Re: [Int-area] Comments for draft-ietf-intarea-tunnels-02
Joe Touch <touch@isi.edu> Wed, 08 June 2016 20:49 UTC
Return-Path: <touch@isi.edu>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AA7B12D5B6 for <int-area@ietfa.amsl.com>; Wed, 8 Jun 2016 13:49:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.326
X-Spam-Level:
X-Spam-Status: No, score=-3.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Omi9Kf9o3-TT for <int-area@ietfa.amsl.com>; Wed, 8 Jun 2016 13:49:04 -0700 (PDT)
Received: from nitro.isi.edu (nitro.isi.edu [128.9.208.207]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9249812D5A4 for <int-area@ietf.org>; Wed, 8 Jun 2016 13:49:04 -0700 (PDT)
Received: from [128.9.160.211] (mul.isi.edu [128.9.160.211]) (authenticated bits=0) by nitro.isi.edu (8.13.8/8.13.8) with ESMTP id u58Kmmwg027786 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 8 Jun 2016 13:48:49 -0700 (PDT)
To: Vincent Roca <vincent.roca@inria.fr>, townsley@cisco.com
References: <DC49264E-9590-4B63-B1B6-E87F486114C2@inria.fr>
From: Joe Touch <touch@isi.edu>
Message-ID: <53cf28eb-bbda-a4ba-908e-205bfdc00f43@isi.edu>
Date: Wed, 08 Jun 2016 13:48:48 -0700
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <DC49264E-9590-4B63-B1B6-E87F486114C2@inria.fr>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-MailScanner-ID: u58Kmmwg027786
X-ISI-4-69-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/b9vgoAsjcLsPQuWtRycROp3H7I0>
Cc: int-area@ietf.org
Subject: Re: [Int-area] Comments for draft-ietf-intarea-tunnels-02
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jun 2016 20:49:07 -0000
Hi, Vincent, Thanks for your detailed comments. All are queued up for the next revision. Comments below only where needed. Joe On 6/8/2016 7:44 AM, Vincent Roca wrote: > Hello everybody, > > > First of all, I need to say that I found the > draft-ietf-intarea-tunnels-02 I-D extremely useful > and wish I found it before. > > We exchanged a few private emails with Joe last week and I promised to > send detailed > comments on the list. Here they are... Sorry if this is a bit long. ... > I also clarified the case of encapsulation header size that is deducted. It's worth noting throughout that MTU is defined as the size of the payload. > ** Path MTU definition: I think it's worth clarifying that we focus on > the tunnel PMTU in this I-D. > I also explain that the encapsulation header size has already been > subtracted from the > Tunnel PMTU. > > OLD: > o Path MTU (PMTU): the largest message that can transit a path. > Typically, this is the minimum of the link MTUs of the links of > the path. > > NEW: > o Path MTU: the largest message that can transit a path. > Typically, this is the minimum of the link MTUs of the links of > the path. > > o Tunnel Path MTU (TunnelPMTU): the largest Tunnel Transit Packet > (or fragment) > that can transit inside the tunnel's path. The encapsulation > header size is already > subtracted from TunnelPMTU and this TunnelPMTU is not visible > from outside the > tunnel, unlike the Tunnel MTU. This definition is what the tunnel MTU is intended to convey. I think we do need another term for the path MTU between the egress and ingress but NOT inside the tunnel. I prefer to just call that the PMTU between the ingress and egress, though. > > > ** In tunnel MTU definition: > Say explicitly that the encapsulation header size has already been > subtracted from > the Tunnel MTU, since encapsulation headers are considered as > "headers from lower > protocols" and therefore excluded. > > OLD: > o Tunnel MTU (TMTU): the largest message that can transit a tunnel. > Typically, this is limited by the egress reassembly MTU. > > NEW: > o Tunnel MTU (TunnelMTU): the largest message that can transit a > tunnel. > The encapsulation header size is already subtracted from TunnelMTU. > Typically, the TunnelMTU is limited by the EgressRMTU. This should be clarified as the MTU that can transit *inside* a tunnel. ... > ** Still section 4.1: we cannot say that 1500 is the minimum > EgressRMTU as > we need to remove the encapsulation header size before as detailed above. > I also tried to explain why... Not easy! Do you have a better explanation? It's because IPv6 uses the term MTU in terms of the link payload, not as the network payload. Throughout this doc, we similarly refer to the tunnel as a link, so link MTU is the correct notion. ... > ** Section 5.2: I fully agree with: > "Detect when the egress MTU drops below the required minimum and shut > down the tunnel if that happens - configuring the tunnel down and > issuing a hard error may be the only way to detect this anomaly, and > it's sufficiently important that the tunnel SHOULD be disabled." > > However this not only an implementation aspect. This is also required > for security > reasons and therefore it should be discussed in the Security > Considerations section > as well. E.g., we observed opposite behaviors from an on-the-shelf IPsec > implementation and discussed consequences in our (now expired) > draft-roca-ipsecme-ptb-pts-attack-00. > > [WG: we already discussed this aspect in private emails with Joe last > week.] See below - I think Vincent and I are still working on this... > ** Section 5.4.4: it is said, for the "consistent with this doc" part, > that: > "Shuts the tunnel down if the tunnel path MTU isn't => 1280." > This contradicts the example of section 4.1 where TunnelPMTU == > 1280-40-TOptSz > is valid... > Do you mean "Shuts the tunnel down if the Tunnel MTU, seen from the > outside network, > isn't >= 1280"? Yes. That's consistent with tunnel = link and MTU = payload. > ** Section 6, Security considerations > As already discussed privately with Joe, I may have other items but > still need > to think it over. > > > ** Section A.1: the following sentence is ambiguous: > OLD: > "When the encapsulated packet exceeds the MTU of the tunnel, the > packet needs to be fragmented." > This is the Tunnel Path MTU, not MTU of the tunnel which can be > understood as > synonymous to the Tunnel MTU. It's the tunnel MTU, as clarified above. > ** Section A.1/ A.2: > Discussion in section 4.1 assumes an Outer Fragmentation scheme. The > notion of > Egress Reassembly also assumes an Outer Fragmentation. In fact it > seems to be > the model assumed throughout this I-D but this is not clearly stated > unless I missed > something. Am I right? You are correct. > It's clearly more universal as it does not make any assumption on the > inner packet > (can it be fragmented on path or not, as explained in A.2). > I think the I-D should identify from the beginning the assumption made > (Outer vs. > Inner fragmentation) as it will impact the discussion. Said > differently move Appendix A > in Section 3 for instance. Point taken, esp. with discussions on other lists (e.g., v6ops) and the notion of "recursive" tunneling (X in X, for any X). Joe
- Re: [Int-area] Comments for draft-ietf-intarea-tu… Templin, Fred L
- Re: [Int-area] Comments for draft-ietf-intarea-tu… Joe Touch
- Re: [Int-area] Comments for draft-ietf-intarea-tu… Templin, Fred L
- Re: [Int-area] Comments for draft-ietf-intarea-tu… Joe Touch
- Re: [Int-area] Comments for draft-ietf-intarea-tu… Templin, Fred L
- Re: [Int-area] Comments for draft-ietf-intarea-tu… Joe Touch
- Re: [Int-area] Comments for draft-ietf-intarea-tu… Templin, Fred L
- Re: [Int-area] Comments for draft-ietf-intarea-tu… Templin, Fred L
- Re: [Int-area] Comments for draft-ietf-intarea-tu… Vincent Roca
- Re: [Int-area] Comments for draft-ietf-intarea-tu… Vincent Roca
- [Int-area] Comments for draft-ietf-intarea-tunnel… Vincent Roca
- Re: [Int-area] Comments for draft-ietf-intarea-tu… Joe Touch
- Re: [Int-area] Comments for draft-ietf-intarea-tu… Vincent Roca
- Re: [Int-area] Comments for draft-ietf-intarea-tu… Templin, Fred L
- Re: [Int-area] Comments for draft-ietf-intarea-tu… Joe Touch