IETF Logo Mail Archive

Re: [Int-area] Some thoughts on draft-yong-intarea-inter-sites-over-tunnels

"Templin, Fred L" <Fred.L.Templin@boeing.com> Tue, 06 December 2016 19:34 UTC

Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 805FF129AB4 for <int-area@ietfa.amsl.com>; Tue, 6 Dec 2016 11:34:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mtdx9CM0qNe1 for <int-area@ietfa.amsl.com>; Tue, 6 Dec 2016 11:34:28 -0800 (PST)
Received: from phx-mbsout-02.mbs.boeing.net (phx-mbsout-02.mbs.boeing.net [130.76.184.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A445129A57 for <int-area@ietf.org>; Tue, 6 Dec 2016 11:31:21 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by phx-mbsout-02.mbs.boeing.net (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with SMTP id uB6JVKoj039693; Tue, 6 Dec 2016 12:31:21 -0700
Received: from XCH15-06-09.nw.nos.boeing.com (xch15-06-09.nw.nos.boeing.com [137.136.239.172]) by phx-mbsout-02.mbs.boeing.net (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id uB6JVCWn039590 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=OK); Tue, 6 Dec 2016 12:31:12 -0700
Received: from XCH15-06-08.nw.nos.boeing.com (2002:8988:eede::8988:eede) by XCH15-06-09.nw.nos.boeing.com (2002:8988:efac::8988:efac) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Tue, 6 Dec 2016 11:31:12 -0800
Received: from XCH15-06-08.nw.nos.boeing.com ([137.136.238.222]) by XCH15-06-08.nw.nos.boeing.com ([137.136.238.222]) with mapi id 15.00.1178.000; Tue, 6 Dec 2016 11:31:11 -0800
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Joe Touch <touch@isi.edu>, Lucy yong <lucy.yong@huawei.com>, Brian E Carpenter <brian.e.carpenter@gmail.com>, "int-area@ietf.org" <int-area@ietf.org>
Thread-Topic: [Int-area] Some thoughts on draft-yong-intarea-inter-sites-over-tunnels
Thread-Index: AQHSSfUTLZDjgwj4v06xdSRLJ7spf6DwdPtAgAFWbFCAAJuxAP//gxPAgACJCwD//3tEwIAAjWUA//+BhHAAFPoOgAAP0p/A//+omgD//4m84IABfSIAgACA9qD//51zgIAAhBJQ//+I0oAAEIbo0AAPI8IAAC4ZozAAgC5ygAAP6STgAA0LaIAAA1bQkAAMNEeAABCsZzAAD499gAAvpk1Q
Date: Tue, 06 Dec 2016 19:31:11 +0000
Message-ID: <d9da3c70fcba42ddb6c7a60d8e80b6b4@XCH15-06-08.nw.nos.boeing.com>
References: <2a8ef418-91dc-b0c5-1384-203b4fde3830@gmail.com> <d4e08982-03f8-fe5e-0c67-aa5cd7f26275@isi.edu> <e4096f9729474e00915432aa5c3af300@XCH15-06-08.nw.nos.boeing.com> <b82247d0-5221-ad60-3c4f-6e3287ef1fa9@isi.edu> <f54cd95a4f974ca189e2b3fb24864b97@XCH15-06-08.nw.nos.boeing.com> <a3f0ade1-2145-ee28-31cf-d5a4878b507c@isi.edu> <1707aa63f4e4424e85a8933a79b43dfe@XCH15-06-08.nw.nos.boeing.com> <982c4212-34cb-21f1-c8a8-a23df18d5c30@isi.edu> <1ced07df7e8c453f8c0821363bc5604e@XCH15-06-08.nw.nos.boeing.com> <137debc3-eb11-5c13-884e-d8f6598e8ec9@isi.edu> <30ad1018463746b3b7ef5d864abc9ff3@XCH15-06-08.nw.nos.boeing.com> <e23fc6bd-c95d-9d38-74e1-c040bffe653f@isi.edu> <25503919e279426eb5fd827acf14d9c4@XCH15-06-08.nw.nos.boeing.com> <ceaf3563-ec86-8fe0-f67d-f50e9b9586ae@isi.edu> <05616d07ab3f420a8c0bd5556837d788@XCH15-06-08.nw.nos.boeing.com> <de82e183-f6dd-b872-eb21-981d57218a81@isi.edu> <a5713afee0f84c008e080f730350ed93@XCH15-06-08.nw.nos.boeing.com> <f69d6b1f-19fa-cb8d-f319-a18f7130bee6@isi.edu>
In-Reply-To: <f69d6b1f-19fa-cb8d-f319-a18f7130bee6@isi.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [137.136.248.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-TM-AS-MML: disable
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/LRIziYzXnARYezN6GMqEaZSSvOU>
Subject: Re: [Int-area] Some thoughts on draft-yong-intarea-inter-sites-over-tunnels
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Dec 2016 19:34:29 -0000

Hi Joe,

> -----Original Message-----
> From: Joe Touch [mailto:touch@isi.edu]
> Sent: Tuesday, December 06, 2016 11:11 AM
> To: Templin, Fred L <Fred.L.Templin@boeing.com>; Lucy yong <lucy.yong@huawei.com>; Brian E Carpenter
> <brian.e.carpenter@gmail.com>; int-area@ietf.org
> Subject: Re: [Int-area] Some thoughts on draft-yong-intarea-inter-sites-over-tunnels
> 
> Fred,
> 
> First, we are violently agreeing that subnet redirect works only where
> source addresses cannot be spoofed. The problem is that this is not the
> typical case, so it's not a generic solution IMO.

The same can be said about ordinary host-based Redirect (only works where
the source address cannot be spoofed). The only difference is the attack
surface is larger for subnet redirection which is why RFC6706 does the
due diligence of supporting data origin authentication.

Again, this is to defeat "insider" attacks. In environments where insider
attacks are not a matter of concern, then there is not even a need for
data origin authentication.

> On the general architecture point:
> 
> 
> On 12/6/2016 11:04 AM, Templin, Fred L wrote:
> > ...
> >> The X-Bone works too, and didn't need any of that specialized code
> >> above.
> > Has X-Bone carried forward into modern implementations?
> Its model for IPsec transport + IPIP tunnels is used in commercial routers.

ISATAP is in commercial routers and widely deployed host implementations
too. Go to any Windows host , open a command window and type "ipconfig"
and you will see an ISATAP interface. (The code is also in linux.)

> It doesn't require new code anywhere, though - it has been compatible
> with OS-X, FreeBSD, and Linux for nearly 20 years.
> 
> And its model is the basis of the tunnel draft.
> 
> We can continue to do things the hard way, needing new code and
> mechanism, or the easy way that does not. I prefer the easy way.

AERO uses the NBMA tunnel virtual link model meaning that IPv6 ND works
the same as for an NBMA physical link. The model supports traffic engineering,
multi-homing, route optimization, fault tolerance, mobility management and
security. Do you have a solution for these that does not require new code?

Thanks - Fred
fred.l.templin@boeing.com

> Joe

v2.23.0 | Report a Bug | By Email