[Gen-art] RE: Gen-ART review of draft-ietf-tsvwg-vpn-signaled-preemption-01
"Sharon Chisholm" <schishol@nortel.com> Mon, 02 October 2006 19:47 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GUTlC-00058y-L6; Mon, 02 Oct 2006 15:47:30 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GUTlB-00058t-82 for gen-art@ietf.org; Mon, 02 Oct 2006 15:47:29 -0400
Received: from zrtps0kp.nortel.com ([47.140.192.56]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GUTlA-0006mv-Pf for gen-art@ietf.org; Mon, 02 Oct 2006 15:47:29 -0400
Received: from zcarhxm2.corp.nortel.com (zcarhxm2.corp.nortel.com [47.129.230.99]) by zrtps0kp.nortel.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id k92JlEe29559; Mon, 2 Oct 2006 15:47:14 -0400 (EDT)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 02 Oct 2006 15:47:10 -0400
Message-ID: <713043CE8B8E1348AF3C546DBE02C1B40B215DAE@zcarhxm2.corp.nortel.com>
In-Reply-To: <91325D43-C118-4E4C-8930-7CFAAC32A028@cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Gen-ART review of draft-ietf-tsvwg-vpn-signaled-preemption-01
thread-index: AcbmVIqEVAHqz1ptTYGwmlBPsaapCQAAQl0A
From: Sharon Chisholm <schishol@nortel.com>
To: Fred Baker <fred@cisco.com>
X-Spam-Score: 1.1 (+)
X-Scan-Signature: ccfb4541e989aa743998098cd315d0fd
Cc: lars.eggert@netlab.nec.de, magnus.westerlund@ericsson.com, gen-art@ietf.org, jmpolk@cisco.com, pratik.bose@lmco.com
Subject: [Gen-art] RE: Gen-ART review of draft-ietf-tsvwg-vpn-signaled-preemption-01
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
Errors-To: gen-art-bounces@ietf.org
hi <Fred> I get the impression that you didn't like the document :-) </Fred> I wouldn't go that far. It's just that I felt I kept getting lost in it. There seemed to be a lot of good information, I think it just needs to be reworked a bit. <Fred> > 1. The document doesn't seem to agree on its purpose. In the abstract > it claims "Some networks require communication between an interior and > exterior portion of a VPN, but have sensitivities about what > information is communicated across the boundary. This note seeks to > outline the issues and the nature of the proposed solutions." But > later on the document claims "The key question this document explores > is "how do reservations, and preemption of reservations, work in such > an environment?", where such an environment is nested VPNs. The > document does seem to talk about both and they seem related, but still > this needs to be clarified. OK, we'll see if can tighten language on the purpose of the document. Bottom line, it is about implementing the Integrated Services architecture as described in RFC 2998 across a type of VPN in which not only the connected enclaves don't share knowledge with the network they run over, but that network doesn't share knowledge with them. Examples might include a military network that runs over a commercial network (yes, that happens), or a civilian first responder call that is crossing a military network (yes, that happens). </Fred> That would be very helpful. This description is also more helpful then what is currently in the draft. Deciding a single statement of problem and propagating it through the document would be helpful. Is the interior/exterior the problem focus, the nesting of VPNs or both in combination, for example. <Fred> > 2. The abstract says 'This note seeks to outline the issues and the > nature of the proposed solutions.', it would be good to refer to what > the specific solution are. Given the substance of the document, what would you think the proposed solutions are? We thought that section 2 gave a pretty complete overview, description, and example. Specifically what are you looking for here? </Fred> Is there a succinct way of summarizing the 'specific solution'? <Fred> > 3. Section 1 is titled 'QoS in a VPN domain', but is actually a > mishmash of topics. It contains a reiteration of the purpose of the > document with respect to interior/exterior, tutorial on a number of > topics, and some clarification of term usage specific to this > document. The title of the section seems a bit off and ... Would it help if we renamed the section "Introduction"? It seems that the idnits tool complains that we don't follow the boilerplate in that regard. > ...the information within the section would be better organized into > the sections I mentioned or some other form to reduce the feeling of > 'here is some information' and 'here is some more information' that > this document has on occasion. Telling me that you want the organization different without telling me in what way isn't all that helpful. Specifically how would you suggest we organize the information to improve your comprehension of it? </Fred> Actually, I did make a suggestion. I suggested organizing things as problem statement, background information and terminology. Calling the entire thing Introduction sounds good. <Fred> > 5. In section 1.1, titled 'Nested VPNs', we get three quarters of the > way through, in the paragraph just before figure 3, before we finally > start talking about nesting VPNs. This comment really throws me. The text starts out with the sentence "One could describe such a network in terms of three network diagrams." We try to show a VPN and then show how VPNs can be nested, and comment that our requirements deal with both structures. In the ASCII version, this is a two pages of text, with the diagram that one wishes was on the second page on a third due to the editing tool. It seems that we're not being allowed to introduce the topic - and I guarantee that if we are not, the discussion of its solution won't make any sense either. </Fred> My point was, aside from the first sentence that says 'such' a network (and you should clarify what 'such' a network is since this is potentially ambiguous given this is a new section), the next page or so goes on to describe the steps performed by a (non-nested) VPN router. <Fred> > 6. Figure 5 is very ambitious for ASCII art and I don't find it > terribly readable. This figure is then referenced through very long > examples walking through its H5 and R4 type labels. I wonder if this > is a simpler way to convey the same information? It is indeed complex. It is a fairly complex problem. Now, I could if you like break it up the way I broke up section 1.1, which you complained about. We could discuss handling the problem of preemption in a VPN, and then separately discuss nesting the VPNs. Would that help? Would you then complain about that level of complexity? </Fred> My complaint with section 1 wasn't that it was broken down into sections, it that it could be better organized. I don't know what the best way to help figure 5 would be. If it is describing two different concepts it might be helpful to represent it separately. Or perhaps since each enclave seems to have the same thing in it, we could hide those details in the figure. The contents of an enclave could be shown in a separate picture. And that way, there might be room to refer instead to Router 1, Router 2, Host 1, Host 2, VPN 1, VPN 2 in the figure as well as in the text. I think that would be an improvement. <Fred> > 7. Is DSCP corollary a well-known term? I googled and didn't find it > used. I also didn't see it defined in the document. I think I meant "DSCP corollary to". The point is that the DSCP should correspond to the reservation and the data it should carry - either be the same DSCP, or use a value that maps to the DSCP, as discussed in the security considerations. If I change that to "corollary to", does that work for you? </Fred> Well, you wouldn't then we introducing a new term, so that solves the issue but the way you explained it here is much more understandable. <Fred> > 9. In section 5, the fourth paragraph does not seem to be discussing a > security consideration. You're talking about this, right? VPN Routers encapsulate encrypted IP packets and prepend an extra header on each packet. These packets, whether used for signaling or data, should be identifiable, at a minimum by the IP addresses and DSCP value. The prepended header, therefore, should contain at a minimum the DSCP value corresponding to the signaled reservation in each packet. This may literally be the same DSCP as is used for the data (forcing control plane traffic to receive the same QoS treatment as its data), or a different DSCP that is routed identically (separating control and data plane traffic QoS but not routing). Specifically, this paragraph was requested by the people who specify the encryptors in question. They view the idea that the encryptor might allow the DSCP through to be a security vulnerability. Russ Housley might be in a position to advise us here. </Fred> So, this is intended to be identifying requirements to prevent a specific security vulnerability? Some discussion on the security vulnerability would help put it in context. Otherwise it reads like a bit of oddly placed tutorial. <Fred> > 10. Section 3 claims that it 'details the data flows within a VPN > Router, in the context of sessions as described in Section 2.', which > isn't that helpful. If we mean some of the nested VPNs discussed, we > should clearly say this rather then using a cryptic cross references. Again, this was requested by the folks who specify the encryptors in question. They want to be able to identify exactly what information crosses the boundary and what does not. I'm not sure whether you are saying that section 3 isn't helpful to you, or whether you are saying section 2 didn't help. Please say more. </Fred> The criticism is that the introduction to section 3 does not introduce section 3 terribly well. Sharon _______________________________________________ Gen-art mailing list Gen-art@ietf.org https://www1.ietf.org/mailman/listinfo/gen-art
- [Gen-art] Gen-ART LC review of draft-ietf-dhc-dhc… Gray, Eric
- [Gen-art] Re: Gen-ART LC review of draft-ietf-dhc… Jari Arkko
- [Gen-art] re: Gen-ART LC review of draft-ietf-dhc… CTO YAN Renxiang
- [Gen-art] Gen-ART review of draft-ietf-tsvwg-vpn-… Sharon Chisholm
- [Gen-art] Re: Gen-ART review of draft-ietf-tsvwg-… Fred Baker
- [Gen-art] RE: Gen-ART review of draft-ietf-tsvwg-… Sharon Chisholm