Re: [IPsec] Some comments to the draft-gundavelli-ipsecme-3gpp-ims-options-00.txt
"Sri Gundavelli (sgundave)" <sgundave@cisco.com> Sun, 21 April 2013 20:48 UTC
Return-Path: <sgundave@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB64121F93D7 for <ipsec@ietfa.amsl.com>; Sun, 21 Apr 2013 13:48:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 00PCYlv1ntGS for <ipsec@ietfa.amsl.com>; Sun, 21 Apr 2013 13:48:07 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) by ietfa.amsl.com (Postfix) with ESMTP id 524B421F93D6 for <ipsec@ietf.org>; Sun, 21 Apr 2013 13:48:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6007; q=dns/txt; s=iport; t=1366577287; x=1367786887; h=from:to:cc:subject:date:message-id:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=jvcnFsPpZqvL4LkRdvhUj2J/7mBFZQhmQC0vb0DyVQA=; b=mKe3JaImkFQngjgfSq1kHqQwrK4MgUIwBR/rtgMluA/xTSE6znhzfNci 9o8Aad/PHF2u+K+SYdKVCghc/AJ5hhX6e+FiXpsWGkfvmtUy1PV18enhf iFFgpuJMNn261L2xHNqypgABj4bchpwUqNR+snd7GZZPvxT0D/DGP6oc8 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgEFACVPdFGtJXG8/2dsb2JhbABPgwbBOYEBFnSCIQEEJxM/EgEIIhRCJQIEAQ0FCIgMunePDjEHgmZhA5NGlGmDDIIo
X-IronPort-AV: E=Sophos;i="4.87,520,1363132800"; d="scan'208";a="201267899"
Received: from rcdn-core2-1.cisco.com ([173.37.113.188]) by rcdn-iport-8.cisco.com with ESMTP; 21 Apr 2013 20:48:07 +0000
Received: from xhc-aln-x05.cisco.com (xhc-aln-x05.cisco.com [173.36.12.79]) by rcdn-core2-1.cisco.com (8.14.5/8.14.5) with ESMTP id r3LKm6c6004797 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sun, 21 Apr 2013 20:48:06 GMT
Received: from xmb-aln-x03.cisco.com ([169.254.6.159]) by xhc-aln-x05.cisco.com ([173.36.12.79]) with mapi id 14.02.0318.004; Sun, 21 Apr 2013 15:48:06 -0500
From: "Sri Gundavelli (sgundave)" <sgundave@cisco.com>
To: Tero Kivinen <kivinen@iki.fi>, "Aeneas Dodd-Noble (noblea)" <noblea@cisco.com>, "jouni.nospam@gmail.com" <jouni.nospam@gmail.com>, "baboescu@broadcom.com" <baboescu@broadcom.com>
Thread-Topic: Some comments to the draft-gundavelli-ipsecme-3gpp-ims-options-00.txt
Thread-Index: AQHOPBbfkK3N7LSI7ECyznXpomQb85jhCVaA
Date: Sun, 21 Apr 2013 20:48:06 +0000
Message-ID: <24C0F3E22276D9438D6F366EB89FAEA81024577A@xmb-aln-x03.cisco.com>
In-Reply-To: <20847.48212.437658.582136@fireball.kivinen.iki.fi>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.3.120616
x-originating-ip: [10.32.246.211]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <1E2EE21E54FE5D4BB1156AF7E9615A68@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] Some comments to the draft-gundavelli-ipsecme-3gpp-ims-options-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Apr 2013 20:48:08 -0000
Hi Tero, Thanks a lot for the review comments. This is very helpful. Please see inline. On 4/18/13 2:26 AM, "Tero Kivinen" <kivinen@iki.fi> wrote: >In section 3 and 4, there is text saying: > >---------------------------------------------------------------------- >... > Length (2 octets) > Length of the value field in octets. In this case, its 4. >... > Length (2 octets) > Length of the value field in octets. In this case, its 16. >... >---------------------------------------------------------------------- > >But the length of the configuration attribute value can also be 0 for >the requests. At least in general case, I do not know whether this >P-CSCF_IP{4,6}_ADDRESS option is supposed to be normal configurable >option or something else. In normal case the client either sends empty >request, and server fills the value in, or the client sends request >telling the preferred value, and server either replies with that or >something else. The goal is to allow the client to request for the configuration value, so the server can populate it. So, the client sends a request with a NULL/0.0.0.0 value, and the server can include the Attribute with a proper value in the response message. > >The draft also says: > >---------------------------------------------------------------------- > Multiple instances of this Attribute with different values can be > present in the configuration payload and there is no implied > preferrential order. >---------------------------------------------------------------------- > >In RFC5996 we have text which says that for INTERNAL_IP{4,6}_ADDRESS >the multi-valued return values only work in a way, that client sends >as many entries in the request as it is willing to get back in the >reply, and server can only return as many (or fewer) items there was >in the request. This is to allow client to decide whether it wants to >support multi-valued addresses. Do you want to do similar thing here, >or is it assumed that all implementations do allow multiple values for >this attribute? The text from RFC5996 says as follows: The client should be able to include a single a instance of the Attribute with a value of 0.0.0.0, but the server should be able to offer one or more instances of the Attribute. In this case, there is no real requirement for the client to indicate capability for multiple instances. We can safely assume the client can handle one or more values. We did have some discussion on if there is an implied order when multiple instances of the Attribute or present. In the context of 3GPP interface where it will be used, the server obtains these Attribute values from the PGW over S2b interface and there is no such order on that interface. So, we will not indicate any order, its up to the client on how it decides to use those values. > >---------------------------------------------------------------------- > o INTERNAL_IP4_ADDRESS, INTERNAL_IP6_ADDRESS - An address on the > internal network, sometimes called a red node address or private > address, and it MAY be a private address on the Internet. In a > request message, the address specified is a requested address (or > a zero-length address if no specific address is requested). If a > specific address is requested, it likely indicates that a previous > connection existed with this address and the requestor would like > to reuse that address. With IPv6, a requestor MAY supply the low- > order address octets it wants to use. Multiple internal addresses > MAY be requested by requesting multiple internal address > attributes. The responder MAY only send up to the number of > addresses requested. >---------------------------------------------------------------------- > >This also points out how the request can either be empty or have some >previously used value in. Do you want to do similar thing here? The request should be empty. I don't believe ePDG is sending specific hints over S2b interface and so we are bound by that interface definition. I will check the spec to be sure. > >Also in section 5 Example Scenario, it would be nice to have values >filled in to the P-CSCF_IP{4,6}_ADDRESS attributes, just like you have >values filled to other attributes (INTERNAL_IP4_ADDRESS and >INTERNAL_IP4_DNS). I.e. the request is most likely empty and reply >contains something. Sure. Will address these comments. These are very good comment. Very helpful. Appreciate it. Regards Sri > >---------------------------------------------------------------------- > Client Gateway > -------- --------- > > HDR(IKE_SA_INIT), SAi1, KEi, Ni --> > > <-- HDR(IKE_SA_INIT), SAr1, KEr, Nr, [CERTREQ] > > HDR(IKE_AUTH), > SK { IDi, CERT, [CERTREQ], AUTH, [IDr], > CP(CFG_REQUEST) = > { INTERNAL_IP4_ADDRESS(), > INTERNAL_IP4_DNS(), > P-CSCF_IP4_ADDRESS, > P-CSCF_IP6_ADDRESS }, SAi2, > TSi = (0, 0-65535, 0.0.0.0-255.255.255.255), > TSr = (0, 0-65535, 0.0.0.0-255.255.255.255) } --> > > <-- HDR(IKE_AUTH), > SK { IDr, CERT, AUTH, > CP(CFG_REPLY) = > { INTERNAL_IP4_ADDRESS(192.0.2.234), > P-CSCF_IP4_ADDRESS, > P-CSCF_IP6_ADDRESS, > INTERNAL_IP4_DNS(198.51.100.33) }, > SAr2, > TSi = (0, 0-65535, 192.0.2.234-192.0.2.234), > TSr = (0, 0-65535, 0.0.0.0-255.255.255.255) } > > > Figure 4: P-CSCF Attribute Exchange >-- >kivinen@iki.fi
- [IPsec] Some comments to the draft-gundavelli-ips… Tero Kivinen
- Re: [IPsec] Some comments to the draft-gundavelli… Sri Gundavelli (sgundave)
- Re: [IPsec] Some comments to the draft-gundavelli… Tero Kivinen
- Re: [IPsec] Some comments to the draft-gundavelli… Sri Gundavelli (sgundave)