IETF Logo Mail Archive

Re: [Int-area] Some thoughts on draft-yong-intarea-inter-sites-over-tunnels

"Templin, Fred L" <Fred.L.Templin@boeing.com> Tue, 06 December 2016 21:46 UTC

Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3F04129CAE for <int-area@ietfa.amsl.com>; Tue, 6 Dec 2016 13:46:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F-o0nUVJgxh0 for <int-area@ietfa.amsl.com>; Tue, 6 Dec 2016 13:46:50 -0800 (PST)
Received: from phx-mbsout-01.mbs.boeing.net (phx-mbsout-01.mbs.boeing.net [130.76.184.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFB4012943E for <int-area@ietf.org>; Tue, 6 Dec 2016 13:46:50 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by phx-mbsout-01.mbs.boeing.net (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with SMTP id uB6LkoYm041679; Tue, 6 Dec 2016 14:46:50 -0700
Received: from XCH15-06-08.nw.nos.boeing.com (xch15-06-08.nw.nos.boeing.com [137.136.238.222]) by phx-mbsout-01.mbs.boeing.net (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id uB6Lknvu041671 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=OK); Tue, 6 Dec 2016 14:46:49 -0700
Received: from XCH15-06-08.nw.nos.boeing.com (2002:8988:eede::8988:eede) by XCH15-06-08.nw.nos.boeing.com (2002:8988:eede::8988:eede) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Tue, 6 Dec 2016 13:46:48 -0800
Received: from XCH15-06-08.nw.nos.boeing.com ([137.136.238.222]) by XCH15-06-08.nw.nos.boeing.com ([137.136.238.222]) with mapi id 15.00.1178.000; Tue, 6 Dec 2016 13:46:48 -0800
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Joe Touch <touch@isi.edu>, Lucy yong <lucy.yong@huawei.com>, Brian E Carpenter <brian.e.carpenter@gmail.com>, "int-area@ietf.org" <int-area@ietf.org>
Thread-Topic: [Int-area] Some thoughts on draft-yong-intarea-inter-sites-over-tunnels
Thread-Index: AQHSSfUTLZDjgwj4v06xdSRLJ7spf6DwdPtAgAFWbFCAAJuxAP//gxPAgACJCwD//3tEwIAAjWUA//+BhHAAFPoOgAAP0p/A//+omgD//4m84IABfSIAgACA9qD//51zgIAAhBJQ//+I0oAAEIbo0AAPI8IAAC4ZozAAgC5ygAAP6STgAA0LaIAAA1bQkAAMNEeAABCsZzAAD499gAAvpk1QAE3mNQAAqxMmAAFD+EsAApg69rAFHyD3gApOvMjg
Date: Tue, 06 Dec 2016 21:46:47 +0000
Message-ID: <ef0bd101057340a5b82b1a49e028932c@XCH15-06-08.nw.nos.boeing.com>
References: <2a8ef418-91dc-b0c5-1384-203b4fde3830@gmail.com> <982c4212-34cb-21f1-c8a8-a23df18d5c30@isi.edu> <1ced07df7e8c453f8c0821363bc5604e@XCH15-06-08.nw.nos.boeing.com> <137debc3-eb11-5c13-884e-d8f6598e8ec9@isi.edu> <30ad1018463746b3b7ef5d864abc9ff3@XCH15-06-08.nw.nos.boeing.com> <e23fc6bd-c95d-9d38-74e1-c040bffe653f@isi.edu> <25503919e279426eb5fd827acf14d9c4@XCH15-06-08.nw.nos.boeing.com> <ceaf3563-ec86-8fe0-f67d-f50e9b9586ae@isi.edu> <05616d07ab3f420a8c0bd5556837d788@XCH15-06-08.nw.nos.boeing.com> <de82e183-f6dd-b872-eb21-981d57218a81@isi.edu> <a5713afee0f84c008e080f730350ed93@XCH15-06-08.nw.nos.boeing.com> <f69d6b1f-19fa-cb8d-f319-a18f7130bee6@isi.edu> <d9da3c70fcba42ddb6c7a60d8e80b6b4@XCH15-06-08.nw.nos.boeing.com> <622a5176-2b39-f08d-d31c-67aa076d52d6@isi.edu> <19fdababf617416ba19755fce7e2fcb7@XCH15-06-08.nw.nos.boeing.com> <c4cc5ab0-32b2-eff5-38de-803595263b21@isi.edu> <76d6861a032e444193553fe045a41eca@XCH15-06-08.nw.nos.boeing.com> <d6ef34df-3ff9-f989-1d5e-beafd512ff8a@isi.edu>
In-Reply-To: <d6ef34df-3ff9-f989-1d5e-beafd512ff8a@isi.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [137.136.248.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-TM-AS-MML: disable
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/FebwJu36x48GKbLuf9ZcMVg-y7c>
Subject: Re: [Int-area] Some thoughts on draft-yong-intarea-inter-sites-over-tunnels
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Dec 2016 21:46:53 -0000

Hi Joe,

> -----Original Message-----
> From: Joe Touch [mailto:touch@isi.edu]
> Sent: Tuesday, December 06, 2016 1:28 PM
> To: Templin, Fred L <Fred.L.Templin@boeing.com>; Lucy yong <lucy.yong@huawei.com>; Brian E Carpenter
> <brian.e.carpenter@gmail.com>; int-area@ietf.org
> Subject: Re: [Int-area] Some thoughts on draft-yong-intarea-inter-sites-over-tunnels
> 
> Fred,
> 
> ...
> >> A standard host Redirect affects only one host. This affects the entire
> >> subnet and needs better protection - which isn't always available.
> > That is what I said - several times. And, that is why RFC6706 specifies
> > mitigations for links where insider attacks may be a concern. For other
> > links, it could be that no mitigations are necessary.
> >
> > The due diligence of RFC6706 is a matter that I think should be appreciated
> > and not scorned.
> 
> I never scorned it; I just said that it's not complete.

RFC6706 has thoroughly discussed the threat model and provides effective
mitigations. It is therefore complete.

> If this is to be a generally useful mechanism, it needs to come out of
> the AERO spec and be described as a direct extension to IPv6 ND
> redirects, but that requires a much more detailed discussion of the
> security requirements and how they can be achieved in existing IPv6
> deployments.
> 
> >>>>> AERO uses the NBMA tunnel virtual link model meaning that IPv6 ND works
> >>>>> the same as for an NBMA physical link. The model supports traffic engineering,
> >>>>> multi-homing, route optimization, fault tolerance, mobility management and
> >>>>> security. Do you have a solution for these that does not require new code?
> >>>> I already mentioned it - existing IP forwarding with virtual L2
> >>>> interfaces. The existing IP forwarding supports TE, multihoming, route
> >>>> optimization, etc - all without any new code.
> >>> I am talking about traffic engineering in terms of selecting one or more underlying
> >>> interfaces in the both the outbond and inbound directions.
> >> Sure - the problem is that you have two different TEs running:
> >>
> >> - the main IP forwarding TE that picks the interface
> > The main IP forwarding code will always pick the (singular) areo0 interface.
> If there are multiple interfaces, why would it pick aero0? And what
> would its QoS be? It can't have a single value, so the main IP
> forwarding code can't decide between aero0 and other interfaces.

The IP forwarding table has an entry such as:

  2001:db8::/32 -> aero0

Meaning that any IPv6 packet with a destination that matches 2001:db8::/32
*and for which no more-specific route exists* goes out interface aero0
unconditionally. The packet will have a TOS value, and it is that TOS that
guides the aero0 interface on how to portion traffic over the underlying
interfaces.

> >> - the intra-interface forwarding that picks the L2 encaps
> > Yes.
> >
> >> That means the main TE is basically blind to the TE over the subnet.
> > So what?
> That means you potentially have two TEs fighting each other. I

There is no fight if the IP layer has only one outbound interface alternative.

> >> If you do this with separate L2 VIFs, the main TE can pick the VIF itself.
> > The interface does the right thing.
> The interface can only do the right thing with the traffic it has
> already been given by the main IP forwarder. It can't collaborate with
> that forwarder.

No, the AERO interface doesn't need to collaborate with the IP layer. All
it does is looks at the packet's TOS value and uses that to select one or
more outbound underlying interfaces.

> >> Everything you want can be done by the main IP forwarding engine -
> >> including ECMP.
> > You didn't address the point about mobility, nor the other points I raised.
> > Are you aware of a mobility solution that requires no supporting code?
> The other cases are either handled by existing IP forwarding or require
> exactly the same amount of mechanism inside the IP forwarder that you
> implement in the interface instead (e.g., for mobility and dogleg
> redirection).

AERO mobility management and route optimization are better than existing
approaches. That is why the aviation and corporate mobile device communities
are looking at it.

Thanks - Fred
fred.l.templin@boeing.com

> Joe

v2.23.0 | Report a Bug | By Email