Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2tpext-keyed-ipv6-tunnel-01
Karsten Thomann <karsten_thomann@linfre.de> Fri, 20 February 2015 17:05 UTC
Return-Path: <karsten_thomann@linfre.de>
X-Original-To: l2tpext@ietfa.amsl.com
Delivered-To: l2tpext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 970FB1A1BA5; Fri, 20 Feb 2015 09:05:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.561
X-Spam-Level:
X-Spam-Status: No, score=-1.561 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5LbGLpvaBK6A; Fri, 20 Feb 2015 09:05:11 -0800 (PST)
Received: from linfre.de (linfre.de [83.151.26.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EAD581A0187; Fri, 20 Feb 2015 09:05:09 -0800 (PST)
Received: from e7240.linfre (109.47.3.62) by linfreserv.linfre (Axigen) with (ECDHE-RSA-AES256-SHA encrypted) ESMTPSA id 110E28; Fri, 20 Feb 2015 18:04:42 +0100
From: Karsten Thomann <karsten_thomann@linfre.de>
To: Giles Heron <giles.heron@gmail.com>, 6man WG <ipv6@ietf.org>
Date: Fri, 20 Feb 2015 18:03:39 +0100
Message-ID: <1635584.UzB5GEszaB@e7240.linfre>
User-Agent: KMail/4.14.4 (Linux/3.17.1-52.g5c4d099-desktop; KDE/4.14.4; x86_64; ; )
In-Reply-To: <C787CFA0-ABAF-4687-BECB-9F94B5C7EE3F@gmail.com>
References: <232077E7-7135-41E8-B0DB-C786F8C410CA@employees.org> <24947916.dqx4YFu3F7@e7240.linfre> <C787CFA0-ABAF-4687-BECB-9F94B5C7EE3F@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="nextPart178058516.ygeVq0WHir"
Content-Transfer-Encoding: 7bit
X-AXIGEN-DK-Result: No records
DomainKey-Status: no signature
X-AxigenSpam-Level: 5
Archived-At: <http://mailarchive.ietf.org/arch/msg/l2tpext/OfQwihZf68kfxJ8jb5OTjCe3ms0>
Cc: l2tpext@ietf.org, l2tpext-chairs@tools.ietf.org
Subject: Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2tpext-keyed-ipv6-tunnel-01
X-BeenThere: l2tpext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Layer Two Tunneling Protocol Extensions <l2tpext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/l2tpext>, <mailto:l2tpext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/l2tpext/>
List-Post: <mailto:l2tpext@ietf.org>
List-Help: <mailto:l2tpext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l2tpext>, <mailto:l2tpext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Feb 2015 17:05:13 -0000
Hi Giles comments inline. Am Mittwoch, 18. Februar 2015, 15:18:56 schrieb Giles Heron: > Hi Karsten, > > thanks for your comments. My apologies for the delay in processing them. > > more inline: > > On 22 Jan 2015, at 14:50, Karsten Thomann <karsten_thomann@linfre.de> wrote: > > Hi, > > ... > > 4. Is there any reason to not use src + dst ip for all cases instead to > > only use it for the case that the local ip is used for more than one > > tunnel? I think every device should know from which IPs it receives > > packets for a specific local l2tp ip as the cookie must be configured and > > should be unique per tunnel. > I'm not sure the cookie needs to be unique per tunnel? The session ID is > unique per tunnel/IP address pair. And in the 1:1 case the session ID is > ignored. I will try rephrase it in another way, I was thinking about if it is possible to merge section 2 and 4 at chapter 2: The IPv6 L2TPv3 tunnel encapsulating device uniquely identifies each Ethernet L2 attachment connection by a port ID or a combination of port ID and VLAN ID(s) on the access side, and by a Source and Destination IPv6 address pair on the network side. I can't think about a case where this should cause problems, as it won't forbid the use of a single address for multiple tunnels or are there any deployment scenarios where it should be possible to use multiple source IPs to send traffic to a single tunnel? > > 6. I'm not sure if it should be added to the security considerations > > section, but in RFC 3931 it is mentioned that there are no checksums for > > the packets as ipv6 and l2tp have none. I know it was especially > > mentioned for the control packets, but it also applies to all other > > packets with payload. > isn't that more of an issue of detecting corrupted packets than a security > consideration? Re detecting corrupted packets we already have two > mechanisms: 1) the hop-by-hop FCS > 2) the payload's own mechanisms (in general the keyed IP tunnel will be > carrying UDP and TCP traffic that has its own checksum). > > so I guess the question is whether there's much value in inserting another > level of check in between those two (e.g. an end-to-end integrity check for > the tunnel itself)? As noted I'm really sure if it should be added, I know there was a lenghty diskussion about checksums for some tunnel mechanisms, but not sure if it was mpls over udp or a gre over IPv6 draft... If no one else is thinking that it should be noted that there is no end to end checksum I'm fine with it. Regards Karsten > Giles > > > Regards > > > > Karsten > >
- [L2tpext] 6MAN cross-wg review: draft-ietf-l2tpex… Ole Troan
- Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2… 神明達哉
- Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2… Karsten Thomann
- Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2… Ole Troan
- Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2… Karsten Thomann
- Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2… Giles Heron
- Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2… Karsten Thomann
- Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2… Giles Heron
- Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2… Carlos Pignataro (cpignata)