Re: [L2tpext] Comments on draft-ietf-l2tpext-keyed-ipv6-tunnel-01
Giles Heron <giles.heron@gmail.com> Wed, 18 February 2015 15:21 UTC
Return-Path: <giles.heron@gmail.com>
X-Original-To: l2tpext@ietfa.amsl.com
Delivered-To: l2tpext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D1C91A923D for <l2tpext@ietfa.amsl.com>; Wed, 18 Feb 2015 07:21:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O72rSe-dPxTo for <l2tpext@ietfa.amsl.com>; Wed, 18 Feb 2015 07:21:00 -0800 (PST)
Received: from mail-wi0-x22a.google.com (mail-wi0-x22a.google.com [IPv6:2a00:1450:400c:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24B301A89EB for <l2tpext@ietf.org>; Wed, 18 Feb 2015 07:21:00 -0800 (PST)
Received: by mail-wi0-f170.google.com with SMTP id hi2so39644907wib.1 for <l2tpext@ietf.org>; Wed, 18 Feb 2015 07:20:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=ldg6PMlZPNZiLkO3S+C+gNxqhhM4rjS5bTwTHKS5QQ0=; b=iMBdRVaVtKqBHtWngEJIodRAc7bV6vc1lEDvo2u5mHspRV0WbR08Vmpv9RLkOHNBn1 kpDD3GmPCGUsOe/nnR0qJyi3ifmmWZ0fUY0m1tRSZME8DNIj8KdWffoo8sYAoipk1d1q vIR4X/XvApFmYv42AtIiKL8cQmesjxyQC8oWj6O5k/18wwQrUHl9uaVLSIIX/6k2zogp w2F1rX8sErcCBMpiWrq1cooGqr/xeW1coYmxtAt6wgNjuXHfdbecKoSprPtLjRMPQ3Ge I2EtlW0qoo8usddIGPk2AZCgTQoSJMBgmKYemBobGRHg+wOw3pa+FL1pZvl16vAPc9qN ZElA==
X-Received: by 10.180.87.165 with SMTP id az5mr5907633wib.29.1424272858474; Wed, 18 Feb 2015 07:20:58 -0800 (PST)
Received: from ams-giheron-8917.cisco.com (173-38-208-169.cisco.com. [173.38.208.169]) by mx.google.com with ESMTPSA id jg3sm29924573wid.0.2015.02.18.07.20.57 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 18 Feb 2015 07:20:57 -0800 (PST)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Giles Heron <giles.heron@gmail.com>
In-Reply-To: <243541F0-021D-4EC3-A709-D9FA97150902@gmail.com>
Date: Wed, 18 Feb 2015 15:21:01 +0000
Content-Transfer-Encoding: quoted-printable
Message-Id: <F5B49DAD-E3C2-4AE6-9E5F-F868B188195D@gmail.com>
References: <243541F0-021D-4EC3-A709-D9FA97150902@gmail.com>
To: Qi Sun <sunqi.csnet.thu@gmail.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/l2tpext/XFQgBGCO4UbSdmTwJNxm5cYs_Qc>
Cc: draft-ietf-l2tpext-keyed-ipv6-tunnel@tools.ietf.org, l2tpext@ietf.org
Subject: Re: [L2tpext] Comments on draft-ietf-l2tpext-keyed-ipv6-tunnel-01
X-BeenThere: l2tpext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Layer Two Tunneling Protocol Extensions <l2tpext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/l2tpext>, <mailto:l2tpext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/l2tpext/>
List-Post: <mailto:l2tpext@ietf.org>
List-Help: <mailto:l2tpext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l2tpext>, <mailto:l2tpext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Feb 2015 15:21:03 -0000
Hi Qi Sun, thanks for your comments! my feedback inline: On 14 Jan 2015, at 16:12, Qi Sun <sunqi.csnet.thu@gmail.com> wrote: > Dear WG & authors, > > I have reviewed this draft and I think it's very useful, as it greatly simplifies the l2tpv3 tunnels by taking parts from l2tpv3. > > Also I have some comments about it. The tricky one would be the intended status of this document. Currently it’s an Informational document, which means it doesn’t change RFC3931. However, there are a number of normative language, which might be confusing. > yes - the new version is standards track. > I’ve made a list of features of the keyed IPv6 tunnel, with some comparison to RFC3931. Please correct me if anything is wrong. > 1) Not use L2TPv3 Control Plane defined in RFC3931. yes. > 2) A mapping table of v6 address and the port ID. yes - each v6 address corresponds to a local port or port/VLAN. > 3) One session per tunnel. yes. > 4) The Session ID field is there, but it may be processed. (This is a “MUST" in RFC3931.) So we distinguish two cases: a) implementation of this draft at both ends - in which case the session ID may be ignored (and we recommend setting it to all ones). b) interoperability between this draft and existing implementations which require a session ID (which is therefore configured to a fixed value). > 5) Cookie length MUST be 64 (which can be 32-/64-bit in RFC3931). Yes. > 6) The cookie can be randomly selected, or all ones. (It MUST be configured or signalled with a random value in RFC3931.) No. The draft says it SHOULD be randomly selected but that it MUST be checked. I guess the difference here is that we're mandating a 64 bit cookie, whereas RFC3931 has an optional cookie which may be 32 or 64 bits. So the question may be whether there are platforms that are unable to create a random value? (I'm certainly not qualified to debate what is "random" here). > 7) Local and remote endpoints SHOULD send different cookie values. The value of the cookie MUST be able to be changed at any time. The receiver must be willing to accept both "old" and "new" cookie values. Cookie values SHOULD be changed periodically. > > I think item 4) ~ 7) potentially change the behaviour of LCCE when processing a l2tpv3 (i.e. keyed-v6-tunnel) packet. Agreed. Which is why the draft says it is "based" on L2TPv3. However, as the draft also states, we need to be able to interoperate with existing implementations. I guess one caveat to that is that the draft will only interoperate with an LCCE that supports the 64 bit cookie. I've added a paragraph to that effect. > Could the wg shed some light on why this document is Informational instead of Standard Track? Thanks! that has been fixed now :) > The other comments are mainly about the technical/editorial content of the draft, detailed as follows. > <comments> > 1. Sec 2, para 3 > IPv6 address is treated as the IPv6 L2TPv3 tunnel endpoint. > > [Qi] How about “… IPv6 address is treated as the identifier of the IPv6 L2TPv3 tunnel endpoint”? fixed. > 2. Sec 2, para 4 > Certain deployment scenarios may require using a single IPv6 address > to identify a tunnel endpoint for many IPv6 L2TPv3 tunnels. > [Qi] s/many/multiple/ fixed. > 3. In Sec 3, the last sentence of this section misses the period at the end. fixed. > 4. Sec 4 > The s-tag (or in the multi-stack access case the s-tag and c-tag) > SHOULD be removed before the packet is encapsulated. > [Qi] Maybe a reference related to “s-tag” and “c-tag” would be helpful here. I've changed that throughout S-tag and C-tag (and have aligned section 2 with that also). I've also made changes so that the draft says tag instead of S-tag when discussing a single-tagged frame (as that VID may in fact be a C-tag) and have made it clear that it's only "service-delimiting" tags that are stripped at ingress. have also added refs to 802.1Q/802.1ad. > 5. Sec 4, Session ID > o Session ID. In the "Static 1:1 mapping" case described in > Section 2, the IPv6 address resolves to an L2TPv3 session > immediately, thus the Session ID may be ignored upon receipt. For > compatibility with other tunnel termination platforms supporting > only 2-stage resolution (IPv6 Address + Session ID), this > specification recommends supporting explicit configuration of > Session ID to any value other than zero. For cases where both > tunnel endpoints support one-stage resolution (IPv6 Address only), > this specification recommends setting the Session ID to all ones > for easy identification in case of troubleshooting. The Session > ID of zero MUST NOT be used, as it is reserved for use by L2TP > control messages RFC3931 [RFC3931]. > [Qi] > 1) Could the authors give the definitions of “2-stage resolution” and “one-stage” resolution? didn't we already do that? "2-stage" (now changed to "two-stage") is IPv6 address + Session ID and "one-stage" is IPv6 Address only. > 2) The session ID can be explicitly configured to any value other than zero, or all ones, right? Is there a 3rd type of session ID configuration? no - just those two, since the first is for two-stage and the second for one-stage. > 3) The text is a little confused to me. I think that ignoring the Session ID is the behaviour of the receiving device, and setting Session ID is the behaviour of the sending device, right? I would expect it to be explicitly described here. yes, but surely that's obvious? It's pretty hard for a sending device to ignore session ID or for a receiving device to set it ;) > 4) In section 3, it says: > "The cookie MUST be 64-bits > long in order to provide sufficient protection against spoofing and > brute force blind insertion attacks." > However, the text in this section recommends setting the Session ID to all ones. Can the all-ones cookie provide sufficient protection? are you confusing the session ID and the cookie? > 6. Sec 6, paragraph 3 > …, this document recommends that Ethernet OAM as defined in IEEE > 802.1ag [IEEE802.1ag] and/or ITU Y.1731 [Y.1731] is enabled for keyed > IP tunnels. > [Qi] > 1) Is the Ethernet OAM method configured per tunnel, or per device? configuration would be per tunnel I think, as we can't assume that all remote devices support E-OAM. > 2) s/this document recommends/ it is RECOMMENDED in this document/ ?? hmmm - I'm not sure. I think recommends is better as RFC2119 language is about ensuring interoperable implementations etc. I don't think that applies here. > 7. Sec 8, para 3 > [Qi] This paragraph is taken from the L2TPv3 RFC3931, with the reference to RFC1750 changed to RFC4086 (Note: RFC4086 obsoletes RFC1750). > Should there be a reference to the related section of RFC3931 besides taking text from it? Yes - in fact I think it's better just to refer to RFC3931 rather than duplicating text. So I've done that. > 8. Sec 8, the last para > The L2TPv3 64-bit cookie must not be regarded as a substitute for > security such as that provided by IPsec when operating over an open > or untrusted network where packets may be sniffed, decoded, and > correlated for use in a coordinated attack. > [Qi] s/must not/MUST NOT/ ?? again that's not about interop so I think it's better not to use RFC2119 language. > </comments> > > Hope that helps. yes - great comments. Thanks! Giles > Best Regards, > Qi Sun > > > _______________________________________________ > L2tpext mailing list > L2tpext@ietf.org > https://www.ietf.org/mailman/listinfo/l2tpext