Re: [L2tpext] Propagating IP/ECN field when L2TP sits between IP as both L2 payload and PSN

Bob Briscoe <ietf@bobbriscoe.net> Thu, 01 June 2017 04:02 UTC

Return-Path: <ietf@bobbriscoe.net>
X-Original-To: l2tpext@ietfa.amsl.com
Delivered-To: l2tpext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08B40126CF9 for <l2tpext@ietfa.amsl.com>; Wed, 31 May 2017 21:02:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bobbriscoe.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7m4RbNdsmtSe for <l2tpext@ietfa.amsl.com>; Wed, 31 May 2017 21:02:02 -0700 (PDT)
Received: from server.dnsblock1.com (server.dnsblock1.com [85.13.236.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF3331267BB for <l2tpext@ietf.org>; Wed, 31 May 2017 21:02:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bobbriscoe.net; s=default; h=Content-Transfer-Encoding:Content-Type: In-Reply-To:MIME-Version:Date:Message-ID:From:References:Cc:To:Subject:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=rDO9tQo+p+byTr70uweL8+J+LklwOZC/+4fqNPwmezI=; b=2xZPZ1Wjpd6lvr3AEi9ax3Y0tl AhskIcD4bmNdXvbNvvXkkomcGISKdoCa9bLYuHyb6Rri+KitKtyFBER8LkLHdOv5T4M6ORY6kkn9P au7qLtmImsSvbzgqfeoz+z2FuU26VWgz0HWc3QnBHD5nqOuBupEjnHlWdpff1Tgs2/v5xLqo2yHiu rZDYr1rlG2/zkYd6IfMMav+7ThTr3QtRlYw/kZHS9UEs0usXLYzTb/jXj08h9mJXcLIWTVzqGGbNp fLshC48DcIdq+PJ2U3JueB1T6BjuT40nlzd7Ao7b5EsReCssewts9Dk39pl0D20cWczdVaiGiJK2+ JO/ZtS8A==;
Received: from [31.185.135.175] (port=55752 helo=[192.168.0.2]) by server.dnsblock1.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89) (envelope-from <ietf@bobbriscoe.net>) id 1dGHJA-00027v-Nn; Thu, 01 Jun 2017 05:02:00 +0100
To: Ignacio Goyret <ignacio.goyret@nokia.com>
Cc: "Black, David" <david.black@emc.com>, l2tp IETF list <l2tpext@ietf.org>
References: <149618019740.19809.6421141487388928973.idtracker@ietfa.amsl.com> <435f45b8-9659-b06f-9adc-415f355ba743@bobbriscoe.net> <e4c97c52-36c9-3091-b005-06ef82ec58e3@bobbriscoe.net> <201705310154.v4V1sYQH013223@cliff.eng.ascend.com> <67456091-a3e0-2db1-5f8a-5210a1f870f1@bobbriscoe.net> <B00A6885-6EB1-4361-8412-C408F23DC5E0@cisco.com> <70866121-f350-d6d2-d89a-89ca1315f5ab@bobbriscoe.net> <201705312359.v4VNxHEU008912@cliff.eng.ascend.com>
From: Bob Briscoe <ietf@bobbriscoe.net>
Message-ID: <096cc75b-0bfd-e2ec-d3a5-6b182040ff5a@bobbriscoe.net>
Date: Thu, 1 Jun 2017 05:02:00 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <201705312359.v4VNxHEU008912@cliff.eng.ascend.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-GB
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.dnsblock1.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - bobbriscoe.net
X-Get-Message-Sender-Via: server.dnsblock1.com: authenticated_id: in@bobbriscoe.net
X-Authenticated-Sender: server.dnsblock1.com: in@bobbriscoe.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/l2tpext/ztuPJwd7JphuvqThE4_MruItpIg>
Subject: Re: [L2tpext] Propagating IP/ECN field when L2TP sits between IP as both L2 payload and PSN
X-BeenThere: l2tpext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Layer Two Tunneling Protocol Extensions <l2tpext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/l2tpext>, <mailto:l2tpext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/l2tpext/>
List-Post: <mailto:l2tpext@ietf.org>
List-Help: <mailto:l2tpext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l2tpext>, <mailto:l2tpext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Jun 2017 04:02:05 -0000

Ignacio,

On 01/06/17 00:55, Ignacio Goyret wrote:
> At 15:11 5/31/2017, Bob Briscoe wrote:
>
>>> I do not understand however why "Update", or what that implies to
>>> a compliant implementation. Many features of L2TP are specified in
>>> various WGs, not "Updating" the base specs.
>>>
>> By my understanding of the word extension, if a implementation that
>> is compliant with RFC3931 does not implement an extension, it is
>> still compliant with RFC3931. Is this how the word "extension" is
>> used in L2TP land?
>>
>> Whereas, if one IP header encapsulates another, if the ECN field
>> were processed in any way other than RFC6040, it would be invalid
>> (unless another RFC were written to update RFC6040). Therefore,
>> whenever L2TP is tunnelling IP in IP, it is mandatory to comply
>> with RFC6040. So I am asking the L2TPext WG for advice on how you
>> guys would make a mandatory update to L2TP, rather than 'just' an
>> optional extension.
> I'm not sure you will get much traction for a "mandatory" update
> because it would immediately invalidate any compliant deployed code
> out there.
I'm not asking for permission to make something mandatory. RFC6040 (or 
its predecessors {Note 1}) is already mandatory.
draft-ietf-tsvwg-rfc6040update-shim is just the "messenger", telling 
L2TP implementers that RFC6040 is already mandatory.

A mandatory update wouldn't invalidate any compliant deployed code, 
because the only way that deployed code could be compliant would be to 
already comply with RFC6040 or its predecessors. There is no other RFC 
that says how to construct an ECN field during tunnelling. The standards 
track predecessors of RFC6040 pre-dated L2TPv3 by 3.5 years. And the 
experimental track predecessor of ECN tunnelling pre-dated L2TPv2.

The ECN field is in the main IP header (v4 and v6). It cannot be 
omitted. When an L2TPv3 implementation creates an outer IP header during 
encap, or forwards an IP header after decap, it has to set the new ECN 
fields to some value. One would hope that an implementer would try to 
find a spec to follow, rather than guessing this value. There is only 
one RFC that says how to construct the ECN field during tunnelling 
(RFC6040 or its predecessors). If an implementer has not complied with 
one of these, she has not complied with the Internet Protocol.

draft-ietf-tsvwg-rfc6040update-shim is not changing the technical effect 
of the ECN tunnelling spec [RFC6040]. All it is really doing is:

a) Typing "Updates: 3931" at the top of a proposed RFC. This would 
ideally have been typed at the top of the original ECN RFC [RFC3168]. 
This flags to L2TP implementers that they need to take note of the 
standards track update to IP tunnelling that happened in 2001. Because, 
like you say, real life dictates there will be some L2TP implementations 
that don't do it right.

b) and helping to do it right, by providing the L2TP negotiation 
machinery (that is also already mandatory for any tunnelling of IP in IP).


{Note 1}: The predecessors of RFC6040 are RFC3168 and RFC4301. They all 
have the same technical effect - the deltas between them  merely altered 
trivia like handling combinations of ECN fields that wouldn't normally 
be expected and other tinkering round the edges.

> This goes back to the question of why negotiate it if it is mandatory.

The standards action that is mandatory is compliance with RFC6040, which 
made it mandatory to negotiate (or use configuration).

Specifically, RFC6040 made it mandatory for a tunnel ingress to check 
for (or be configured for) whether the egress supported ECN decap. In 
the predecessors to RFC6040, negotiation was only specified for IPsec. 
The only other type of tunnel considered was an RFC2003 tunnel, where no 
negotiation of tunnel set up process had been defined, so negotiation 
wasn't discussed for that case.

>
> Real life says that there will be some L2TP deployments that will
> support ECN and some that won't, thus, the negotiation is needed
> to maintain interoperability.
>
> But if the negotiation is required, then this can't be an update
> since it must allow for LCCEs that don't support ECN (which it must,
> because some deployments may choose (or may have to) stay with
> their non-ECN supporting code for a variety of reasons).

As above, the update is to make negotiation mandatory.

I hope this helps clarify.

Cheers



Bob

>
> Yes, I know: it is sort of a circular argument but hopefully you
> see what I mean.
>
> -Ignacio
>

-- 
________________________________________________________________
Bob Briscoe                               http://bobbriscoe.net/