Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2tpext-keyed-ipv6-tunnel-01
Giles Heron <giles.heron@gmail.com> Tue, 24 February 2015 14:34 UTC
Return-Path: <giles.heron@gmail.com>
X-Original-To: l2tpext@ietfa.amsl.com
Delivered-To: l2tpext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D31581A06E9; Tue, 24 Feb 2015 06:34:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lvRcdY89g5UC; Tue, 24 Feb 2015 06:34:04 -0800 (PST)
Received: from mail-wi0-x231.google.com (mail-wi0-x231.google.com [IPv6:2a00:1450:400c:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02E741A0203; Tue, 24 Feb 2015 06:34:04 -0800 (PST)
Received: by mail-wi0-f177.google.com with SMTP id bs8so25607187wib.4; Tue, 24 Feb 2015 06:34:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=XtPRIPpEMZuzpQCWQXI+dELN9YUXF4ij3Ubq5zNVMrg=; b=0z9uTLve26AbwGpK3U69zpi3yTwA3msORgo70c8D9AY6ocIYRzhmW0prNvqqmMPK89 npApPakH6KGkvpbr+pjzQEzl9xauWOBJ5cOedwEUqLKXMMbTJl2ae02k04cA1NFmp0Sq eQojiF198KL0Vxje9tZY3XFRlJbAfuL8NZ7WxN+CF1SAUSVpReW54A5DQxMuFueg1u4P 3CfUOeTu9IWvXXTIx0LLkki5GTnrVl2A3uVz2RMPwDXx8Lo1Wp8I4SI+spYRhyjuibIg sRScvvxtmoVuwugBf2kpkhlw2BgirHwhwXpfbolHDfhMTal7WPsW1gI2HXk99UDo7dfR 7U8w==
X-Received: by 10.180.20.52 with SMTP id k20mr30911993wie.15.1424788442773; Tue, 24 Feb 2015 06:34:02 -0800 (PST)
Received: from ams-giheron-89111.cisco.com (173-38-208-169.cisco.com. [173.38.208.169]) by mx.google.com with ESMTPSA id bd3sm13245410wib.17.2015.02.24.06.34.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 24 Feb 2015 06:34:01 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Giles Heron <giles.heron@gmail.com>
In-Reply-To: <1635584.UzB5GEszaB@e7240.linfre>
Date: Tue, 24 Feb 2015 14:33:59 +0000
Content-Transfer-Encoding: quoted-printable
Message-Id: <AB07ECAC-EB12-4679-9927-FCB086C41949@gmail.com>
References: <232077E7-7135-41E8-B0DB-C786F8C410CA@employees.org> <24947916.dqx4YFu3F7@e7240.linfre> <C787CFA0-ABAF-4687-BECB-9F94B5C7EE3F@gmail.com> <1635584.UzB5GEszaB@e7240.linfre>
To: Karsten Thomann <karsten_thomann@linfre.de>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/l2tpext/zlCO6OyqE4IV4jL17FjJdjvYC6M>
Cc: 6man WG <ipv6@ietf.org>, l2tpext@ietf.org, L2TPExt Chairs <l2tpext-chairs@tools.ietf.org>
Subject: Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2tpext-keyed-ipv6-tunnel-01
X-BeenThere: l2tpext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Layer Two Tunneling Protocol Extensions <l2tpext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/l2tpext>, <mailto:l2tpext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/l2tpext/>
List-Post: <mailto:l2tpext@ietf.org>
List-Help: <mailto:l2tpext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l2tpext>, <mailto:l2tpext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Feb 2015 14:34:06 -0000
Hi Karsten, thanks again for your comments. Apologies for my slow response - more inline: On 20 Feb 2015, at 17:03, Karsten Thomann <karsten_thomann@linfre.de> wrote: > Hi Giles > > comments inline. > > Am Mittwoch, 18. Februar 2015, 15:18:56 schrieb Giles Heron: > > Hi Karsten, > > > > thanks for your comments. My apologies for the delay in processing them. > > > > more inline: > > > > On 22 Jan 2015, at 14:50, Karsten Thomann <karsten_thomann@linfre.de> wrote: > > > Hi, > > > > ... > > > 4. Is there any reason to not use src + dst ip for all cases instead to > > > only use it for the case that the local ip is used for more than one > > > tunnel? I think every device should know from which IPs it receives > > > packets for a specific local l2tp ip as the cookie must be configured and > > > should be unique per tunnel. > > I'm not sure the cookie needs to be unique per tunnel? The session ID is > > unique per tunnel/IP address pair. And in the 1:1 case the session ID is > > ignored. > I will try rephrase it in another way, I was thinking about if it is possible to merge section 2 and 4 at chapter 2: > The IPv6 L2TPv3 tunnel encapsulating device uniquely identifies each > Ethernet L2 attachment connection by a port ID or a combination of > port ID and VLAN ID(s) on the access side, and by a Source and Destination > IPv6 address pair on the network side. > > I can't think about a case where this should cause problems, as it won't forbid the use of a single address for multiple tunnels or are there any deployment scenarios where it should be possible to use multiple source IPs to send traffic to a single tunnel? Agreed, there's no reason to use multiple source IPs to send to a single tunnel. The canonical use-case for the 4th paragraph of section 2 is where tunnels terminate on loopback or anycast addresses (as discussed in section 3). However in the case where you terminate a tunnel on a physical port or a port/VLAN performance may be higher if you don't check the remote IP (of course there may be security implications to that - but then we have the 64-bit cookie). In fact it may be that we should rewrite the 4th paragraph to make it clear that in the loopback/anycast case the local end is identified by the loopback/anycast address and the remote end by the remote IP (as for the port and port/VLAN cases). > > > 6. I'm not sure if it should be added to the security considerations > > > section, but in RFC 3931 it is mentioned that there are no checksums for > > > the packets as ipv6 and l2tp have none. I know it was especially > > > mentioned for the control packets, but it also applies to all other > > > packets with payload. > > isn't that more of an issue of detecting corrupted packets than a security > > consideration? Re detecting corrupted packets we already have two > > mechanisms: 1) the hop-by-hop FCS > > 2) the payload's own mechanisms (in general the keyed IP tunnel will be > > carrying UDP and TCP traffic that has its own checksum). > > > > so I guess the question is whether there's much value in inserting another > > level of check in between those two (e.g. an end-to-end integrity check for > > the tunnel itself)? > As noted I'm really sure if it should be added, I know there was a lenghty diskussion about checksums for some tunnel mechanisms, but not sure if it was mpls over udp or a gre over IPv6 draft... > If no one else is thinking that it should be noted that there is no end to end checksum I'm fine with it. > Yes, there's an option with MPLS PWE to cary the checksum end to end (RFC4720). I'm not sure if any other tunnelling technologies that do the same. Certainly we can make FCS retention an option if consensus is that it's a useful option. Giles > Regards > Karsten > > > Giles > > > > > Regards > > > > > > Karsten > > >
- [L2tpext] 6MAN cross-wg review: draft-ietf-l2tpex… Ole Troan
- Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2… 神明達哉
- Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2… Karsten Thomann
- Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2… Ole Troan
- Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2… Karsten Thomann
- Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2… Giles Heron
- Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2… Karsten Thomann
- Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2… Giles Heron
- Re: [L2tpext] 6MAN cross-wg review: draft-ietf-l2… Carlos Pignataro (cpignata)