Re: [lisp] LISP Interworking: Proxy Egress Tunnel Routers
Sam Hartman <hartmans-ietf@mit.edu> Mon, 21 September 2009 21:40 UTC
Return-Path: <hartmans@mit.edu>
X-Original-To: lisp@core3.amsl.com
Delivered-To: lisp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 879883A6ABA for <lisp@core3.amsl.com>; Mon, 21 Sep 2009 14:40:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.331
X-Spam-Level:
X-Spam-Status: No, score=-2.331 tagged_above=-999 required=5 tests=[AWL=-0.066, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aIg0G4cfNUJK for <lisp@core3.amsl.com>; Mon, 21 Sep 2009 14:40:08 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) by core3.amsl.com (Postfix) with ESMTP id A05013A68FB for <lisp@ietf.org>; Mon, 21 Sep 2009 14:40:08 -0700 (PDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 0244D413B; Mon, 21 Sep 2009 17:41:08 -0400 (EDT)
To: jnc@mercury.lcs.mit.edu
References: <20090921194205.B23C96BE5F2@mercury.lcs.mit.edu>
From: Sam Hartman <hartmans-ietf@mit.edu>
Date: Mon, 21 Sep 2009 17:41:08 -0400
In-Reply-To: <20090921194205.B23C96BE5F2@mercury.lcs.mit.edu> (Noel Chiappa's message of "Mon\, 21 Sep 2009 15\:42\:05 -0400 \(EDT\)")
Message-ID: <tslk4zsascr.fsf@mit.edu>
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: lisp@ietf.org
Subject: Re: [lisp] LISP Interworking: Proxy Egress Tunnel Routers
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/lisp>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Sep 2009 21:40:09 -0000
>>>>> "Noel" == Noel Chiappa <jnc@mercury.lcs.mit.edu> writes: Noel> If a site can't originate packets from its ITR to non-LISP Noel> destinations (i.e. which will have to be non-wrapped, and Noel> therefore would have to have an EID source address, which Noel> uRPF will block), Depending on where LISP is going to be deployed, URPF may or may not be an issue. Since I still don't understand where we think LISP will be used, I can't evaluate whether this is something we need to solve. Obviously, based on what I'm doing with my implementation, I would not at all be surprised if LISP is deployed in situations where URPF is an issue. Noel> and also don't have access to an ETR, they Noel> _can't_ run LISP. Noel> So merely the existence of ISPs which enforce uRPF is enough Noel> to 'prove' that we needs PETRs, at least as far as the pure Noel> engineering assessment goes. No, I don't think that follows. I think it follows either that 1) You don't get end-to-end addressing talking to non-LISP sites (we probably all think that's not good as an only option) 2) Some box needs to source packets somewhere with your EID. A PETR is more than just some boxes sourcing packets with your EID. It has several properties: * It uses the LISP data encapsulation * It may not be connected with the person providing your EIDs * It's topologically close to you * It uses IP access lists for security Also, I think that showing the engineering requirement for something isn't good enough. We've said that we want LISP to be deployable. If we can't identify deployment incentives for critical parts, that raises a significant red flag in my mind. I actually suspect that once we have a broader idea about LISP deployment, coming up with incentives for PETRs won't be that difficult. However I agree with Robbin that it's a critical question that I'd rather have answered before going down this path. so, I'm finding that for me at least, PETRs are yet another thing that blocks behind understanding security and deployment. (I have not gone into the reasons why I'm concerned about PETRs and security. Basically I want to understand what our DOS prevention model is to understand how much work we need to do to make sure PETRs are not used in mounting DOS attacks.)
- [lisp] LISP Interworking: Proxy Egress Tunnel Rou… Darrel Lewis (darlewis)
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Robin Whittle
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Noel Chiappa
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Robin Whittle
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Noel Chiappa
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Sam Hartman
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Robin Whittle
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Joel M. Halpern
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Sam Hartman
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Noel Chiappa
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Darrel Lewis (darlewis)
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Sam Hartman
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Darrel Lewis (darlewis)
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Noel Chiappa
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… David Meyer
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Sam Hartman
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Sam Hartman
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… David Meyer
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Sam Hartman
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… David Meyer
- [lisp] Mostly pointless argument about V6 transit… Sam Hartman
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Sam Hartman
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Noel Chiappa
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Darrel Lewis (darlewis)
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Darrel Lewis (darlewis)
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Noel Chiappa
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Joel M. Halpern
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Noel Chiappa
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Joel M. Halpern
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Joel M. Halpern
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Dino Farinacci
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Jari Arkko
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Darrel Lewis (darlewis)
- [lisp] LISP Interworking: Proxy Egress Tunnel Rou… Darrel Lewis (darlewis)
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Michael Menth
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Darrel Lewis (darlewis)
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Michael Menth
- Re: [lisp] LISP Interworking: Proxy Egress Tunnel… Darrel Lewis (darlewis)