IETF Logo Mail Archive

Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2tpext-keyed-ipv6-tunnel-01

Giles Heron <giles.heron@gmail.com> Wed, 18 February 2015 15:18 UTC

Return-Path: <giles.heron@gmail.com>
X-Original-To: l2tpext@ietfa.amsl.com
Delivered-To: l2tpext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDAEC1A923D; Wed, 18 Feb 2015 07:18:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1_T6ViYPnZe9; Wed, 18 Feb 2015 07:18:56 -0800 (PST)
Received: from mail-wg0-x22e.google.com (mail-wg0-x22e.google.com [IPv6:2a00:1450:400c:c00::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6ADE1A8952; Wed, 18 Feb 2015 07:18:55 -0800 (PST)
Received: by mail-wg0-f46.google.com with SMTP id a1so1779830wgh.5; Wed, 18 Feb 2015 07:18:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=SCv+dmwOkhN3jk7lZkV4UpmDYRdiPCl1vpa8Mx7XFk8=; b=eSwPA0cNfWTVdX9xHwyk7ewwJc51S1kIJS96hHY5+z7jwtQRUi6Lcc9JhsiS+NCfRG TlQyZB+1nQtQiQEtL4Cahk9tBbwGM8iae8vIkZE9zhopW9F77md4J91//8NMvyPz+oCw 4izStRZx4J8qn3pBKAk2NNmlqybgbqFGSeoVbDceHUBBG1AQoZ/0vHKxEkWPsk2i/AS0 OdYNrRXCIpYC5UBhoTyaSYKwxJgdnbdI8gztzqkR6oHXEtPoeILS0e4e/8pT7qWi5Ypc a+IX1tnWmeMhwcgk9+ZGtbZC3I4EMe3Xj+uJJjePspBZDQHC9G4OKP8zJKNznGPvnZCe B6Cw==
X-Received: by 10.180.91.79 with SMTP id cc15mr6099947wib.52.1424272734281; Wed, 18 Feb 2015 07:18:54 -0800 (PST)
Received: from ams-giheron-8917.cisco.com (173-38-208-170.cisco.com. [173.38.208.170]) by mx.google.com with ESMTPSA id nb9sm20220185wic.3.2015.02.18.07.18.52 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 18 Feb 2015 07:18:53 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Giles Heron <giles.heron@gmail.com>
In-Reply-To: <24947916.dqx4YFu3F7@e7240.linfre>
Date: Wed, 18 Feb 2015 15:18:56 +0000
Content-Transfer-Encoding: quoted-printable
Message-Id: <C787CFA0-ABAF-4687-BECB-9F94B5C7EE3F@gmail.com>
References: <232077E7-7135-41E8-B0DB-C786F8C410CA@employees.org> <1816705.A9t7GNQOdE@linne> <68C9F850-89F5-4759-9FD0-1A00B33DDD46@employees.org> <24947916.dqx4YFu3F7@e7240.linfre>
To: Karsten Thomann <karsten_thomann@linfre.de>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/l2tpext/RpF7Y6RcVUu0jjQJXPA8tbHJctM>
Cc: Ole Troan <otroan@employees.org>, 6man WG <ipv6@ietf.org>, l2tpext@ietf.org, l2tpext-chairs@tools.ietf.org
Subject: Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2tpext-keyed-ipv6-tunnel-01
X-BeenThere: l2tpext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Layer Two Tunneling Protocol Extensions <l2tpext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/l2tpext>, <mailto:l2tpext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/l2tpext/>
List-Post: <mailto:l2tpext@ietf.org>
List-Help: <mailto:l2tpext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l2tpext>, <mailto:l2tpext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Feb 2015 15:19:00 -0000

Hi Karsten,

thanks for your comments.  My apologies for the delay in processing them.

more inline:

On 22 Jan 2015, at 14:50, Karsten Thomann <karsten_thomann@linfre.de> wrote:

> Hi,
>  
> my comments about the draft:
> 1. As far as I know the IETF processes this must be a standards track draft instead of a informational, as it not only simplifies the tunnels like removing the control plane, but uses MUST where the L2TPv3 RFC only set it as optional (e.g. Cookie).

fixed

> 2. In my opinion the terms key, cookie and authentication key for the required 64bit cookie should be cleaned up, as the terms have in some context of the rfc the same meaning

fixed - using cookie everywhere.

> 3. Why is the explicit value for the hop limit mentioned? In my opinion it should be lower, or are there any implementations which really use that value as a default? Should be rewritten to something without a fixed hop limit

fixed.

> 4. Is there any reason to not use src + dst ip for all cases instead to only use it for the case that the local ip is used for more than one tunnel?
> I think every device should know from which IPs it receives packets for a specific local l2tp ip as the cookie must be configured and should be unique per tunnel.

I'm not sure the cookie needs to be unique per tunnel?  The session ID is unique per tunnel/IP address pair.  And in the 1:1 case the session ID is ignored.

> 5. I didn't understand the meaning of the last sentence:
>    o  Payload.  The customer data, with s-tag or s-tag/c-tag removed.
>       As noted above preamble and FCS are stripped before encapsulation.
>       A new FCS will be added at each hop when the IP packet is
>       transmitted.
> 
> There is no relation between the routing of the l2tp packet and the payload FCS, as there is no FCS in the payload.

good catch.  The intent of the section is to show that the original FCS doesn't need to be carried as an FCS is added at each hop.  I've reworded the sentence to reflect that.

> 6. I'm not sure if it should be added to the security considerations section, but in RFC 3931 it is mentioned that there are no checksums for the packets as ipv6 and l2tp have none. I know it was especially mentioned for the control packets, but it also applies to all other packets with payload.

isn't that more of an issue of detecting corrupted packets than a security consideration?  Re detecting corrupted packets we already have two mechanisms:
1) the hop-by-hop FCS
2) the payload's own mechanisms (in general the keyed IP tunnel will be carrying UDP and TCP traffic that has its own checksum).

so I guess the question is whether there's much value in inserting another level of check in between those two (e.g. an end-to-end integrity check for the tunnel itself)?

Giles

>  
> Regards
> 
> Karsten
> 
>  
>  
> Am Dienstag, 13. Januar 2015, 09:59:28 schrieb Ole Troan:
> > Thanks Karsten, I look forward to your review.
> > 
> > Best regards,
> > Ole
> > 
> > > On 12 Jan 2015, at 12:52 , Karsten Thomann <karsten_thomann@linfre.de>
> > > wrote:
> > > 
> > > As Jinmai already wrote, I can volunteer, but only under the same
> > > constrains, as I have no prior experience with reviews.
> > > 
> > > Some comments:
> > > I know it is also written in RFC4719, but why was "or" used at "Ethernet
> > > frame, without the preamble or frame check sequence (FCS)". At the
> > > payload section is "and" used...
> > > "As noted above preamble and FCS are stripped before encapsulation."
> > > 
> > > As already written by Jinmai, the hop limit is with 255 as a default
> > > setting a bit high, a default of 64 should be high enough for nearly all
> > > cases.
> > > 
> > > Kind regards
> > > Karsten
> > > 
> > > Am Dienstag, 6. Januar 2015, 12:14:14 schrieb Ole Troan:
> > > > Hi,
> > > > 
> > > > The chairs of l2tpext have asked for a 6man review of:
> > > > 
> > > > Title: Keyed IPv6 Tunnel
> > > > https://tools.ietf.org/html/draft-ietf-l2tpext-keyed-ipv6-tunnel-01
> > > > 
> > > > Can we get a couple of volunteers please? As well as any other comments
> > > > to
> > > > the lists are welcome of course. Please keep l2tpext@ietf.org in CC.
> > > > 
> > > > Best regards,
> > > > Ole
> > > > 
> > > > --------------------------------------------------------------------
> > > > IETF IPv6 working group mailing list
> > > > ipv6@ietf.org
> > > > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > > > --------------------------------------------------------------------
>  
> _______________________________________________
> L2tpext mailing list
> L2tpext@ietf.org
> https://www.ietf.org/mailman/listinfo/l2tpext

v2.23.0 | Report a Bug | By Email