[L2tpext] Comments on draft-ietf-l2tpext-keyed-ipv6-tunnel-01
Qi Sun <sunqi.csnet.thu@gmail.com> Wed, 14 January 2015 16:12 UTC
Return-Path: <sunqi.csnet.thu@gmail.com>
X-Original-To: l2tpext@ietfa.amsl.com
Delivered-To: l2tpext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 812D61A898E for <l2tpext@ietfa.amsl.com>; Wed, 14 Jan 2015 08:12:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sdWZmjeC691v for <l2tpext@ietfa.amsl.com>; Wed, 14 Jan 2015 08:12:41 -0800 (PST)
Received: from mail-we0-x22c.google.com (mail-we0-x22c.google.com [IPv6:2a00:1450:400c:c03::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCE8F1A8BB6 for <l2tpext@ietf.org>; Wed, 14 Jan 2015 08:12:40 -0800 (PST)
Received: by mail-we0-f172.google.com with SMTP id k11so9674993wes.3 for <l2tpext@ietf.org>; Wed, 14 Jan 2015 08:12:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:content-transfer-encoding:subject:date:message-id :cc:to:mime-version; bh=Fg5r9SVR76613m91gq+wduC6eo5AMJCcy4w3CfadEJw=; b=mmYZ/iRBWdhPP3Q2ZzGV0l/UyleTFkYF9YCqokq80v2Dy8GJ7j7kS+S10sOKVG1MeP I9fqFN6KNWiCTyDUR/pUWKbm91ZI35UJIHsRNp5ufaZpwVy+J8O3V2SLjtU1imdC+T64 FZP03oa4kCNj/11KX/apKeAyg2023Hrq2hZL8anErXhfUk5yWbDOmG7z9scCTk9MHLBa tZUhAII/SkLoOhA0Lx1y0IiunzBqVs3/tc6je0a2UDv80i05+D3+a1BkanOpderaizjJ rhP4P6IvATq8ECUixIEQNhO9iwKgNVj+H6x0rs72uzPGYosELQH/ZnmDqsxNPHB/7U1u KJQw==
X-Received: by 10.194.235.165 with SMTP id un5mr8906293wjc.1.1421251959683; Wed, 14 Jan 2015 08:12:39 -0800 (PST)
Received: from sunqideair.lan ([62.225.30.140]) by mx.google.com with ESMTPSA id fw6sm3961991wib.1.2015.01.14.08.12.37 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 14 Jan 2015 08:12:38 -0800 (PST)
From: Qi Sun <sunqi.csnet.thu@gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 14 Jan 2015 17:12:35 +0100
Message-Id: <243541F0-021D-4EC3-A709-D9FA97150902@gmail.com>
To: l2tpext@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
X-Mailer: Apple Mail (2.1874)
Archived-At: <http://mailarchive.ietf.org/arch/msg/l2tpext/xE4zf9cUmXUxAzaQSFUQ1JjAQl4>
Cc: draft-ietf-l2tpext-keyed-ipv6-tunnel@tools.ietf.org
Subject: [L2tpext] Comments on draft-ietf-l2tpext-keyed-ipv6-tunnel-01
X-BeenThere: l2tpext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Layer Two Tunneling Protocol Extensions <l2tpext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/l2tpext>, <mailto:l2tpext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/l2tpext/>
List-Post: <mailto:l2tpext@ietf.org>
List-Help: <mailto:l2tpext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l2tpext>, <mailto:l2tpext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jan 2015 16:12:46 -0000
Dear WG & authors,
I have reviewed this draft and I think it's very useful, as it greatly simplifies the l2tpv3 tunnels by taking parts from l2tpv3.
Also I have some comments about it. The tricky one would be the intended status of this document. Currently it’s an Informational document, which means it doesn’t change RFC3931. However, there are a number of normative language, which might be confusing.
I’ve made a list of features of the keyed IPv6 tunnel, with some comparison to RFC3931. Please correct me if anything is wrong.
1) Not use L2TPv3 Control Plane defined in RFC3931.
2) A mapping table of v6 address and the port ID.
3) One session per tunnel.
4) The Session ID field is there, but it may be processed. (This is a “MUST" in RFC3931.)
5) Cookie length MUST be 64 (which can be 32-/64-bit in RFC3931).
6) The cookie can be randomly selected, or all ones. (It MUST be configured or signalled with a random value in RFC3931.)
7) Local and remote endpoints SHOULD send different cookie values. The value of the cookie MUST be able to be changed at any time. The receiver must be willing to accept both "old" and "new" cookie values. Cookie values SHOULD be changed periodically.
I think item 4) ~ 7) potentially change the behaviour of LCCE when processing a l2tpv3 (i.e. keyed-v6-tunnel) packet.
Could the wg shed some light on why this document is Informational instead of Standard Track? Thanks!
The other comments are mainly about the technical/editorial content of the draft, detailed as follows.
<comments>
1. Sec 2, para 3
IPv6 address is treated as the IPv6 L2TPv3 tunnel endpoint.
[Qi] How about “… IPv6 address is treated as the identifier of the IPv6 L2TPv3 tunnel endpoint”?
2. Sec 2, para 4
Certain deployment scenarios may require using a single IPv6 address
to identify a tunnel endpoint for many IPv6 L2TPv3 tunnels.
[Qi] s/many/multiple/
3. In Sec 3, the last sentence of this section misses the period at the end.
4. Sec 4
The s-tag (or in the multi-stack access case the s-tag and c-tag)
SHOULD be removed before the packet is encapsulated.
[Qi] Maybe a reference related to “s-tag” and “c-tag” would be helpful here.
5. Sec 4, Session ID
o Session ID. In the "Static 1:1 mapping" case described in
Section 2, the IPv6 address resolves to an L2TPv3 session
immediately, thus the Session ID may be ignored upon receipt. For
compatibility with other tunnel termination platforms supporting
only 2-stage resolution (IPv6 Address + Session ID), this
specification recommends supporting explicit configuration of
Session ID to any value other than zero. For cases where both
tunnel endpoints support one-stage resolution (IPv6 Address only),
this specification recommends setting the Session ID to all ones
for easy identification in case of troubleshooting. The Session
ID of zero MUST NOT be used, as it is reserved for use by L2TP
control messages RFC3931 [RFC3931].
[Qi]
1) Could the authors give the definitions of “2-stage resolution” and “one-stage” resolution?
2) The session ID can be explicitly configured to any value other than zero, or all ones, right? Is there a 3rd type of session ID configuration?
3) The text is a little confused to me. I think that ignoring the Session ID is the behaviour of the receiving device, and setting Session ID is the behaviour of the sending device, right? I would expect it to be explicitly described here.
4) In section 3, it says:
"The cookie MUST be 64-bits
long in order to provide sufficient protection against spoofing and
brute force blind insertion attacks."
However, the text in this section recommends setting the Session ID to all ones. Can the all-ones cookie provide sufficient protection?
6. Sec 6, paragraph 3
…, this document recommends that Ethernet OAM as defined in IEEE
802.1ag [IEEE802.1ag] and/or ITU Y.1731 [Y.1731] is enabled for keyed
IP tunnels.
[Qi]
1) Is the Ethernet OAM method configured per tunnel, or per device?
2) s/this document recommends/ it is RECOMMENDED in this document/ ??
7. Sec 8, para 3
[Qi] This paragraph is taken from the L2TPv3 RFC3931, with the reference to RFC1750 changed to RFC4086 (Note: RFC4086 obsoletes RFC1750).
Should there be a reference to the related section of RFC3931 besides taking text from it?
8. Sec 8, the last para
The L2TPv3 64-bit cookie must not be regarded as a substitute for
security such as that provided by IPsec when operating over an open
or untrusted network where packets may be sniffed, decoded, and
correlated for use in a coordinated attack.
[Qi] s/must not/MUST NOT/ ??
</comments>
Hope that helps.
Best Regards,
Qi Sun