Re: [I2nsf] Magnus Westerlund's Discuss on draft-ietf-i2nsf-sdn-ipsec-flow-protection-12: (with DISCUSS)

Hi,

Please see below. 

On Wed, 2020-11-25 at 14:48 +0000, Magnus Westerlund wrote:
> 
> On Mon, 2020-11-23 at 19:19 +0100, Rafa Marin-Lopez wrote:
> > Dear Magnus:
> > 
> > Thank you very much for your review. Please, see our comments below.
> > 
> > > ----------------------------------------------------------------------
> > > DISCUSS:
> > > ----------------------------------------------------------------------
> > > 
> > >        leaf ecn {
> > >          type boolean;
> > >          default false;
> > >          description
> > >            "Explicit Congestion Notification (ECN). If true
> > >            copy CE bits to inner header.";
> > >          reference
> > >            "Section 5.1.2 and Appendix C in RFC 4301.";
> > >        }
> > > 
> > > There is something wrong here, likely in the description of the option.
> > > This
> > > as
> > > the outer IP header on sender side needs to set ECN field to ECT to enable
> > > so
> > > that any CE marks can be received. I think it is reasonable to have an
> > > option
> > > to just enable ECN, but that requires several things. Secondly with the
> > > changes
> > > in RFC 8311, there might be need to be more explicit in the configuration
> > > of
> > > ECN to actually indicate which ECT value that should be set on send side
> > > for
> > > the established IPsec tunnel. Due to under discussion experiments with ECT
> > > values per RFC 8311 we should verify that just copying the inner header
> > > value
> > > to the external is fine and don't break anything as path and/or marking
> > > behavior may not be the same.
> > 
> > [Authors] Yes, we agree with you that this is poorly explained and needs to
> > be
> > clarified.
> > 
> > On the one hand, RFC 6040 mentions:
> > 
> > "Modes:  RFC 4301 tunnel endpoints do not need modes and are not
> > updated by the modes in the present specification.  Effectively,
> > an  RFC 4301 IPsec ingress solely uses the REQUIRED normal mode of
> > encapsulation, which is unchanged from RFC 4301 encapsulation. 
> > It will never need the OPTIONAL compatibility mode as explained 
> > in Section 4.3”.
> > 
> > Therefore, our interpretation is that for RFC 4301 tunnels we can only
> > apply 
> > Figure 3 ("Normal mode” column), which means copying the values of inner
> > header to outer header.
> > 
> > On the other hand, regarding your comment about RFC 8311, our interpretation
> > is that only specifying copy would be not enough for certain cases based on
> > RFC 8311 so there might be a need to set an ECT(0) or ECT(1) when the inner
> > packet could be ECT(0) or ECT(1) but copying is not valid. For example, if
> > the
> > inner packet has ECT(0) or ECT(1) but we want to set the outer IP header
> > with
> > ECT(0) for either case. Is this interpretation correct? If it is, we think
> > we
> > could accommodate this as:
> > 

Sorry, I think I lead you astray due to no understanding the context here
sufficiently. So as long as the option is to turn on "Normal Mode" for tunnel
processing of the ECN bits or not then you can disregard the whole thing about
RFC 8311. The applications that will use alternative behaviors for ECN will have
to know that the consumer understand the semantics. So in this case as the IPSec
tunnel only copies the bits back and forth no additional action is needed. 

So please remove the whole second sentence and the RFC8311 reference.

In addition to the first part of the below description. It only mentions the
encapsulation action. So my quesiton, is this configuration only for the
encapsulating entity, or for a whole tunnel and applied to both ends? If it is
the later, then I think you should take note of the need to process the outer
ECN field and remark per RFC6040. 

Cheers

Magnus

> > container ecn {
> >        leaf copy-or-set { 
> >          type boolean;
> >          default true; 
> >          description 
> >            "If True the ECN field of the incoming IP header
> >            is copied to the outer IP header of the tunnel following
> >            RFC 6040 normal mode. If False, it is possible to set
> >            a specific ECT value (ECT (0) or ECT (1) to the outer
> >            header of the tunnel.";
> >          reference 
> >            "RFC 6040. RFC 8311.";
> >        }
> >        leaf set {
> >          when "../copy-or-set = 'true'";
> >                  
> >          type enumeration {         
> >            enum ect0 {
> >              value 0;
> >              description 
> >                "ECT(0)";
> >            }
> >            enum ect1 {
> >              value 1; 
> >              description 
> >                "ECT(1)";
> >            }
> >          }
> >          description 
> >            "To set an specific ECT value in the 
> >            outer IP header when the inner IP header contains ECT(0)
> >            or ECT(1) value.";
> >          reference 
> >            "RFC 8311";
> >        }
> >        description 
> >          "Explicit Congestion Notification (ECN) management.";
> >        reference 
> >          "RFC 6040. RFC 8311";
> >      } 
> > 
> > 
> > Does this reflect what you had in mind?
> > 
> > > I think there is also the question if RFC 6040 needs to be referenced in
> > > this
> > > context to ensure that people pick up on that RFC 6040 updates RFC 4301.
> > 
> > [Authors] Correct. RFC 6040 is the proper reference.
> > 
> > Best Regards.
> > 
> > 
> > > 
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > I2nsf mailing list
> > > I2nsf@ietf.org
> > > https://www.ietf.org/mailman/listinfo/i2nsf
> > 
> > -------------------------------------------------------
> > Rafa Marin-Lopez, PhD
> > Dept. Information and Communications Engineering (DIIC)
> > Faculty of Computer Science-University of Murcia
> > 30100 Murcia - Spain
> > Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
> > -------------------------------------------------------
> > 
> > 
> > 
> > 

Re: [I2nsf] Magnus Westerlund's Discuss on draft-ietf-i2nsf-sdn-ipsec-flow-protection-12: (with DISCUSS)

Attachment: smime.p7s