IETF Logo Mail Archive

Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2tpext-keyed-ipv6-tunnel-01

"Carlos Pignataro (cpignata)" <cpignata@cisco.com> Wed, 25 February 2015 03:24 UTC

Return-Path: <cpignata@cisco.com>
X-Original-To: l2tpext@ietfa.amsl.com
Delivered-To: l2tpext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 486791A00C5; Tue, 24 Feb 2015 19:24:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lzIoeOUIGF2S; Tue, 24 Feb 2015 19:24:17 -0800 (PST)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A00541A001D; Tue, 24 Feb 2015 19:24:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=33382; q=dns/txt; s=iport; t=1424834656; x=1426044256; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=VE3F7J6ZvNktcl3PkYGUN4Y+8Wxb88LQYQyp3kW5itU=; b=NZvZTQEwtWZReDwNGYLrJFbVq3/csdKp6LmWDId7n2LiwMb0i6VFNXkb Qpe4bBGUlrIghlW1kXugvXTdXPgYghTNd+ecDNtf21HaWrb16aSeyaR6w GSxo05lmr1789X82HB/z2paq+njNlrOfKxB7m8qqAprZfB8nApxIQTB9j 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BbBQCxP+1U/4cNJK1bgkNDUloEgwS9doIgAQmFJ0kCHIELQwEBAQEBAXyEEAEBBAEBASBLCxACAQg4BwMCAgIfBgsUEQIEDgWIGwMRDbs5k2MNhTEBAQEBAQEBAQEBAQEBAQEBAQEBAQETBIsTgkSCDxcEB4JoL4EUBY1pgXKDYIQfgUaBG4wZgkmDPiKDbm+BRH8BAQE
X-IronPort-AV: E=Sophos;i="5.09,642,1418083200"; d="scan'208,217";a="126661643"
Received: from alln-core-2.cisco.com ([173.36.13.135]) by alln-iport-4.cisco.com with ESMTP; 25 Feb 2015 03:24:15 +0000
Received: from xhc-rcd-x02.cisco.com (xhc-rcd-x02.cisco.com [173.37.183.76]) by alln-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id t1P3OFN6027234 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 25 Feb 2015 03:24:15 GMT
Received: from xmb-aln-x02.cisco.com ([169.254.5.138]) by xhc-rcd-x02.cisco.com ([173.37.183.76]) with mapi id 14.03.0195.001; Tue, 24 Feb 2015 21:24:15 -0600
From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: Giles Heron <giles.heron@gmail.com>
Thread-Topic: [L2tpext] 6MAN cross-wg review: draft-ietf-l2tpext-keyed-ipv6-tunnel-01
Thread-Index: AQHQUD71+esL1IuaBkeo/MNuogpJyZ0BGSYA
Date: Wed, 25 Feb 2015 03:24:14 +0000
Message-ID: <611D19E3-B152-4869-A392-8673D7F677DD@cisco.com>
References: <232077E7-7135-41E8-B0DB-C786F8C410CA@employees.org> <24947916.dqx4YFu3F7@e7240.linfre> <C787CFA0-ABAF-4687-BECB-9F94B5C7EE3F@gmail.com> <1635584.UzB5GEszaB@e7240.linfre> <AB07ECAC-EB12-4679-9927-FCB086C41949@gmail.com>
In-Reply-To: <AB07ECAC-EB12-4679-9927-FCB086C41949@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.82.222.5]
Content-Type: multipart/alternative; boundary="_000_611D19E3B1524869A3928673D7F677DDciscocom_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/l2tpext/wXC8voO35lC645z_5I06KxmWMv4>
Cc: 6man WG <ipv6@ietf.org>, "l2tpext@ietf.org" <l2tpext@ietf.org>, L2TPExt Chairs <l2tpext-chairs@tools.ietf.org>
Subject: Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2tpext-keyed-ipv6-tunnel-01
X-BeenThere: l2tpext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Layer Two Tunneling Protocol Extensions <l2tpext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/l2tpext>, <mailto:l2tpext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/l2tpext/>
List-Post: <mailto:l2tpext@ietf.org>
List-Help: <mailto:l2tpext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l2tpext>, <mailto:l2tpext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Feb 2015 03:24:19 -0000

Hi Giles,

On Feb 24, 2015, at 9:33 AM, Giles Heron <giles.heron@gmail.com<mailto:giles.heron@gmail.com>> wrote:

Hi Karsten,

thanks again for your comments.  Apologies for my slow response - more inline:

On 20 Feb 2015, at 17:03, Karsten Thomann <karsten_thomann@linfre.de<mailto:karsten_thomann@linfre.de>> wrote:

Hi Giles

comments inline.

Am Mittwoch, 18. Februar 2015, 15:18:56 schrieb Giles Heron:
Hi Karsten,

thanks for your comments.  My apologies for the delay in processing them.

more inline:

On 22 Jan 2015, at 14:50, Karsten Thomann <karsten_thomann@linfre.de<mailto:karsten_thomann@linfre.de>> wrote:
Hi,

...
4. Is there any reason to not use src + dst ip for all cases instead to
only use it for the case that the local ip is used for more than one
tunnel? I think every device should know from which IPs it receives
packets for a specific local l2tp ip as the cookie must be configured and
should be unique per tunnel.
I'm not sure the cookie needs to be unique per tunnel?  The session ID is
unique per tunnel/IP address pair.  And in the 1:1 case the session ID is
ignored.
I will try rephrase it in another way, I was thinking about if it is possible to merge section 2 and 4 at chapter 2:
  The IPv6 L2TPv3 tunnel encapsulating device uniquely identifies each
  Ethernet L2 attachment connection by a port ID or a combination of
  port ID and VLAN ID(s) on the access side, and by a Source and Destination
  IPv6 address pair on the network side.

I can't think about a case where this should cause problems, as it won't forbid the use of a single address for multiple tunnels or are there any deployment scenarios where it should be possible to use multiple source IPs to send traffic to a single tunnel?

Agreed, there's no reason to use multiple source IPs to send to a single tunnel.  The canonical use-case for the 4th paragraph of section 2 is where tunnels terminate on loopback or anycast addresses (as discussed in section 3).

However in the case where you terminate a tunnel on a physical port or a port/VLAN performance may be higher if you don't check the remote IP (of course there may be security implications to that - but then we have the 64-bit cookie).

In fact it may be that we should rewrite the 4th paragraph to make it clear that in the loopback/anycast case the local end is identified by the loopback/anycast address and the remote end by the remote IP (as for the port and port/VLAN cases).

6. I'm not sure if it should be added to the security considerations
section, but in RFC 3931 it is mentioned that there are no checksums for
the packets as ipv6 and l2tp have none. I know it was especially
mentioned for the control packets, but it also applies to all other
packets with payload.
isn't that more of an issue of detecting corrupted packets than a security
consideration?  Re detecting corrupted packets we already have two
mechanisms: 1) the hop-by-hop FCS
2) the payload's own mechanisms (in general the keyed IP tunnel will be
carrying UDP and TCP traffic that has its own checksum).

so I guess the question is whether there's much value in inserting another
level of check in between those two (e.g. an end-to-end integrity check for
the tunnel itself)?
As noted I'm really sure if it should be added, I know there was a lenghty diskussion about checksums for some tunnel mechanisms, but not sure if it was mpls over udp or a gre over IPv6 draft...
If no one else is thinking that it should be noted that there is no end to end checksum I'm fine with it.


Yes, there's an option with MPLS PWE to cary the checksum end to end (RFC4720).  I'm not sure if any other tunnelling technologies that do the same.  Certainly we can make FCS retention an option if consensus is that it's a useful option.


L2TPv3 PWs also allow for FCS Retention already:
https://tools.ietf.org/html/rfc4720#section-4

So you can specify it as an option if it makes sense.

Thanks,

— Carlos.

Giles

Regards
Karsten

Giles

Regards

Karsten


_______________________________________________
L2tpext mailing list
L2tpext@ietf.org<mailto:L2tpext@ietf.org>
https://www.ietf.org/mailman/listinfo/l2tpext

v2.23.0 | Report a Bug | By Email