[Gen-art] RE: Gen-ART review of draft-ietf-v6ops-ipsec-tunnels-04.txt
Black_David@emc.com Wed, 13 December 2006 06:30 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GuNdY-0004kN-LS; Wed, 13 Dec 2006 01:30:40 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GuNdW-0004kC-Sl for gen-art@ietf.org; Wed, 13 Dec 2006 01:30:38 -0500
Received: from mexforward.lss.emc.com ([128.222.32.20]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GuNdV-0000VK-Ev for gen-art@ietf.org; Wed, 13 Dec 2006 01:30:38 -0500
Received: from mailhub.lss.emc.com (nagas.lss.emc.com [10.254.144.11]) by mexforward.lss.emc.com (Switch-3.1.8/Switch-3.1.7) with ESMTP id kBD6UPmN004164; Wed, 13 Dec 2006 01:30:26 -0500 (EST)
Received: from corpussmtp3.corp.emc.com (corpussmtp3.corp.emc.com [10.254.64.53]) by mailhub.lss.emc.com (Switch-3.1.8/Switch-3.1.7) with ESMTP id kBD6TOW9029959; Wed, 13 Dec 2006 01:30:17 -0500 (EST)
From: Black_David@emc.com
Received: from CORPUSMX20A.corp.emc.com ([128.221.62.13]) by corpussmtp3.corp.emc.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 13 Dec 2006 01:29:56 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 13 Dec 2006 01:29:55 -0500
Message-ID: <F222151D3323874393F83102D614E055068B8A04@CORPUSMX20A.corp.emc.com>
In-Reply-To: <D2EAA008-8F08-4EAC-8572-E81D12FD844F@cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Gen-ART review of draft-ietf-v6ops-ipsec-tunnels-04.txt
Thread-Index: AcceTkV6m3AJDVP7Tmu88+xPrGFplgALvE+Q
To: fred@cisco.com, mohanp@sbcglobal.net
X-OriginalArrivalTime: 13 Dec 2006 06:29:56.0158 (UTC) FILETIME=[1B0925E0:01C71E80]
X-PMX-Version: 4.7.1.128075, Antispam-Engine: 2.5.0.283055, Antispam-Data: 2006.12.12.221433
X-PerlMx-Spam: Gauge=, SPAM=2%, Reason='EMC_FROM_0+ -2, NO_REAL_NAME 0, __CT 0, __CTE 0, __CTYPE_CHARSET_QUOTED 0, __CT_TEXT_PLAIN 0, __HAS_MSGID 0, __IMS_MSGID 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0, __SANE_MSGID 0'
X-Spam-Score: 0.2 (/)
X-Scan-Signature: b2809b6f39decc6de467dcf252f42af1
Cc: david.kessens@nokia.com, Hannes.Tschofenig@siemens.com, gen-art@ietf.org, kurtis@kurtis.pp.se, rfg@acm.org, psavola@funet.fi
Subject: [Gen-art] RE: Gen-ART review of draft-ietf-v6ops-ipsec-tunnels-04.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
Errors-To: gen-art-bounces@ietf.org
Fred, Many thanks for the longer explanation. There is one slight twist - this draft is dealing entirely with IPv6-in-IPv4 tunnels, so in: > Ideally, that means that first IPv6 has to decide which interface is > used by the route to the destination as a next hop interface, select > the source address from the interface, let IPSEC sign or encrypt the > message, add the IPv6 header, and then hand the datagram to the > device driver. In a purely layered sense, that is borderline bizarre. > So what I understand existing implementations to do is select an IP > address a priori (there often is only one interface, so selecting the > most global address available is an algorithm that always works), do > the IPSEC part, do the IPv6 part, and let IPv6 hand the thing to a > device driver. That's what Mohan is describing. The second header is an IPv4 header, and IPv4 controls the dispatch to the device driver (which may be unable to deal with IPv6). In this case, there is both an "IPv4 interface" (deals with the device driver) and an "IPv6 interface" (drops the packet into IPsec). The a priori address selection technique still works, but there are both IPv6 and IPv4 addresses to be selected. In any case, as you say: > Trust me, at least from the perspective of a network management > model, anywhere an IP datagram potentially leaves the box there is an > IPv6 interface. Internally, it's what tells you that "on this device, > when you send an IPv6 datagram to a given immediate neighbor, whether > router or host, you call <this> driver and do <this> with the > datagram". In this case, the IPv6 datagram is leaving encased in an IPv4 header, so both "interfaces" believe they've sent a datagram, and the notions of "immediate neighbor" are different for IPv4 vs. IPv6. Thanks, --David > -----Original Message----- > From: Fred Baker [mailto:fred@cisco.com] > Sent: Tuesday, December 12, 2006 7:33 PM > To: Mohan Parthasarathy; Black, David > Cc: gen-art@ietf.org; rfg@acm.org; Pekka Savola; > Hannes.Tschofenig@siemens.com; David Kessens; Lindqvist Erik Kurt > Subject: Re: Gen-ART review of draft-ietf-v6ops-ipsec-tunnels-04.txt > > > On Dec 12, 2006, at 2:51 PM, Mohan Parthasarathy wrote: > > In some implementations e.g., linux, to protect the traffic using > > IPsec tunnel mode SA, traffic matching the selectors is given to > > IPsec for protecting the traffic. IPsec is just another software > > module that is neither visible as an interface nor in the routing > > tables. By this it means that IPsec is not modeled as an interface > > at all. > > On Dec 12, 2006, at 3:38 PM, Black_David@emc.com wrote: > > Let's start with a router. In order for a router to forward an > > IPv6 packet, it has to send it through an IPv6 interface, hence, > > somewhere between where the forwarding table is consulted and where > > the packet hits the wire, there is an "IPv6 interface". > > I think you guys are looking at two sides of one coin. > > IPSEC maintains its security association between a source and a > destination IP address. As such, while one wants to call IPSEC before > handing the datagram to IP (whether v4 or v6), in doing so one must > predetermine which IP address will be used, which potentially implies > which interface the datagram will be sent from. This would be > consistent with RFC 1122's statement on page 62: > > (B) A host MAY restrict itself to sending (non-source- > routed) IP datagrams only through the physical > interface that corresponds to the IP source address of > the datagrams. > > Ideally, that means that first IPv6 has to decide which interface is > used by the route to the destination as a next hop interface, select > the source address from the interface, let IPSEC sign or encrypt the > message, add the IPv6 header, and then hand the datagram to the > device driver. In a purely layered sense, that is borderline bizarre. > So what I understand existing implementations to do is select an IP > address a priori (there often is only one interface, so selecting the > most global address available is an algorithm that always works), do > the IPSEC part, do the IPv6 part, and let IPv6 hand the thing to a > device driver. That's what Mohan is describing. > > In a router, where IPSEC is usually in tunnel mode and one interface > is as good as another, the need for IPSEC use and the set of security > associations used on a given interface (eg, from that interface's > address) is an attribute used in forwarding the IP datagram. At the > point where IP is about to copy the link layer header onto the head > of the datagram, it asks what kind of link layer is in use. One kind > of "link layer" requires the addition of an IPSEC header, another IP > header, and a link layer header. That's what David is describing. > > Mohan, any time a system, host or router, sends a datagram, it has to > account for having done so using the RFC 2863 Interface MIB, it has > to determine whether the ability to send datagrams is currently > administratively enabled. It derives ifIndex from the route entry > (see InetCidrRouteEntry in RFC 4292) that it uses to forward the > datagram, or from the IpDefaultRouterEntry described in RFC 4293. > This table is "the interface" from a management and configuration > perspective, and is found near whatever the software is dealing with > internally. This is what David is asking about. > > Trust me, at least from the perspective of a network management > model, anywhere an IP datagram potentially leaves the box there is an > IPv6 interface. Internally, it's what tells you that "on this device, > when you send an IPv6 datagram to a given immediate neighbor, whether > router or host, you call <this> driver and do <this> with the > datagram". > > _______________________________________________ Gen-art mailing list Gen-art@ietf.org https://www1.ietf.org/mailman/listinfo/gen-art
- [Gen-art] Gen-ART review of draft-ietf-v6ops-ipse… Black_David
- [Gen-art] Re: Gen-ART review of draft-ietf-v6ops-… Fred Baker
- [Gen-art] Re: Gen-ART review of draft-ietf-v6ops-… Pekka Savola
- [Gen-art] Re: Gen-ART review of draft-ietf-v6ops-… Mohan Parthasarathy
- [Gen-art] Re: Gen-ART review of draft-ietf-v6ops-… Mohan Parthasarathy
- [Gen-art] RE: Gen-ART review of draft-ietf-v6ops-… Black_David
- [Gen-art] Re: Gen-ART review of draft-ietf-v6ops-… Fred Baker
- [Gen-art] Re: Gen-ART review of draft-ietf-v6ops-… Mohan Parthasarathy
- [Gen-art] RE: Gen-ART review of draft-ietf-v6ops-… Black_David
- [Gen-art] Re: Gen-ART review of draft-ietf-v6ops-… Pekka Savola
- [Gen-art] Re: Gen-ART review of draft-ietf-v6ops-… Mohan Parthasarathy
- RE: [Gen-art] Re: Gen-ART review ofdraft-ietf-v6o… Black_David