IETF Logo Mail Archive

[Gen-art] Re: Gen-ART review of draft-ietf-v6ops-ipsec-tunnels-04.txt

Pekka Savola <psavola@csc.fi> Tue, 12 December 2006 14:04 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gu8FQ-0002TX-Eg; Tue, 12 Dec 2006 09:04:44 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gu7lF-0006Ws-9p for gen-art@ietf.org; Tue, 12 Dec 2006 08:33:33 -0500
Received: from smtp2.csc.fi ([193.166.3.97]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Gu7lD-0002KJ-Qe for gen-art@ietf.org; Tue, 12 Dec 2006 08:33:33 -0500
Received: from imap1.csc.fi (imap1.csc.fi [193.166.7.56]) by smtp2.csc.fi (MAILSERVER) with ESMTP id kBCDXDlx029317 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 12 Dec 2006 15:33:13 +0200
Received: from myrsky.csc.fi (myrsky.csc.fi [193.166.7.58]) (authenticated as psavola) by imap1.csc.fi (MAILSERVER) with ESMTP id kBCDXC5B014790 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 12 Dec 2006 15:33:12 +0200
Date: Tue, 12 Dec 2006 15:33:12 +0200
From: Pekka Savola <psavola@csc.fi>
To: Fred Baker <fred@cisco.com>
In-Reply-To: <4694D675-005A-4A44-A578-E28F970AC90F@cisco.com>
Message-ID: <Pine.LNX.4.62.0612121506250.22191@sampo3.csc.fi>
References: <F222151D3323874393F83102D614E055068B89BB@CORPUSMX20A.corp.emc.com> <4694D675-005A-4A44-A578-E28F970AC90F@cisco.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Spam-Score: undef - relay 193.166.7.56 marked with SkipSpamScan
X-CanItPRO-Stream: default
X-Canit-Stats-ID: Bayes signature not available
X-Spam-Score: 0.0 (/)
X-Scan-Signature: f60d0f7806b0c40781eee6b9cd0b2135
X-Mailman-Approved-At: Tue, 12 Dec 2006 09:04:42 -0500
Cc: David Kessens <david.kessens@nokia.com>, Hannes.Tschofenig@siemens.com, gen-art@ietf.org, Lindqvist Erik Kurt <kurtis@kurtis.pp.se>, Mohan Parthasarathy <mohanp@sbcglobal.net>, rfg@acm.org, David Black <Black_David@emc.com>
Subject: [Gen-art] Re: Gen-ART review of draft-ietf-v6ops-ipsec-tunnels-04.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
Errors-To: gen-art-bounces@ietf.org

Hello and thanks for review!

I believe the comments look reasonable, and most of them should be 
addressed easily. Two comments below, the first for my fellow co-authors 
and the second as a general comment to you and to Mohan.

On Sun, 10 Dec 2006, Fred Baker wrote:
> On Dec 9, 2006, at 5:55 PM, Black_David@emc.com wrote:
>> Section 4 has some wording problems:
>> 
>>    1.  [RFC2401] does not allow IP as the next layer protocol in traffic
>>        selectors when an IPsec SA is negotiated.  [RFC4301] also allows
>>        IP as the next layer protocol (like TCP or UDP) in traffic
>>        selectors.
>> 
>> The "also" is susceptible to misreading.  The second sentence should
>> be rephrased to: "In contrast, [RFC4301] does allow ..."

Mohan or Richard, could you clarify this?  I thought the idea was that 
RFC2401 does not explicitly mention IP as the possible next layer 
protocol, while many implementations do support it (and we aren't quite 
sure whether such support is mandatory-to-implement)?  On the other hand 
RFC4301 explicitly requires support for all next layer protocol values.

Maybe we forgot to to reword the text above since this become clearer 
after earlier iterations.  If so, suggestions to reword?

>> The three requirements in Section 5.2 are generally applicable,
>> and should not be buried in Section 5.2's discussion of IPsec
>> tunnel mode.  The requirements also lack explanations of why
>> they are requirements.  At a minimum, the statement of the
>> requirements should be moved into Section 5 (before 5.1), but
>> I would suggest moving them to the end of Section 3 and adding
>> a discussion of why these requirements are important (e.g., what
>> goes wrong if they're not met) with reference to the scenarios
>> described in Section 3.

We could easily shuffle the text around a bit.  Now that I read this, only 
the first one seems to be clearly worded as a "requirement" rather than a 
general observation.  While the third one needs clarification (Mohan?), 
only the first one (IMHO) can easily be expanded why that is so:

    1.  All of IPv6 traffic should be protected, including link-local
        (e.g., Neighbor Discovery) and multicast traffic.

    2.  In router-to-router tunnels, the source and destination addresses
        of the traffic could come from a wide range of prefixes that are
        normally learned through routing.  As routing can always learn a
        new prefix, there is no way to know all the prefixes a priori
        [RFC3884].

    3.  Source address selection depends on the notions of routes and
        interfaces.  This affects scenarios (2) and (3).

1) is required so that every form of traffic that is supported by RFC4213 
IPv6-in-IPv4 tunnels is supported.  A more general explanation is 
mentioned in 2nd paragraph of Section 6 (in effect, "we want link local, 
e.g., routing protocols, multicast, etc.") but it doesn't mention why we 
want them (explanation above).  On the other hand Appendix A describes the 
tunnel mode setup if this is not felt to be a requirement and Tunnel mode 
is felt better in the particular scenario.

As for 3), I'm not 100% sure what point it wants to convey and how it's 
relevant here (does that refer to a multihomed endpoint with multiple 
addresses?) Mohan?

Pekka


_______________________________________________
Gen-art mailing list
Gen-art@ietf.org
https://www1.ietf.org/mailman/listinfo/gen-art

v2.23.0 | Report a Bug | By Email