[DMM] Benjamin Kaduk's Discuss on draft-ietf-dmm-pmipv6-dlif-05: (with DISCUSS and COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Thu, 05 March 2020 05:22 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: dmm@ietf.org
Delivered-To: dmm@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 9476E3A0C71; Wed, 4 Mar 2020 21:22:18 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dmm-pmipv6-dlif@ietf.org, dmm-chairs@ietf.org, dmm@ietf.org, Dapeng Liu <max.ldp@alibaba-inc.com>, max.ldp@alibaba-inc.com
X-Test-IDTracker: no
X-IETF-IDTracker: 6.119.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <158338573858.29475.12173301575622176655@ietfa.amsl.com>
Date: Wed, 04 Mar 2020 21:22:18 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmm/ZliDRLnbXLIlrGvPjTnsNd7C_xw>
Subject: [DMM] Benjamin Kaduk's Discuss on draft-ietf-dmm-pmipv6-dlif-05: (with DISCUSS and COMMENT)
X-BeenThere: dmm@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Distributed Mobility Management Working Group <dmm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmm>, <mailto:dmm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmm/>
List-Post: <mailto:dmm@ietf.org>
List-Help: <mailto:dmm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmm>, <mailto:dmm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2020 05:22:19 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-dmm-pmipv6-dlif-05: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-dmm-pmipv6-dlif/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- I have a very boring Discuss point and a somewhat boring point, and expect to change my ballot to Yes once they're resolved. In Section 3.2 we say that pacing mechanisms "MAY" be used to avoid bursts when the CMD is fanning out PBUs, but in Section 6 we say that pacing "SHOULD" be used; please resolve the inconsistency (preferrably with "MUST" as Mirja requests). Please also include some discussion of privacy considerations (I give some suggestions in the COMMENT). ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thanks for this well-written document! It is clearly written, and when multiple approaches exist, does well at laying out the different options and their pros/cons, as befits an Experimental document. Also, several times I have started to write a comment only to realize that it is answered by the following text :) Section 1 The Distributed Mobility Management (DMM) paradigm aims at minimizing the impact of currently standardized mobility management solutions which are centralized (at least to a considerable extent). I'd consider saying a little more about which aspects of their operation are centralized. Perhaps the following paragraph suffices, though. Following this idea, in our proposal, the central anchor is moved to the edge of the network, being deployed in the default gateway of the mobile node. That is, the first elements that provide IP (side note: Using the singular "central anchor" poses an interesting rhetorical question: is the (formerly) single central anchor being duplicated and spread amongst all access routers, or does there remain a single central anchor (per MN), just one that moves around along with the MN.) anchors to retrieve the MN's previous location(s). Also, a key- aspect of network-based DMM, is that a prefix pool belongs exclusively to each MAAR, in the sense that those prefixes are assigned by the MAAR to the MNs attached to it, and they are routable at that MAAR. It might be worth some statement relating this "ownership" of prefixes to actual mobility events -- e.g., they are assigned to MNs attached to it at that time, but remain with those MNs as mobility occurs, but always remain routable at that MAAR as well as towards the MN itself. We consider partially distributed schemes, where the data plane only is distributed among access routers similar to MAGs, whereas the nit: I suggest s/the data plane only/only the data plane/ control plane is kept centralized towards a cardinal node used as information store, but relieved from any route management and MN's data forwarding task. What's the scope of "single" here -- per deployment, per prefix, per MAAR, ...? P-MAAR (Previous MAAR). When a MN moves to a new point of attachment a new MAAR might be allocated as its anchor point for future IPv6 prefixes. The MAAR that served the MN prior to new attachment becomes the P-MAAR. It is still the anchor point for the IPv6 prefixes it had allocated to the MN in the past and serves as the (side note? Do we expect those previous allocations to eventually "time out" as sessions using them terminate? Or are the allocations more permanent, with intent to reuse if/when the MN returns to that MAAR?) Section 3 interest and eventually take the appropriate action. The procedure adopted for the query and the messages exchange sequence might vary to optimize the update latency and/or the signaling overhead. Here nit: wrong pluralization in "messages exchange sequence" Section 3.1 3. Since this is an initial registration, the CMD stores a permanent BCE containing as primary fields the MN-ID, Pref1 and MAAR1's address as a Proxy-CoA. [how permanent is "permanent"?] Section 3.2 1. When the MN moves from its current point of attachment and attaches to MAAR2 (now the S-MAAR), MAAR2 reserves another IPv6 prefix (Pref2), it stores a temporary BCE, and it sends a plain PBU to the CMD for registration. It's not clear to me at this point how MAAR2 has enough information to determine that this will be a "plain" PBU vs. the the PBU used for initial registration. (That said, it's also not clear to me that the send PBU actually differs on the wire, so maybe this is just a rhetorical question. Er, a question of rhetoric, that is.) 4. The CMD, after receiving the PBA, updates the BCE populating an instance of the P-MAAR list. The P-MAAR list is an additional field on the BCE that contains an element for each P-MAAR involved in the MN's mobility session. The list element contains the P-MAAR's global address and the prefix it has delegated (see Appendix B for further details). Also, the CMD sends a PBA to the new S-MAAR, containing the previous Proxy-CoA and the prefix anchored to it embedded into a new mobility option called Previous MAAR Option (defined in Section 4.5), so that, upon PBA arrival, a bi-directional tunnel can be established between the two MAARs and new routes are set appropriately to recover the IP flow(s) carrying Pref1. To check my understanding: there will only be one Previous MAAR Option present and it will describe only a single MAAR, which implies that if there are multiple P-MAARs, traffic directed to an arbitrary prefix based at one of them is expected to traverse multiple tunnels from P-MAAR to P-MAAR before making its way to the S-MAAR and the MN? [Hmm, looks like my understanding is wrong. I'd consider making "previous Proxy-CoA" and "the prefix anchored to it" plural to give the reader a hint as to what's coming, though I can understand if there is desire to keep the initial mobility example simple and only gradually introduce the complexity in question.] For MN's next movements the process is repeated except the number of P-MAARs involved increases (accordingly to the number of prefixes that the MN wishes to maintain). Indeed, once the CMD receives the first PBU from the new S-MAAR, it forwards copies of the PBU to all the P-MAARs indicated in the BCE as current P-CoA (i.e., the MAAR prior to handover) and in the P-MAARs list. They reply with a PBA to the CMD, which aggregates them into a single one to notify the S-MAAR, that finally can establish the tunnels with the P-MAARs. I'm not sure I understand the cardinality of P-CoA -- is it one, the single S-MAAR prior to handover, or many, all P-MAARs in the list? When there are multiple previous MAARs, e.g., k MAARs, a single PBU received by the CMD triggers k outgoing packets from a single incoming packet. This may lead to packet bursts originated from the CMD, albeit to different targets. Pacing mechanisms MAY be introduced to avoid bursts on the outgoing link. I'll defer to my TSV colleagues, but a "SHOULD" feels more comfortable than "MAY" to me, here. Section 3.3 The handover latency experienced in the approach shown before can be reduced if the P-MAARs are allowed to signal directly their information to the new S-MAAR. This procedure reflects what was described in Section 3.2 up to the moment the P-MAAR receives the PBU with the P-MAAR option. At that point a P-MAAR is aware of the new nit(?): I think this is the S-MAAR option, not the P-MAAR option? S-MAAR including the prefix it is anchoring. This latter PBA does not need to include new options, as the prefix is embedded in the HNP option and the P-MAAR's address is taken from the message's source address. The CMD is relieved from forwarding the PBA to the S-MAAR, (side note: this assumes there's no NAT or tunneling or similar between MAARs, which seems like a plausible assumption, at least for now.) Section 3.4 side. When P-MAARs complete the update, they send a PBA to the CMD to indicate that the operation is concluded and the information is updated in all network nodes. This procedure is obtained from the Is there anything useful to say about behavior on timeout at the CMD (failing to reive a PBA from one or more P-MAARs)? Section 3.5 The de-registration mechanism devised for PMIPv6 cannot be used as is in this solution. The reason for this is that each MAAR handles an nit: s/as is/as-is/ Indeed, when a previous MAAR initiates a de-registration procedure, because the MN is no longer present on the MAAR's access link, it removes the routing state for that (those) prefix(es), that would be deleted by the CMD as well, hence defeating any prefix continuity attempt. The simplest approach to overcome this limitation is to nit(?): s/when/if/. At least, this makes more sense to me if I do that ... maybe I'm just confused. serving MAAR to de-register the whole MN session. This can be achieved by first removing any layer-2 detachment event, so that de- registration is triggered only when the session lifetime expires, I see that RFC 5213 has some mechanisms for lifetime management, but didn't get to look closely enough to understand how clear the necessary lifetime management will be in the DMM case when there are multiple prefixes registered to a given MN at different MAARs. (Also, 5213 doesn't seem to use the "session lifetime" phrase verbatim.) Section 3.6 requiring special support from the mobile node's IP stack. This document defines the Distributed Logical Interface (DLIF), which is a software construct that allows to easily hide the change of associated anchors from the mobile node. A software construct in the MAAR, right? How common is "HMAC" as an abbreviation for "hardware MAC address"? It's also an abbreviation for Hash-based Message Authentication Code, which confuses my poor security-focused brain, though I acknowledge that this does not necessarily extend to most of the target audience for this document... and MN3, while MAAR2 is serving MN1. MN1, MN2 and MN3 have two P-MAARs: MAAR1 and MAAR2. Note that a serving MAAR always plays the Do they have two P-MAARs, or one P-MAAR and one S-MAAR (each)? role of anchoring MAAR for the attached (served) MNs. Each MAAR has one single physical wireless interface. Have we defined "anchoring MAAR" yet? Also, I assume that the "single physical interface" is just "as depicted in this example" and not a protocol requirement :) As introduced before, each MN always "sees" multiple logical routers -- one per P-MAAR -- independently of its currently serving MAAR. [same P-MAAR vs. S-MAAR split as above] by the serving MAAR (MAAR2) configuring an additional distributed logical interface: mn1mar1, which behaves exactly as the logical interface configured by MAAR1 when MN1 was attached to it. This nit(?): "exactly" is asking for pedants to try and poke holes in the claimed perfection. deprecated). The goal is to deprecate the prefixes delegated by these MAARs (which will be no longer serving the MN). Note that on- nit(?): s/which will be no longer/so that they will no longer be/, IIUC Section 4.1 The intdir reviewer's comments regarding the flag bits seem apropos (I presume they were allocated by other extensions to 5213, but we should say something about it). A new flag (D) is included in the Proxy Binding Update to indicate that the Proxy Binding Update is coming from a Mobility Anchor and "D" is for "DMM", I trust? It could be worth mentioning. Is the D bit set for the PBUs sent from CMD to P-MAAR as well? (I see that the PBA description uses a slightly different formulation to cover the 'D' bit; is there a reason to diverge?) Mobility Options Variable-length field of such length that the complete Mobility Header is an integer multiple of 8 octets long. This field contains zero or more TLV-encoded mobility options. The encoding and format of defined options are described in Section 6.2 of [RFC6275]. The MAAR MUST ignore and skip any options that it does not understand. MAARs that *receive* PBUs must be P-MAARs, right? Section 4.2 MAAR (D) The D is set to indicate that the sender of the message supports operating as a Mobility Anchor and Access Router. When a MAG that does not support the extensions described in this document receives a message with the D-Flag set, it MUST ignore the message and an error MUST be returned. Is the CMD considered a MAAR for this purpose? contains zero or more TLV-encoded mobility options. The encoding and format of defined options are described in Section 6.2 of [RFC6275]. The MAAR MUST ignore and skip any options that it does not understand. What about the CMD? Section 4.3, 4.4 Prefix Length 8-bit unsigned integer indicating the prefix length of the IPv6 prefix contained in the option. Anchored Prefix A sixteen-byte field containing the mobile node's IPv6 Anchored Prefix. Only the first Prefix Length bytes are valid for the Anchored Prefix. The rest of the bytes MUST be ignored. Is the prefix length bits or bytes? Section 4.4 Is this also used to convey "local" prefixes in the PBA from CMD to S-MAAR? (If not, how does the S-MAAR know to advertise them from its DLIF?) Section 4.5 What's the alignment requirement? (There's no need to put in a Reserved octet to keep things word aligned?) Prefix Length 8-bit unsigned integer indicating the prefix length of the IPv6 prefix contained in the option. [...] Home Network Prefix A sixteen-byte field containing the mobile node's IPv6 Home Network Prefix. Only the first Prefix Length bytes are valid for the mobile node's IPv6 Home Network Prefix. The rest of the bytes MUST be ignored. [is the prefix length bits or bytes?] Section 4.6 Is there an alignment requirement for this option? This new option is defined for use with the Proxy Binding Update and Proxy Binding Acknowledgement messages exchanged between the CMD and When is this option used in a PBA? Section 4.7 A new DLIF Link-local Address option is defined for use with the Proxy Binding Update and Proxy Binding Acknowledgment messages exchanged between MAARs. This option is used for exchanging the MAARs but not CMDs? When is this used in the PBU? Section 4.8 A new DLIF Link-layer Address option is defined for use with the Proxy Binding Update and Proxy Binding Acknowledgment messages exchanged between MAARs. This option is used for exchanging the MAARs but not CMDs? When is this used in the PBU? Section 6 Unfortunately it seems that RFC 5213 does not include any privacy considerations discussion. While the privacy properties of this protocol bear similarities to those of RFC 5213, it seems that there are also some significant differences, so I do think it is important to produce some documentation of privacy considerations for this document. The main factor would, of cousre, be tracking which entities obtain updates/information about the location of the MN, what those entities are expected to do with that data, and how trusted they are to be proper custodians of it. Other factors may exist as well, including the potential for side-channel information leakage, e.g., due to traffic analysis. There might also be a reverse situation where exposing the link-layer address(es) of a P-MAAR have privacy considerations, though I don't have anything particular in mind at the moment. security concerns of Proxy Mobile IPv6 [RFC5213]. It is recommended that the signaling messages, Proxy Binding Update and Proxy Binding Acknowledgment, exchanged between the MAARs are protected using IPsec using the established security association between them. This This is essentially unchanged from 5213, just with different names for the endpoints, right, and so the existing guidance/experiences apply? I think we should also say something about all MAARs and the CMD being trusted parties. We should also say something about the authorization model (I assume it's just "all trusted parties are trusted to perform all operations relevant to their role", but that's still useful to say). When the CMD acts as a PBU/PBA relay, the CMD may act as a relay of a single PBU to multiple previous MAARs. In situations of many fast handovers (e.g., with vehicular networks), there may exist multiple previous (e.g., k) MAARs exist. In this situation, the CMD creates k nit: remove the redundant "exist" When the CMD acts as MAAR locator, mobility signaling (PBAs) is exchanged between P-MAARs and current S-MAAR. This requires security associations to exist between the involved MAARs (in addition to the ones needed with the CMD). Is this relevant because of scaling/resource-consumption concerns or keying/trust ones? Appendix A.5 not implement existing mobility protocols. Furthermore, a DMM solution SHOULD work across different networks, possibly operated as separate administrative domains, when the needed mobility management Hmm, separate administrative domains makes the risk of NAT relatively higher (per previous comment about NAT). intervention. The partially distributed DMM solution can be deployed across different domains with trust agreements if the CMDs of the operators are enabled to transfer context from one node to another. It would probably be worth expounding a bit more about this scenario and the necessary trust/authorization relationships, in the security considerations.
- [DMM] Benjamin Kaduk's Discuss on draft-ietf-dmm-… Benjamin Kaduk via Datatracker
- Re: [DMM] Benjamin Kaduk's Discuss on draft-ietf-… CARLOS JESUS BERNARDOS CANO
- Re: [DMM] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [DMM] Benjamin Kaduk's Discuss on draft-ietf-… CARLOS JESUS BERNARDOS CANO