IETF Logo Mail Archive

Re: [I2nsf] Magnus Westerlund's Discuss on draft-ietf-i2nsf-sdn-ipsec-flow-protection-12: (with DISCUSS)

Rafa Marin-Lopez <rafa@um.es> Mon, 23 November 2020 18:19 UTC

Return-Path: <rafa@um.es>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88E203A064A; Mon, 23 Nov 2020 10:19:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.218
X-Spam-Level:
X-Spam-Status: No, score=-0.218 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=um.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uGHS0EqQat-h; Mon, 23 Nov 2020 10:19:32 -0800 (PST)
Received: from mx01.puc.rediris.es (outbound5mad.lav.puc.rediris.es [130.206.19.148]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24E4B3A0621; Mon, 23 Nov 2020 10:19:31 -0800 (PST)
Received: from xenon42.um.es (xenon42.um.es [155.54.212.169]) by mx01.puc.rediris.es with ESMTP id 0ANIJSrJ016131-0ANIJSrK016131; Mon, 23 Nov 2020 19:19:28 +0100
Received: from localhost (localhost [127.0.0.1]) by xenon42.um.es (Postfix) with ESMTP id 22D4420C62; Mon, 23 Nov 2020 19:19:28 +0100 (CET)
X-Virus-Scanned: by antispam in UMU at xenon42.um.es
Received: from xenon42.um.es ([127.0.0.1]) by localhost (xenon42.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 6NCuTdhivim3; Mon, 23 Nov 2020 19:19:28 +0100 (CET)
Received: from quantum.inf.um.es (quantum.inf.um.es [155.54.204.208]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: rafa@um.es) by xenon42.um.es (Postfix) with ESMTPSA id 7EDB620BE3; Mon, 23 Nov 2020 19:19:25 +0100 (CET)
From: Rafa Marin-Lopez <rafa@um.es>
Message-Id: <9E65120A-D864-4E56-9954-BA536EF88363@um.es>
Content-Type: multipart/alternative; boundary="Apple-Mail=_AC9CD1B0-59BF-4602-BD5F-BC258AE65941"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\))
Date: Mon, 23 Nov 2020 19:19:24 +0100
In-Reply-To: <160458812991.16036.6729267088975668048@ietfa.amsl.com>
Cc: Rafa Marin-Lopez <rafa@um.es>, The IESG <iesg@ietf.org>, i2nsf@ietf.org, draft-ietf-i2nsf-sdn-ipsec-flow-protection@ietf.org, ynir.ietf@gmail.com, i2nsf-chairs@ietf.org
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
References: <160458812991.16036.6729267088975668048@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3445.104.14)
X-FEAS-SPF: spf-result=pass, ip=155.54.212.169, helo=xenon42.um.es, mailFrom=rafa@um.es
Authentication-Results: mx01.puc.rediris.es; spf=pass (rediris.es: domain of rafa@um.es designates 155.54.212.169 as permitted sender) smtp.mailfrom=rafa@um.es
X-FE-Policy-ID: 2:15:0:SYSTEM
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=um.es; s=DKIM; c=relaxed/relaxed; h=from:message-id:content-type:mime-version:subject:date:cc:to:references; bh=hw77Ls4DLKW+BsdUexfp0ZD0loWoOnS+TEsW7au3uzo=; b=rJ7DqmBLeMnSOjkCAcs/7yEii5fH/dlF2tM1ARoNL2flpFKkt/XS6xhVhzq4ISGDIfJ/K7d2wswf M2WKmH/aEPbDXbgS+bHLK1AoPJOXgnWK4Dr7vvCGlYdbZRcwES4Evl+Oiva8K8WpMlU17rM4GFyS DgrWmTx1nW/aGJ+ufblUq+TtKfhHK4pdLCVmm1pkjnTkcIGidWQANLiHQvn75eWP4h6MRsyJYw0e l1lrxbHAThM7vRigYUHvfuRn1ZVhKyGFaHbxfTcvjXJERCUJahnAfAV6IVBqRzwV9YRWxXjBXjq7 9bMn7kGz2blFK1A1EaBhwoyb/f2QtajufYTrvQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/ICQXUndu_S64OQBLgDDmfjfYu7Y>
Subject: Re: [I2nsf] Magnus Westerlund's Discuss on draft-ietf-i2nsf-sdn-ipsec-flow-protection-12: (with DISCUSS)
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2020 18:19:35 -0000

Dear Magnus:

Thank you very much for your review. Please, see our comments below.

> El 5 nov 2020, a las 15:55, Magnus Westerlund via Datatracker <noreply@ietf.org> escribió:
> 
> Magnus Westerlund has entered the following ballot position for
> draft-ietf-i2nsf-sdn-ipsec-flow-protection-12: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
>        leaf ecn {
>          type boolean;
>          default false;
>          description
>            "Explicit Congestion Notification (ECN). If true
>            copy CE bits to inner header.";
>          reference
>            "Section 5.1.2 and Appendix C in RFC 4301.";
>        }
> 
> There is something wrong here, likely in the description of the option. This as
> the outer IP header on sender side needs to set ECN field to ECT to enable so
> that any CE marks can be received. I think it is reasonable to have an option
> to just enable ECN, but that requires several things. Secondly with the changes
> in RFC 8311, there might be need to be more explicit in the configuration of
> ECN to actually indicate which ECT value that should be set on send side for
> the established IPsec tunnel. Due to under discussion experiments with ECT
> values per RFC 8311 we should verify that just copying the inner header value
> to the external is fine and don't break anything as path and/or marking
> behavior may not be the same.

[Authors] Yes, we agree with you that this is poorly explained and needs to be clarified.

On the one hand, RFC 6040 mentions:

"Modes:  RFC 4301 tunnel endpoints do not need modes and are not
updated by the modes in the present specification.  Effectively,
an  RFC 4301 IPsec ingress solely uses the REQUIRED normal mode of
encapsulation, which is unchanged from RFC 4301 encapsulation. 
It will never need the OPTIONAL compatibility mode as explained 
in Section 4.3”.

Therefore, our interpretation is that for RFC 4301 tunnels we can only apply 
Figure 3 ("Normal mode” column), which means copying the values of inner header to outer header.

On the other hand, regarding your comment about RFC 8311, our interpretation is that only specifying copy would be not enough for certain cases based on RFC 8311 so there might be a need to set an ECT(0) or ECT(1) when the inner packet could be ECT(0) or ECT(1) but copying is not valid. For example, if the inner packet has ECT(0) or ECT(1) but we want to set the outer IP header with ECT(0) for either case. Is this interpretation correct? If it is, we think we could accommodate this as:

container ecn {
       leaf copy-or-set { 
         type boolean;
         default true; 
         description 
           "If True the ECN field of the incoming IP header
           is copied to the outer IP header of the tunnel following
           RFC 6040 normal mode. If False, it is possible to set
           a specific ECT value (ECT (0) or ECT (1) to the outer
           header of the tunnel.";
         reference 
           "RFC 6040. RFC 8311.";
       }
       leaf set {
         when "../copy-or-set = 'true'";
                 
         type enumeration {         
           enum ect0 {
             value 0;
             description 
               "ECT(0)";
           }
           enum ect1 {
             value 1; 
             description 
               "ECT(1)";
           }
         }
         description 
           "To set an specific ECT value in the 
           outer IP header when the inner IP header contains ECT(0)
           or ECT(1) value.";
         reference 
           "RFC 8311";
       }
       description 
         "Explicit Congestion Notification (ECN) management.";
       reference 
         "RFC 6040. RFC 8311";
     } 


Does this reflect what you had in mind?

> 
> I think there is also the question if RFC 6040 needs to be referenced in this
> context to ensure that people pick up on that RFC 6040 updates RFC 4301.

[Authors] Correct. RFC 6040 is the proper reference.

Best Regards.


> 
> 
> 
> 
> 
> _______________________________________________
> I2nsf mailing list
> I2nsf@ietf.org
> https://www.ietf.org/mailman/listinfo/i2nsf

-------------------------------------------------------
Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
-------------------------------------------------------

v2.23.0 | Report a Bug | By Email