Re: [L2tpext] Review of Keyed IPv6 Tunnel [draft-mkonstan-keyed-ipv6-tunnel-00]
"Carlos Pignataro (cpignata)" <cpignata@cisco.com> Sat, 26 October 2013 21:16 UTC
Return-Path: <cpignata@cisco.com>
X-Original-To: l2tpext@ietfa.amsl.com
Delivered-To: l2tpext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B14E11E8194 for <l2tpext@ietfa.amsl.com>; Sat, 26 Oct 2013 14:16:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.715
X-Spam-Level:
X-Spam-Status: No, score=-110.715 tagged_above=-999 required=5 tests=[AWL=-0.116, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6O21yBgRX98M for <l2tpext@ietfa.amsl.com>; Sat, 26 Oct 2013 14:15:59 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by ietfa.amsl.com (Postfix) with ESMTP id 9C74E11E8145 for <l2tpext@ietf.org>; Sat, 26 Oct 2013 14:15:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6039; q=dns/txt; s=iport; t=1382822157; x=1384031757; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=oAdi89dY8t3sTZCIwzx99b02Nv8gX07W3Nw90y7k9OI=; b=B7w4xFAa8PD6M+1KLolDnsDDG66DQPYVg/kcLxuaj+oF80JUf1EdoWr5 +Hs1/nm0dKhk72+vw3xyrg4lDiGpxkhtSt5bOwaFSHfouRzGThtD6BNvc 2sQQZx2nX8I0DX8vutCcqn+607U6gTBkh4gTlmhjDjCa35d5mYTGcjUdU w=;
X-IronPort-AV: E=Sophos;i="4.93,577,1378857600"; d="scan'208";a="274082025"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-9.cisco.com with ESMTP; 26 Oct 2013 21:15:57 +0000
Received: from xhc-rcd-x15.cisco.com (xhc-rcd-x15.cisco.com [173.37.183.89]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id r9QLFulX001948 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sat, 26 Oct 2013 21:15:56 GMT
Received: from xmb-aln-x02.cisco.com ([169.254.5.143]) by xhc-rcd-x15.cisco.com ([173.37.183.89]) with mapi id 14.02.0318.004; Sat, 26 Oct 2013 16:15:56 -0500
From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: "Maciek Konstantynowicz (mkonstan)" <mkonstan@cisco.com>
Thread-Topic: Review of Keyed IPv6 Tunnel [draft-mkonstan-keyed-ipv6-tunnel-00]
Thread-Index: AQHOyrtw5a015OQscUOKZg/mloPb3ZoHi6dM
Date: Sat, 26 Oct 2013 21:15:56 +0000
Message-ID: <1E6E9EB2-9C1D-4B2C-9981-3555A5E8E43D@cisco.com>
References: <95067C434CE250468B77282634C96ED322E0E780@xmb-aln-x02.cisco.com>, <96EE5A5F6E4E6448B2AC953A71A9739B2A750D26@xmb-rcd-x06.cisco.com>
In-Reply-To: <96EE5A5F6E4E6448B2AC953A71A9739B2A750D26@xmb-rcd-x06.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Maciek Konstantynowicz <maciek@cisco.com>, "Giles Heron (giheron)" <giheron@cisco.com>, "l2tpext@ietf.org" <l2tpext@ietf.org>, Rainer Schatzmayr <rainer.schatzmayr@telekom.de>, "Mark Townsley (townsley)" <townsley@cisco.com>, "pwe3-chairs@tools.ietf.org" <pwe3-chairs@tools.ietf.org>
Subject: Re: [L2tpext] Review of Keyed IPv6 Tunnel [draft-mkonstan-keyed-ipv6-tunnel-00]
X-BeenThere: l2tpext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Layer Two Tunneling Protocol Extensions <l2tpext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/l2tpext>, <mailto:l2tpext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/l2tpext>
List-Post: <mailto:l2tpext@ietf.org>
List-Help: <mailto:l2tpext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l2tpext>, <mailto:l2tpext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Oct 2013 21:16:05 -0000
Hi, Maciek, Thanks for your response! Please find two follow-ups inline and implicit Ack for all the rest. > On Oct 16, 2013, at 6:02 PM, "Maciek Konstantynowicz (mkonstan)" <mkonstan@cisco.com> wrote: > > Carlos, > > Sorry, took a while to get back to you.. > > Many thanks for your comments. See inline. > >> On 15 Aug 2013, at 21:13, Carlos Pignataro (cpignata) wrote: >> >> Hi, Rainer, Giles, Maciek, Mark, >> >> After the presentation of this draft in Berlin at the PWE3 meeting (with thanks to the PWE3 chairs!) available at http://tools.ietf.org/agenda/87/slides/slides-87-pwe3-2.pdf, I wanted to provide some review comments with the chair hat off. >> >> I hope these are useful and clear, they are prefaced with "CMP" > > All useful and clear - thanks for your review ! > >> >> >> http://tools.ietf.org/html/draft-mkonstan-keyed-ipv6-tunnel-00 >> >> Network Working Group R. Schatzmayr >> Internet-Draft Deutsche Telekom AG >> Intended status: Informational G. Heron, Ed. >> >> CMP: I do not think that the intended status of this document should be Informational, as you are proposing protocol changes. >> >> >> Abstract >> >> This document describes a simple L2 Ethernet over IPv6 tunnel >> encapsulation with mandatory 64-bit authentication key for connecting >> L2 Ethernet attachment circuits identified by IPv6 addresses. The >> encapsulation is based on L2TPv3 over IP. >> >> and >> >> 3. 64-bit Authentication Key >> >> All packets MUST carry a 64-bit authentication key in the L2TPv3 >> >> CMP: a cookie does not provide an authentication key. It is a simple context lookup check. > > Indeed the key in the cookie field is used for additional context check and to prevent spoofing and brute-force insertion attacks in line with RFC3931. > > Will correct the current text and align with RFC3931. > >> >> 1. Introduction >> >> CMP: It might be useful to mention in the introduction that there is precedence with proposals to do away with the session id lookup when considered redundant, as for example with draft-ietf-l2tpext-l2tphc. > > Agree. Will add reference to draft-ietf-l2tpext-l2tphc. > >> >> >> 2. Static 1:1 Mapping Without a Control Plane >> >> Use of the L2TPv3 Control Plane is optional. When the control plane >> is not used, local configuration creates a one-to-one mapping between >> the access-side L2 attachment circuit and the IP address used in the >> network-side IPv6 encapsulation. >> >> CMP: I am not sure I understand how it would work *with* the L2TPv3 Control Plane. Instead of saying that it is optional, I would say that it is out of scope or similar, and this behavior is specified for static sessions only. Optional means it can be used, and they you would have to say "how" (which new AVPs, etc). > > Agree. The intention here is to use static tunnels mapping. > Will update draft text accordingly. > >> >> Further, circuit monitoring is >> performed using Ethernet OAM mechanisms (802.1ag and/or Y.1731). >> >> CMP: Why Ethernet OAM and not L2TPv3/PW OAM? e.g., [RFC 5085]. > > Based on feedback from network operators to keep things simple and universal, with consistent tooling :) > > Most / all implementations of L2TPv3 / PW support Ethernet OAM with maintenance points at the tunnel endpoints, so it makes sense to use it to provide actual payload based connectivity verification. > Transport connectivity verification is achieved using IPv6 toolset. > Simple and universal is great. Using Ethernet OAM and IPv6 OAM are fine for checking the AC and the PSN respectively -- but not the PW itself. I'd explain this with more details than a single-liner. >> >> In the event that an IPv6 address used in L2TPv3 does not directly >> correspond to one and only one attachment circuit on both sides of >> the L2TPv3 tunnel, the Session ID may be used for additional >> granularity. This allows for other addressing schemes that may >> require additional bits beyond those which can fit in the IPv6 header >> address field. >> >> CMP: Assuming there are some gains in processing the session context from the IPv6 address instead of the session id, which could be described, is that lost with this last paragraph? Why have both? > > The idea here was to provide compatibility with existing RFC3931 implementations. > This is interesting. Perhaps the last sentence could be expanded into a subsection explaining this backward compat. Thanks! Carlos. >> >> >> 4. Encapsulation >> >> o Session ID. In the "Static 1:1 mapping" case described in >> Section 2, the IPv6 address resolves to an L2TPv3 session >> immediately, thus the Session ID may be ignored upon receipt. For >> compatibility with other tunnel termination platforms supporting >> only 2-stage resolution (IPv6 Address + Session ID), this >> specification recommends supporting explicit configuration of >> Session ID to any value other than zero. For cases where both >> tunnel endpoints support one-stage resolution (IPv6 Address only), >> this specification recommends setting the Session ID to all ones >> for easy identification in case of troubleshooting. >> >> CMP: Could you add that it is non-zero? > > Yes, will add. > >> >> 8.2. Informative References >> >> >> >> [RFC1700] Reynolds, J. and J. Postel, "Assigned Numbers", RFC 1700, >> October 1994. >> >> CMP: THis reference is not cited in the doc, please remove. > > Yes, will remove the reference. > > Thanks, > Maciek. > >> >> >> Thanks, >> >> -- Carlos. >
- [L2tpext] Review of Keyed IPv6 Tunnel [draft-mkon… Carlos Pignataro (cpignata)
- Re: [L2tpext] Review of Keyed IPv6 Tunnel [draft-… Maciek Konstantynowicz (mkonstan)
- Re: [L2tpext] Review of Keyed IPv6 Tunnel [draft-… Carlos Pignataro (cpignata)
- Re: [L2tpext] Review of Keyed IPv6 Tunnel [draft-… Maciek Konstantynowicz (mkonstan)
- Re: [L2tpext] Review of Keyed IPv6 Tunnel [draft-… Carlos Pignataro (cpignata)