[DMM] Benjamin Kaduk's Discuss on draft-ietf-dmm-pmipv6-dlif-05: (with DISCUSS and COMMENT)

[Benjamin Kaduk via Datatracker <noreply@ietf.org>]

Benjamin Kaduk has entered the following ballot position for
draft-ietf-dmm-pmipv6-dlif-05: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dmm-pmipv6-dlif/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

I have a very boring Discuss point and a somewhat boring point, and
expect to change my ballot to Yes once they're resolved.

In Section 3.2 we say that pacing mechanisms "MAY" be used to avoid
bursts when the CMD is fanning out PBUs, but in Section 6 we say that
pacing "SHOULD" be used; please resolve the inconsistency (preferrably
with "MUST" as Mirja requests).

Please also include some discussion of privacy considerations (I give
some suggestions in the COMMENT).


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thanks for this well-written document!  It is clearly written, and when
multiple approaches exist, does well at laying out the different options
and their pros/cons, as befits an Experimental document.  Also, several
times I have started to write a comment only to realize that it is
answered by the following text :)

Section 1

   The Distributed Mobility Management (DMM) paradigm aims at minimizing
   the impact of currently standardized mobility management solutions
   which are centralized (at least to a considerable extent).

I'd consider saying a little more about which aspects of their operation
are centralized.  Perhaps the following paragraph suffices, though.

   Following this idea, in our proposal, the central anchor is moved to
   the edge of the network, being deployed in the default gateway of the
   mobile node.  That is, the first elements that provide IP

(side note: Using the singular "central anchor" poses an interesting
rhetorical question: is the (formerly) single central anchor being
duplicated and spread amongst all access routers, or does there remain a
single central anchor (per MN), just one that moves around along with
the MN.)

   anchors to retrieve the MN's previous location(s).  Also, a key-
   aspect of network-based DMM, is that a prefix pool belongs
   exclusively to each MAAR, in the sense that those prefixes are
   assigned by the MAAR to the MNs attached to it, and they are routable
   at that MAAR.

It might be worth some statement relating this "ownership" of prefixes
to actual mobility events -- e.g., they are assigned to MNs attached to
it at that time, but remain with those MNs as mobility occurs, but
always remain routable at that MAAR as well as towards the MN itself.

   We consider partially distributed schemes, where the data plane only
   is distributed among access routers similar to MAGs, whereas the

nit: I suggest s/the data plane only/only the data plane/

   control plane is kept centralized towards a cardinal node used as
   information store, but relieved from any route management and MN's
   data forwarding task.

What's the scope of "single" here -- per deployment, per prefix, per
MAAR, ...?

   P-MAAR (Previous MAAR).  When a MN moves to a new point of attachment
      a new MAAR might be allocated as its anchor point for future IPv6
      prefixes.  The MAAR that served the MN prior to new attachment
      becomes the P-MAAR.  It is still the anchor point for the IPv6
      prefixes it had allocated to the MN in the past and serves as the

(side note? Do we expect those previous allocations to eventually "time
out" as sessions using them terminate?  Or are the allocations more
permanent, with intent to reuse if/when the MN returns to that MAAR?)

Section 3

   interest and eventually take the appropriate action.  The procedure
   adopted for the query and the messages exchange sequence might vary
   to optimize the update latency and/or the signaling overhead.  Here

nit: wrong pluralization in "messages exchange sequence"

Section 3.1

   3.  Since this is an initial registration, the CMD stores a permanent
       BCE containing as primary fields the MN-ID, Pref1 and MAAR1's
       address as a Proxy-CoA.

[how permanent is "permanent"?]

Section 3.2

   1.  When the MN moves from its current point of attachment and
       attaches to MAAR2 (now the S-MAAR), MAAR2 reserves another IPv6
       prefix (Pref2), it stores a temporary BCE, and it sends a plain
       PBU to the CMD for registration.

It's not clear to me at this point how MAAR2 has enough information to
determine that this will be a "plain" PBU vs. the the PBU used for
initial registration.  (That said, it's also not clear to me that the
send PBU actually differs on the wire, so maybe this is just a
rhetorical question.  Er, a question of rhetoric, that is.)

   4.  The CMD, after receiving the PBA, updates the BCE populating an
       instance of the P-MAAR list.  The P-MAAR list is an additional
       field on the BCE that contains an element for each P-MAAR
       involved in the MN's mobility session.  The list element contains
       the P-MAAR's global address and the prefix it has delegated (see
       Appendix B for further details).  Also, the CMD sends a PBA to
       the new S-MAAR, containing the previous Proxy-CoA and the prefix
       anchored to it embedded into a new mobility option called
       Previous MAAR Option (defined in Section 4.5), so that, upon PBA
       arrival, a bi-directional tunnel can be established between the
       two MAARs and new routes are set appropriately to recover the IP
       flow(s) carrying Pref1.

To check my understanding: there will only be one Previous MAAR Option
present and it will describe only a single MAAR, which implies that if
there are multiple P-MAARs, traffic directed to an arbitrary prefix
based at one of them is expected to traverse multiple tunnels from
P-MAAR to P-MAAR before making its way to the S-MAAR and the MN?
[Hmm, looks like my understanding is wrong.  I'd consider making
"previous Proxy-CoA" and "the prefix anchored to it" plural to give the
reader a hint as to what's coming, though I can understand if there is
desire to keep the initial mobility example simple and only gradually
introduce the complexity in question.]

   For MN's next movements the process is repeated except the number of
   P-MAARs involved increases (accordingly to the number of prefixes
   that the MN wishes to maintain).  Indeed, once the CMD receives the
   first PBU from the new S-MAAR, it forwards copies of the PBU to all
   the P-MAARs indicated in the BCE as current P-CoA (i.e., the MAAR
   prior to handover) and in the P-MAARs list.  They reply with a PBA to
   the CMD, which aggregates them into a single one to notify the
   S-MAAR, that finally can establish the tunnels with the P-MAARs.

I'm not sure I understand the cardinality of P-CoA -- is it one,
the single S-MAAR prior to handover, or many, all P-MAARs in the list?

   When there are multiple previous MAARs, e.g., k MAARs, a single PBU
   received by the CMD triggers k outgoing packets from a single
   incoming packet.  This may lead to packet bursts originated from the
   CMD, albeit to different targets.  Pacing mechanisms MAY be
   introduced to avoid bursts on the outgoing link.

I'll defer to my TSV colleagues, but a "SHOULD" feels more comfortable
than "MAY" to me, here.

Section 3.3

   The handover latency experienced in the approach shown before can be
   reduced if the P-MAARs are allowed to signal directly their
   information to the new S-MAAR.  This procedure reflects what was
   described in Section 3.2 up to the moment the P-MAAR receives the PBU
   with the P-MAAR option.  At that point a P-MAAR is aware of the new

nit(?): I think this is the S-MAAR option, not the P-MAAR option?

   S-MAAR including the prefix it is anchoring.  This latter PBA does
   not need to include new options, as the prefix is embedded in the HNP
   option and the P-MAAR's address is taken from the message's source
   address.  The CMD is relieved from forwarding the PBA to the S-MAAR,

(side note: this assumes there's no NAT or tunneling or similar between
MAARs, which seems like a plausible assumption, at least for now.)

Section 3.4

   side.  When P-MAARs complete the update, they send a PBA to the CMD
   to indicate that the operation is concluded and the information is
   updated in all network nodes.  This procedure is obtained from the

Is there anything useful to say about behavior on timeout at the CMD
(failing to reive a PBA from one or more P-MAARs)?

Section 3.5

   The de-registration mechanism devised for PMIPv6 cannot be used as is
   in this solution.  The reason for this is that each MAAR handles an

nit: s/as is/as-is/

   Indeed, when a previous MAAR initiates a de-registration procedure,
   because the MN is no longer present on the MAAR's access link, it
   removes the routing state for that (those) prefix(es), that would be
   deleted by the CMD as well, hence defeating any prefix continuity
   attempt.  The simplest approach to overcome this limitation is to

nit(?): s/when/if/.  At least, this makes more sense to me if I do that
... maybe I'm just confused.

   serving MAAR to de-register the whole MN session.  This can be
   achieved by first removing any layer-2 detachment event, so that de-
   registration is triggered only when the session lifetime expires,

I see that RFC 5213 has some mechanisms for lifetime management, but
didn't get to look closely enough to understand how clear the necessary
lifetime management will be in the DMM case when there are multiple
prefixes registered to a given MN at different MAARs.  (Also, 5213
doesn't seem to use the "session lifetime" phrase verbatim.)

Section 3.6

   requiring special support from the mobile node's IP stack.  This
   document defines the Distributed Logical Interface (DLIF), which is a
   software construct that allows to easily hide the change of
   associated anchors from the mobile node.

A software construct in the MAAR, right?


How common is "HMAC" as an abbreviation for "hardware MAC address"?
It's also an abbreviation for Hash-based Message Authentication Code,
which confuses my poor security-focused brain, though I acknowledge that
this does not necessarily extend to most of the target audience for this
document...

   and MN3, while MAAR2 is serving MN1.  MN1, MN2 and MN3 have two
   P-MAARs: MAAR1 and MAAR2.  Note that a serving MAAR always plays the

Do they have two P-MAARs, or one P-MAAR and one S-MAAR (each)?

   role of anchoring MAAR for the attached (served) MNs.  Each MAAR has
   one single physical wireless interface.

Have we defined "anchoring MAAR" yet?
Also, I assume that the "single physical interface" is just "as depicted
in this example" and not a protocol requirement :)

   As introduced before, each MN always "sees" multiple logical routers
   -- one per P-MAAR -- independently of its currently serving MAAR.

[same P-MAAR vs. S-MAAR split as above]

   by the serving MAAR (MAAR2) configuring an additional distributed
   logical interface: mn1mar1, which behaves exactly as the logical
   interface configured by MAAR1 when MN1 was attached to it.  This

nit(?): "exactly" is asking for pedants to try and poke holes in the
claimed perfection.

   deprecated).  The goal is to deprecate the prefixes delegated by
   these MAARs (which will be no longer serving the MN).  Note that on-

nit(?): s/which will be no longer/so that they will no longer be/, IIUC

Section 4.1

The intdir reviewer's comments regarding the flag bits seem apropos (I
presume they were allocated by other extensions to 5213, but we should
say something about it).


   A new flag (D) is included in the Proxy Binding Update to indicate
   that the Proxy Binding Update is coming from a Mobility Anchor and

"D" is for "DMM", I trust?  It could be worth mentioning.

Is the D bit set for the PBUs sent from CMD to P-MAAR as well?
(I see that the PBA description uses a slightly different formulation to
cover the 'D' bit; is there a reason to diverge?)

   Mobility Options

      Variable-length field of such length that the complete Mobility
      Header is an integer multiple of 8 octets long.  This field
      contains zero or more TLV-encoded mobility options.  The encoding
      and format of defined options are described in Section 6.2 of
      [RFC6275].  The MAAR MUST ignore and skip any options that it does
      not understand.

MAARs that *receive* PBUs must be P-MAARs, right?

Section 4.2

   MAAR (D)

      The D is set to indicate that the sender of the message supports
      operating as a Mobility Anchor and Access Router.  When a MAG that
      does not support the extensions described in this document
      receives a message with the D-Flag set, it MUST ignore the message
      and an error MUST be returned.

Is the CMD considered a MAAR for this purpose?

      contains zero or more TLV-encoded mobility options.  The encoding
      and format of defined options are described in Section 6.2 of
      [RFC6275].  The MAAR MUST ignore and skip any options that it does
      not understand.

What about the CMD?

Section 4.3, 4.4

   Prefix Length

      8-bit unsigned integer indicating the prefix length of the IPv6
      prefix contained in the option.

   Anchored Prefix

      A sixteen-byte field containing the mobile node's IPv6 Anchored
      Prefix.  Only the first Prefix Length bytes are valid for the
      Anchored Prefix.  The rest of the bytes MUST be ignored.

Is the prefix length bits or bytes?

Section 4.4

Is this also used to convey "local" prefixes in the PBA from CMD to
S-MAAR?  (If not, how does the S-MAAR know to advertise them from its
DLIF?)

Section 4.5

What's the alignment requirement?
(There's no need to put in a Reserved octet to keep things word
aligned?)

   Prefix Length

      8-bit unsigned integer indicating the prefix length of the IPv6
      prefix contained in the option.
   [...]
   Home Network Prefix

      A sixteen-byte field containing the mobile node's IPv6 Home
      Network Prefix.  Only the first Prefix Length bytes are valid for
      the mobile node's IPv6 Home Network Prefix.  The rest of the bytes
      MUST be ignored.

[is the prefix length bits or bytes?]

Section 4.6

Is there an alignment requirement for this option?

   This new option is defined for use with the Proxy Binding Update and
   Proxy Binding Acknowledgement messages exchanged between the CMD and

When is this option used in a PBA?

Section 4.7

   A new DLIF Link-local Address option is defined for use with the
   Proxy Binding Update and Proxy Binding Acknowledgment messages
   exchanged between MAARs.  This option is used for exchanging the

MAARs but not CMDs?
When is this used in the PBU?

Section 4.8

   A new DLIF Link-layer Address option is defined for use with the
   Proxy Binding Update and Proxy Binding Acknowledgment messages
   exchanged between MAARs.  This option is used for exchanging the

MAARs but not CMDs?
When is this used in the PBU?

Section 6

Unfortunately it seems that RFC 5213 does not include any privacy
considerations discussion.  While the privacy properties of this
protocol bear similarities to those of RFC 5213, it seems that there are
also some significant differences, so I do think it is important to
produce some documentation of privacy considerations for this document.
The main factor would, of cousre, be tracking which entities obtain
updates/information about the location of the MN, what those entities
are expected to do with that data, and how trusted they are to be proper
custodians of it.  Other factors may exist as well, including the
potential for side-channel information leakage, e.g., due to traffic
analysis.  There might also be a reverse situation where exposing the
link-layer address(es) of a P-MAAR have privacy considerations, though I
don't have anything particular in mind at the moment.

   security concerns of Proxy Mobile IPv6 [RFC5213].  It is recommended
   that the signaling messages, Proxy Binding Update and Proxy Binding
   Acknowledgment, exchanged between the MAARs are protected using IPsec
   using the established security association between them.  This

This is essentially unchanged from 5213, just with different names for
the endpoints, right, and so the existing guidance/experiences apply?

I think we should also say something about all MAARs and the CMD being
trusted parties.  We should also say something about the authorization
model (I assume it's just "all trusted parties are trusted to perform
all operations relevant to their role", but that's still useful to say).

   When the CMD acts as a PBU/PBA relay, the CMD may act as a relay of a
   single PBU to multiple previous MAARs.  In situations of many fast
   handovers (e.g., with vehicular networks), there may exist multiple
   previous (e.g., k) MAARs exist.  In this situation, the CMD creates k

nit: remove the redundant "exist"

   When the CMD acts as MAAR locator, mobility signaling (PBAs) is
   exchanged between P-MAARs and current S-MAAR.  This requires security
   associations to exist between the involved MAARs (in addition to the
   ones needed with the CMD).

Is this relevant because of scaling/resource-consumption concerns or
keying/trust ones?

Appendix A.5

   not implement existing mobility protocols.  Furthermore, a DMM
   solution SHOULD work across different networks, possibly operated as
   separate administrative domains, when the needed mobility management

Hmm, separate administrative domains makes the risk of NAT relatively
higher (per previous comment about NAT).

   intervention.  The partially distributed DMM solution can be deployed
   across different domains with trust agreements if the CMDs of the
   operators are enabled to transfer context from one node to another.

It would probably be worth expounding a bit more about this scenario and
the necessary trust/authorization relationships, in the security
considerations.