IETF Logo Mail Archive

[I2nsf] Magnus Westerlund's Discuss on draft-ietf-i2nsf-sdn-ipsec-flow-protection-12: (with DISCUSS)

Magnus Westerlund via Datatracker <noreply@ietf.org> Thu, 05 November 2020 14:55 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: i2nsf@ietf.org
Delivered-To: i2nsf@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id E622D3A17D4; Thu, 5 Nov 2020 06:55:29 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Magnus Westerlund via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-i2nsf-sdn-ipsec-flow-protection@ietf.org, i2nsf-chairs@ietf.org, i2nsf@ietf.org, Yoav Nir <ynir.ietf@gmail.com>, ynir.ietf@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.21.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Magnus Westerlund <magnus.westerlund@ericsson.com>
Message-ID: <160458812991.16036.6729267088975668048@ietfa.amsl.com>
Date: Thu, 05 Nov 2020 06:55:29 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/50kJKf20PfiF08BWn1AzSDk1SNk>
Subject: [I2nsf] Magnus Westerlund's Discuss on draft-ietf-i2nsf-sdn-ipsec-flow-protection-12: (with DISCUSS)
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Nov 2020 14:55:30 -0000

Magnus Westerlund has entered the following ballot position for
draft-ietf-i2nsf-sdn-ipsec-flow-protection-12: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

        leaf ecn {
          type boolean;
          default false;
          description
            "Explicit Congestion Notification (ECN). If true
            copy CE bits to inner header.";
          reference
            "Section 5.1.2 and Appendix C in RFC 4301.";
        }

There is something wrong here, likely in the description of the option. This as
the outer IP header on sender side needs to set ECN field to ECT to enable so
that any CE marks can be received. I think it is reasonable to have an option
to just enable ECN, but that requires several things. Secondly with the changes
in RFC 8311, there might be need to be more explicit in the configuration of
ECN to actually indicate which ECT value that should be set on send side for
the established IPsec tunnel. Due to under discussion experiments with ECT
values per RFC 8311 we should verify that just copying the inner header value
to the external is fine and don't break anything as path and/or marking
behavior may not be the same.

I think there is also the question if RFC 6040 needs to be referenced in this
context to ensure that people pick up on that RFC 6040 updates RFC 4301.

v2.23.0 | Report a Bug | By Email