[L2tpext] Comments on draft-ietf-l2tpext-tunnel-switching-03.txt
"W. Mark Townsley" <townsley@cisco.com> Fri, 27 September 2002 15:06 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA22880 for <l2tpext-archive@lists.ietf.org>; Fri, 27 Sep 2002 11:06:27 -0400 (EDT)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id g8RF5Gv27548; Fri, 27 Sep 2002 11:05:17 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id g8RF3tv27486 for <l2tpext@optimus.ietf.org>; Fri, 27 Sep 2002 11:03:55 -0400
Received: from sj-msg-core-2.cisco.com (sj-msg-core-2.cisco.com [171.69.24.11]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA22796 for <l2tpext@ietf.org>; Fri, 27 Sep 2002 11:01:57 -0400 (EDT)
Received: from iwan-view3.cisco.com (iwan-view3.cisco.com [171.69.24.144]) by sj-msg-core-2.cisco.com (8.12.2/8.12.2) with ESMTP id g8RF3Lt7022890 for <l2tpext@ietf.org>; Fri, 27 Sep 2002 08:03:21 -0700 (PDT)
Received: from cisco.com ([10.32.255.3]) by iwan-view3.cisco.com (8.8.8-Cisco List Logging/CISCO.WS.1.2) with SMTP id IAA19828 for <l2tpext@ietf.org>; Fri, 27 Sep 2002 08:03:19 -0700 (PDT)
Message-ID: <3D9472B6.60201@cisco.com>
Date: Fri, 27 Sep 2002 17:01:10 +0200
From: "W. Mark Townsley" <townsley@cisco.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1) Gecko/20020826
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: l2tpext@ietf.org
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Subject: [L2tpext] Comments on draft-ietf-l2tpext-tunnel-switching-03.txt
Sender: l2tpext-admin@ietf.org
Errors-To: l2tpext-admin@ietf.org
X-BeenThere: l2tpext@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/l2tpext>, <mailto:l2tpext-request@ietf.org?subject=unsubscribe>
List-Id: Layer Two Tunneling Protocol Extensions <l2tpext.ietf.org>
List-Post: <mailto:l2tpext@ietf.org>
List-Help: <mailto:l2tpext-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/l2tpext>, <mailto:l2tpext-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Getting better, but still needs work IMO. Comments inline by WMT.
Thanks,
- Mark
Network Working Group Reinaldo Penno
Internet-Draft Nortel Networks
Expires Feb 2003 Vipin Jain
Pipal Systems
Steve McGeown
Sandvine Inc.
Ly Loi
Tahoe Networks
Marc Eaton-Brown
Devoteam FrontRunner
August 2002
L2TP Tunnel Switching
draft-ietf-l2tpext-tunnel-switching-03.txt
Status of this Memo
This document is an Internet-Draft and is subject to all provisions
of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet- Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
The distribution of this memo is unlimited. It is filed as <draft-
ietf-l2tpext-tunnel-switching-03.txt> and expires Feb 2003. Please
send comments to the L2TP mailing list (l2tpext@ietf.org).
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
L2TP Tunnel Switching, also called L2TP Multihop, is the process of
forwarding layer2 payload from an L2TP session to another L2TP
session over a different tunnel. It facilitates moving the logical
termination point of an L2TP session, based on layer2 characteristics
or administrative policies, to a different LNS. This document
introduces the L2TP tunnel switching nomenclature, defines the
behavior of standard AVPs [L2TP] in tunnel switching deployment, and
proposes protocol extensions for inter-operable tunnel switching
implementation.
Jain, et al. expires Feb 2003 [Page 1]
INTERNET DRAFT L2TP Tunnel Switching August 2002
Contents
Status of this Memo.......................................... 1
1. Introduction.............................................. 2
2. Purpose of tunnel switching............................... 3
3. Handling standard AVPs.................................... 4
4. Proposed Extensions for tunnel switching.................. 7
5. StopCCN/CDN Messages and L2TP tunnel Switching............ 8
6. IANA Considerations....................................... 9
7. Security Considerations................................... 9
8. Authors Addresses......................................... 9
9. Acknowledgments........................................... 10
10. References............................................... 10
Appendix A................................................... 11
Terminology
Tunnel Switching Aggregator (TSA): These are the devices that switch
the layer2 data on an incoming L2TP session/tunnel on to another L2TP
session/tunnel. TSA functions as an LNS for the inbound tunnel and as
a LAC for the outbound tunnel.
Inbound Tunnel: L2TP Control Connection on TSA where TSA is acting as
LNS.
Outbound Tunnel: L2TP Control Connection on TSA where TSA is acting
as LAC.
1. Introduction
[L2TP] allows processing of layer2 packets to be divorced from the
termination of the layer2 circuit. L2TP tunnel switching facilitates
moving the termination point of a layer2 session further on to
another LNS that potentially is unknown to the first LAC. It does so
by re-tunnelling the layer2 session within another L2TP tunnel to a
different LNS. The knowledge of whether to switch a layer2 session to
Jain, et al. expires Feb 2003 [Page 2]
INTERNET DRAFT L2TP Tunnel Switching August 2002
another L2TP tunnel can be static or dynamic (for example during PPP
session is establishment).
L2 User LAC TSA LNS
[LNS LAC]
|---- L2-----|
|---- L2/L2TP ----|
|-- L2 --|
|----- L2/L2TP -----|
|------ tunnel switching ----|
The figure above presents a typical tunnel switching scenario for
incoming calls. The user opens a layer2 (for example PPP) session
WMT Are we going to mayke this RFC2661-specific or not? If so, I think we can go
ahead and call this a "PPP" session vs. a "layer2" session. If we are going to
make it L2TPv3 based, we probably need more nomenclature changes than just this.
What we have here seems sort of in-between.
to a LAC, which puts the layer2 session into a L2TP tunnel that
terminates on a TSA. The TSA being LNS, based on local policies
determines which tunnel should be used to further tunnel the
layer2 session. The same layer2 session is switched onto another L2TP
tunnel originating on the TSA and terminating on the LNS. If
the TSA decides to terminate the layer2 session it will not
re-tunnel the packet.
2. Purpose of tunnel switching
Tunnel switching enables higher administrative control on how layer2
sessions are engineered in L2TP deployments.
WMT "higher administrative control," "layer2 sessions are engineered" - this is
a little broad and encompassing. I think we should come down to earth a bit here.
- L2TP tunnel switching divorces the location of the LAC that
implements administrative policies. A LAC may not always have the
administrative control/capability to know whether the LNS that
would be most appropriate to terminate a layer2 session handling.
For example, PC based LACs might not be aware of the service
provider's policies. In some cases it may not be desirable
to expose such policies to a LAC that resides on the
customer premises, whereas in other situations a LAC might not such
exhibit rich functionality. Local policies could be based on
traffic (to balance the traffic across multiple LNSs), class of
service (to allow preferred sessions onto distinguished LNSs), or
layer 2 parameters (to direct traffic for different ISPs to different
LNS, for example based on PPP user information).
- There are situations where the administrative domain of a LAC, such
as a Local Exchange Carrier (LEC) or Competitive Local Exchange
Carrier (CLEC), are not the same as that of an LNS, and often are the
Internet Service Provider (ISP) terminating the subscriber's layer2
connections. In such situations, a tunnel switched multi tier
deployment helps the Carrier.
Jain, et al. expires Feb 2003 [Page 3]
INTERNET DRAFT L2TP Tunnel Switching August 2002
(ILEC or CLEC) hide its internal network connectivity from the
ISPs. It eases the configuration/manageability across different
administrative domains. For example, for every new LAC added in
the Carrier's network, an ISPs do not need to reconfigure their LNSs.
Since for them the LAC could always be the TSA.
- Layer2 sessions wholesaling: L2TP tunnel switching allows using a
common L2TP control connection on the LAC for sessions that are
eventually destined to different LNSs (ISPs). This enables the
wholesaler to bundle layer2 sessions belonging different ISPs on
to a single tunnel.
WMT I am sometimes reading "control connection" and sometimes reading "tunnel"
for what I think are the same things. I understand that in RFC2661 this can be
ambiguous, but please try to be consistent in your new doc. At least in the same
paragraph ;-)
It would be administratively easier to manage
this flat configuration.
WMT But if you go through a tunnel switch, it's not a flat configuration, its
tiered. Some things may become easier to manage when you aggregate traffic at
the TSA, but other things become more difficult. For example, debugging a single
session problem may very well become more difficult as you have to trace a user
with a problem through each TSA, rather than knowing immediately which LAC the
user is connected to at the LNS.
3. Handling standard AVPs
This section defines the behavior of AVPs defined in [L2TP]
on TSA, as to whether they should be RELAYED, DROPPED or REGENERATED.
RELAYED AVPs are forwarded transparently only if they are present in
the incoming message.
DROPPED AVPs are the dropped if present in the incoming message.
REGENERATED AVPs are the AVPs that are dropped on an inbound tunnel
and are regenerated as defined by [L2TP] for an outbound tunnel as
if there was no tunnel switching, possibly resulting in the same
value.
WMT I wonder if we need a special set of AVPs that may be "stacked" as is done
in the sessinfo for nas-port and hostname tracing. Note that I am not suggesting
that we try and allow stacking of existing AVPs, just defining the mechanism for
other drafts, such as sessinfo, to utilize.
For some AVPs, to get a value to be RELAYED, the TSA might be
required to defer sending a reply to a message on an inbound
(or outbound) tunnel until it gets the reply for a corresponding
request on outbound (or inbound) tunnel.
Message Type (All Messages) - MUST be REGENERATED
Random Vector (All Messages) - MUST be REGENERATED
Result Code (CDN, StopCCN) - SHOULD be REGENERATED based on
recommendations discussed in section 5.
Protocol Version (SCCRQ, SCCRP) - MUST be REGENERATED. This
would allow TSA to switch sessions when inbound and outbound
tunnels use different versions of the L2TP protocol.
Framing Capabilities (SCCRQ, SCCRP) - On outbound tunnels, the
TSA SHOULD REGENERATE this AVP based upon Framing Capabilities
Jain, et al. expires Feb 2003 [Page 4]
INTERNET DRAFT L2TP Tunnel Switching August 2002
of one or more inbound tunnels whose sessions could be switched
to the outbound tunnel. Similarly, the inbound tunnel AVP SHOULD
be REGENERATED by the TSA based upon the Framing Capabilities of
the outbound tunnel.
Bearer Capabilities (SCCRQ, SCCRP) - For the outbound tunnel,
the AVP SHOULD be REGENERATED based upon Bearer Capabilities of
one or more inbound tunnels whose sessions may be switched to
the outbound tunnel. Similarly, the inbound tunnel AVP SHOULD be
REGENERATED by the TSA based upon the Bearer Capabilities of the
outbound tunnel.
Tie Breaker (SCCRQ) - MUST be REGENERATED
Firmware Revision (SCCRP, SCCRQ) - MUST be REGENERATED.
Host Name (SCCRP, SCCRQ) - MAY be RELAYED, REGENERATED, or
DROPPED.
Vendor Name (SCCRP, SCCRQ) - SHOULD be REGENERATED.
Assigned tunnel ID (SCCRP, SCCRQ, StopCCN) - MUST be REGENERATED.
Receive Window Size (SCCRQ, SCCRP) - MUST be REGENERATED.
For example the value of this AVP could be choosen based on
Receive Window Sizes of the tunnels the TSA is going to be
switching sessions to. Appendix A has more information on
congestion control in L2TP tunnel switching environments.
Challenge (SCCRP, SCCRQ) - MUST be REGENERATED.
Challenge Response (SCCCN, SCCRP) - MUST be REGENERATED.
Q.931 Cause Code (CDN) - MUST NOT be REGENERATED and can only be
RELAYED or DROPPED.
Assigned Session ID (CDN, ICRP, ICRQ, OCRP, OCRQ) - MUST be
REGENERATED.
Call Serial Number (ICRQ, OCRQ) - SHOULD be RELAYED. It would
best serve the intended purpose of this AVP and facilitate easier
debugging.
Minimum BPS (OCRQ) - MUST be RELAYED.
Maximum BPS (OCRQ) - MUST be RELAYED.
Jain, et al. expires Feb 2003 [Page 5]
INTERNET DRAFT L2TP Tunnel Switching August 2002
Bearer Type (ICRQ, OCRQ) - MUST be RELAYED.
Framing Type (ICCN, OCCN, OCRQ) - MUST be RELAYED.
Called Number (ICRQ, OCRQ) - SHOULD be RELAYED.
Calling Number (ICRQ) - SHOULD be RELAYED.
Sub-Address (ICRQ, OCRQ) - SHOULD be RELAYED.
(Tx) Connect Speed (ICCN, OCCN) - MUST be RELAYED
Rx Connect Speed (ICCN, OCCN) - MUST be RELAYED
Physical Channel ID (ICRQ, OCRP) - MAY be RELAYED, REGENERATED,
or DROPPED.
WMT What is the difference between MAY RELAY and MAY REGENERATE? Since
"REGENERATION" includes the ability to use the same value received, RELAY seems
to just be a subset of REGENERATION.
WMT Nice first shot at the list here, not an easy process. I see a lot of MAYs
and SHOULDs right now. Perhaps we should enforce a base mode of operation,
applying a "MUST" category to all AVPs that we possibly can. Then, in a separate
section, AVPs with SHOULDs or MAYs that we are indecisive on. In general, the
more MUSTs (and not "MUST NOT"s) we have, the better. Having them grouped would
make it a little easier, at least for me, to try and grasp.
Private Group ID (ICCN) - MAY be RELAYED, REGENERATED, or
DROPPED.
Sequencing Required (ICCN, OCCN) - SHOULD be REGENERATED.
Initial Received LCP CONFREQ (ICCN) - MUST NOT be REGENERATED and
can only be RELAYED or DROPPED. Proxy LCP AVPs (Initial Received
LCP CONFREQ, Last Sent LCP CONFREQ and Last Received LCP CONFREQ)
MUST be either all DROPPED or all RELAYED.
Last Sent LCP CONFREQ (ICCN) - MUST NOT be REGENERATED.
WMT If you don't REGENERATE it, what do you do to it? RELAY? DROP? In general, I
think it would be more clear to say what to _do_ vs. what not to do whenever
possible.
Last Received LCP CONFREQ (ICCN) - MUST NOT be REGENERATED.
WMT Whenever we say "regenerate" we will have to be clear about what it is
regenerated with. For example, I think this assumes that PPP is run again at
each TSA, which may not be the case. PPP might operate over the tunnel switches
end to end (if you base your new tunnel off information, say, in the ICRQ,
control connection the ICRQ arrives on, etc. vs. PPP negotiation). We might have
to identify this as two modes of operation, and account in the standard for each.
Proxy Authen Type (ICCN) - MUST NOT Be regenerated and can only be
RELAYED or DROPPED.
WMT Why not REGENERATED? What if, at my first TSA, I allow PPP without any auth
(say, so that the user is not prompted for a password) and then renegotiate LCP
with CHAP at the next hop where the real policy enforcement is?
WMT I am thinking that in order to get into what MUST be done for some of these
AVPs, we need to define very clearly the assumed mode of operation with regard
to PPP negotiation, what information is used to setup a new session and when,
etc. Not necessarily easy stuff to pin down, I know.
Proxy Authentication AVPs (Proxy Authen
Name AVP, Proxy Authen Challenge Proxy Authen ID and Proxy
Authen Response AVP) MUST be either all DROPPED or all RELAYED.
Proxy Authen Name (ICCN) - MUST NOT be REGENERATED.
Proxy Authen Challenge (ICCN) - MUST NOT be REGENERATED.
Proxy Authen ID (ICCN) - MUST NOT be REGENERATED.
Proxy Authen Response (ICCN) - MUST NOT be REGENERATED.
Call Errors (WEN) - MUST NOT be REGENERATED.
ACCM (SLI) - MUST NOT be REGENERATED.
PPP Disconnect Cause AVP (defined by [RFC 3145]) - MUST NOT be
REGENERATED.
Jain, et al. expires Feb 2003 [Page 6]
INTERNET DRAFT L2TP Tunnel Switching August 2002
4. Proposed Extensions for tunnel switching
In this section we present new AVPs that simply permits
enhanced and interoperable tunnel switching support. Additionally
proposing to solve some trade-offs that arise by deploying
L2TP tunnel switching.
4.1 Tunnel Capacity AVP (All Messages)
The tunnel Capacity AVP, Attribute Type TBD, indicates the
sesion capacity of the sender over an L2TP control connection.
LAC/LNS could interpret this AVP to know if the peer it is
connected to has capacity of receive any more sessions.
The absolute value in this AVP is opaque to the peer,
however relative (current to maximum) could be interpreted
as a measure of peer's capacity. It could be an indicative
of bandwidth, session capacity, administrative limit, etc.
The Attribute Value field for this AVP has the following format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPN Length | Service Profile Name ... (arbitrary length) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Maximum Capacity |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Current Capacity |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
WMT If your Max and Current Capacity values are fixed, there is no need for an
SPN length in this AVP. Further, I wonder why you wouldn't use separate AVPs here?
The Service Profile Name is a configured (e.g. ISP or Domain name)
unique name between the TSA and its peer. It is up to 256 bytes
long, but MUST be at least 1 octet. It is assumed that a tunnel
might carry sessions for multiple Service Profiles and this AVP
allows specifying the capacity for a Service Profile.
The Maximum Capacity indicates the maximum (reference) capacity of
the TSA for a service profile. Its value is opaque to the TSA's
peer. For example, an implementation could choose to use this to
be an indicative of maximum number of sessions, maximum bandwidth,
etc.
The Current Capacity indicates the current capacity of the TSA.
Like Maximum Capacity AVP its value is also opaque to the TSA's
peer. The value of this AVP indicates the relatively (relative to
Maximum Capacity) how many more sessions the TSA could handle.
WMT This sounds like something that could be moderately useful to any LAC, LNS
or TSA. Why can't we just put this in its own "Load Balancing" or "Service
Profile Capacity" draft?
This AVP MAY be hidden (the H-bit can be either 0 or 1). The M-bit
for this AVP MUST be set to 0.
Jain, et al. expires Feb 2003 [Page 7]
INTERNET DRAFT L2TP Tunnel Switching August 2002
4.2 TSA ID AVP (ICRQ, OCRQ)
WMT This is broken through a NAT, with L2TP over ATM, L2TP over FR, and assumes
that Hostname is unique for a given management domain of IP addresses. The
latter may be untrue in cases where, for example, a number of LACs need to
connect to a given LNS using a common Hostname AVP to obtain a common policy
profile on that LNS. If any of those LACs are behind NATs, this doesn't work.
The TSA ID AVP, Attribute Type TBD, could be used to detect if a
session is looping in an L2TP tunnel switched network. This AVP
would occur as many times as the number of TSAs in the network. It
is inserted by TSA while generating an ICRQ or OCRQ when it
switches a session. All incoming TSA ID AVPs MUST be copied
unaltered to the REGENERATED ICRQ or OCRQ.
The TSA SHOULD check to see if its own Hostname and IP Addresses
is present in one of the TSA ID AVP.
WMT If the hostname and IP address in the TSA is checked only against "its own"
Hostname and IP address as stated above, then loop detection only works if the
loop traverses the starting point. Given that we are assuming one's topology may
be so convoluted and broken that a loop is possible, then we would have to
assume that the loop may actually start *after* the initial LAC. In fact, that
is probably the case, considering the initial LAC would _probably_ not be
configured as a TSA as well.
If it does then it MUST
respond with a CDN carrying a Result Code AVP indicating Result
Code to be 'General Error', Error Code indicating 'Loop Detected'
TBD, and optionally a description indicating the loop condition.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HN Length | HostName ... (arbitrary length) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IP address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
WMT Why do you need an HN Length? You know the length of the AVP, and last I
checked IPv4 addresses were always 4 bytes ;-) As with the above new AVP, it
would really make more sense in my code for these to be separate AVPs. Most
other code I have seen it would be as well. Further, this way you could extend
this to IPv6, FR, ATM, etc. without having to affect the Hostname value. In
fact, you don't even need to copy the Hostname if you state that the existing
Hostname value is either RELAYED as defined in this draft, or stacked as defined
in the sessinfo draft.
The Hostname MUST be the same as that used on the Hostname AVP
when the tunnel was established.
The IP address field represents the TSA's IPv4 address on a tunnel
where a session is being switched to.
This AVP MAY be hidden (the H-bit can be either 0 or 1). The M-bit
for this AVP MUST be set to 0.
5. StopCCN/CDN Messages and L2TP tunnel Switching
The administrative policies on the TSA would always supersede how a
TSA should be interpreting or not interpreting the CDN/StopCCN
messages generated by it's peer.
However, the recommended behavior is that, if a TSA receives a
StopCCN/CDN message from a peer, it SHOULD convey the same message
received on inbound or outbound tunnel. The Result Code AVP, which is
an indicative of the type of error, should be relayed as well. The
following sections recommends the more specific situations and on how
the StopCCN/CDN Error Codes are to be interpreted.
Jain, et al. expires Feb 2003 [Page 8]
INTERNET DRAFT L2TP Tunnel Switching August 2002
5.1 TSA receiving CDN Error Code-7 from an LNS
The TSA should try to establish the session on one of the
remaining LNS peers as determined by the configured policies on
the TSA - if there are none available it should generate a CDN
message for the LAC with the Error Code-7.
5.2 TSA reaching the aggregate session limit.
In this situation the TSA SHOULD generate a CDN message with Error
Code-4 for the LAC.
5.3 TSA failing to establish an outbound tunnel
The TSA should try to establish the session on one of the
remaining LNS peers as determined by the configured policies on
the TSA - if there are none available it should generate a CDN
message for LAC with the Error Code-1.
6. IANA Considerations
This document requires two new "AVP Attributes" to be assigned
through IETF Consensus [RFC2434]:
Tunnel Capacity AVP (section 4.1)
TSA Id AVP (section 4.2)
This document defines no additional number spaces for IANA to manage.
7. Security Considerations
L2TP tunnel switching inherits all security issues from [L2TP] and
does not introduce any new security issues.
WMT Sure it does. What about carrying the IP address and Hostname of the
originating LAC around through multiple Hops and administrative domains? What
about the ability to obtain "Maximum Capacity" profiles and using this to
optimize DoS attacks? I know, "use IPsec," but in the absence of IPsec, these
are additional security issues.
8. Author's Addresses
Reinaldo Penno
Nortel Networks
2305 Mission College Blvd
Santa Clara, CA 95054
Phone: +1 408.565.3023
Email: rpenno@nortelnetworks.com
Steve McGeown
Sandvine Inc.
Phone: +1 519.880.2230
Email: smcgeown@sandvine.com
Jain, et al. expires Feb 2003 [Page 9]
INTERNET DRAFT L2TP Tunnel Switching August 2002
Ly Loi
Tahoe Networks
3052 Orchard Drive
San Jose, CA 95134
Phone: +1 408.944.8630
Email: lll@tahoenetworks.com
Marc Eaton-Brown
Devoteam FrontRunner Ltd.
Union House
182-194 Union Street
London SE1 OLH
Phone: +44 7989 498337
Email: mebrown@devoteam-frontrunner.com
Vipin Jain
Pipal Systems
2903 Bunker Hill Ln #210
Santa Clara, CA 95054
Phone: +1 408.470.9700
Email: vipinietf@yahoo.com
9. Acknowledgments
Thanks to W. Mark Townsley of Cisco Systems and Mark Llacuna of
Nortel Networks for their valuable comments.
10. References
[L2TP] RFC 2661, W. Townsley, A. Valencia, A. Rubens, G. Pall,
G. Zorn, B. Palter, "Layer 2 Tunnel Protocol (L2TP)",
RFC2661, August 1999.
[PPP] RFC 1661, Simpson, W., "The Point-to-Point Protocol (PPP)",
STD 51, RFC 1661, July 1994.
[RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC 3145] RFC 3145, Verma, et. al.
"L2TP Disconnect Cause Information", July 2001
Jain, et al. expires Feb 2003 [Page 10]
INTERNET DRAFT L2TP Tunnel Switching August 2002
Appendix A
Considerations for Congestion Avoidance
[L2TP] recommends slow start and congestion avoidance techniques be
used on the control connection. That alone may not be sufficient to
deal with congestion problems in tunnel switched deployments.
Primarily because a TSA terminates the control connection and
initiates another one. For example, while switching incoming calls,
outbound tunnel might be more congested than inbound tunnel, in which
case even if two tunnels are implementing slow start and congestion
avoidance procedures, the effectiveness of end to end (first LAC to
last LNS in tunnel switched network) congestion control might not be
achieved.
WMT The point of the congesting control, really, was to ensure that the
intervening network is not overly utilized (like TCP). Yes, it also provides
some congestion control of the peer for processing messages, which is probably
the more useful effect in practice.
In order to deal with the situation it is recommended that
a TSA utilize the congestion information from the outbound tunnel to
provide feedback information in following manner:
- It could stop accepting new ICRQs with the issue of the
appropriate cause code in ICCNs
WMT Don't you mean in a CDN?
WMT Another way is to ZLB ack (or piggyback ack) and ICRQ, and wait before
sending the ICRP. A drastic measure if life is really bad, is to simply drop
incoming messages so that the peer backs off exponentially.
- It could utilize a Tunnel Capacity AVP to indicate that TSA might
not have capacity to handle more sessions on the given incoming
tunnel.
This will ensure the TSA to be as transparent as possible to the
congestion in the network and provide end to end congestion control.
WMT Well, I wouldn't call it end to end congestion control in the strict sense
of the word. But, yes, these mechanisms could help bring the sessions up without
thrashing. I think that we may need to be a little more specific here though.
Jain, et al. expires Feb 2003 [Page 11]
_______________________________________________
L2tpext mailing list
L2tpext@ietf.org
https://www1.ietf.org/mailman/listinfo/l2tpext
- [L2tpext] Comments on draft-ietf-l2tpext-tunnel-s… W. Mark Townsley
- Re: [L2tpext] Comments on draft-ietf-l2tpext-tunn… Vipin Jain