Re: [lisp] Fwd: Re: Benjamin Kaduk's Discuss on draft-ietf-lisp-rfc6830bis-20: (with DISCUSS and COMMENT)
Dino Farinacci <farinacci@gmail.com> Fri, 28 September 2018 22:57 UTC
Return-Path: <farinacci@gmail.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EB20127148 for <lisp@ietfa.amsl.com>; Fri, 28 Sep 2018 15:57:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AZbepXM0IL_m for <lisp@ietfa.amsl.com>; Fri, 28 Sep 2018 15:57:00 -0700 (PDT)
Received: from mail-pf1-x442.google.com (mail-pf1-x442.google.com [IPv6:2607:f8b0:4864:20::442]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90EC4129C6B for <lisp@ietf.org>; Fri, 28 Sep 2018 15:57:00 -0700 (PDT)
Received: by mail-pf1-x442.google.com with SMTP id d4-v6so5264959pfn.0 for <lisp@ietf.org>; Fri, 28 Sep 2018 15:57:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=/j0LcxUDl6Z03KR6p4mCb6J+JROApzs6mlQTStYBlD0=; b=gH4tMx5kCJIQMk6LYKWlQ+rHndwJo1aSYEdAy4mFaqRD9LB1PUoGGfjUh26cjqFR11 OzlxO28XsNAUONr5wKIliC5Z+gHuX2temaTBoBes+nhdz3SvO+v1263wpsBPvPc0VlhG 9AOxncq37T5jn66wBsVqfLg35sUllj7R52yEMJ9LUzthov5ygyDXUnYDZKJ+QwgFRpzf nZ9wOlaQcU99zgJTIaZDcGrmzfL/5+XUMFJ1S/+x8Bo7kJjUSoA4PqIbhOwnT4e5jG4S qjGZ5VZoyEdFGbLBzOSq9C6FfM3Uv5afL5yke+KiD40xpqHR3RLPsckpy1cSsaYiB3rf o4jA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=/j0LcxUDl6Z03KR6p4mCb6J+JROApzs6mlQTStYBlD0=; b=QJ4UxyIP+GHfg+RwlaotDghHdEUPzavdtrr5i/fWAet7DNy7jbBxXk9lKyFi4tRANv DklLfHYo2zS/oAkCfZtthu3wqeU1FwXV/VQlYkCCEOOjGhzQ38PFmbfXl7Xx2Fm4nLf+ DDW6U9H00K6/kMZwxvWsC0t3eYDzQcWE52+nj4gxx+3lOh5hVhBMeinCo8i5ky9nnoX9 693pN6J8LmgI3Va+WDLD9kC1Z0Sx5SLGG4NYRJyFotCyxkxpVkKpIOfFin4eN8YB3dZ1 1CFqyOzrKVaheshRRcqIY0N1k0OBPt7B+EhXuNQFXFZU3t+dJx7/qu6moLmHUbFjcZhh YHFQ==
X-Gm-Message-State: ABuFfojZ29C23j8DvmUbwRiWa7R53fEFEMZFTaFLwDH7ub1LBdeaYPHW ONLoQnZ+agnzTkLxCQORXAedbTWf
X-Google-Smtp-Source: ACcGV60dkvYRTMoeXfav0ntrAbadXW5kJBWMNKk7+U3wI7fpQ0J/6nKhW5QE/+dGkV2OfscCtcZBPw==
X-Received: by 2002:a17:902:820a:: with SMTP id x10-v6mr627554pln.261.1538175419903; Fri, 28 Sep 2018 15:56:59 -0700 (PDT)
Received: from [10.228.203.131] (72-172-185-190.bayarea.net. [72.172.185.190]) by smtp.gmail.com with ESMTPSA id a11-v6sm3820077pgw.54.2018.09.28.15.56.58 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 28 Sep 2018 15:56:59 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Dino Farinacci <farinacci@gmail.com>
In-Reply-To: <7924707d-e6c5-5080-7586-dcf1f96fed46@joelhalpern.com>
Date: Fri, 28 Sep 2018 15:56:58 -0700
Cc: "lisp@ietf.org" <lisp@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E182230D-2EFA-426B-BC8A-4014A0568668@gmail.com>
References: <20180928220340.GO24695@kduck.kaduk.org> <7924707d-e6c5-5080-7586-dcf1f96fed46@joelhalpern.com>
To: "Joel M. Halpern" <jmh@joelhalpern.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/ZisG1JNRHHt1AElQkcKE0RFYlAk>
Subject: Re: [lisp] Fwd: Re: Benjamin Kaduk's Discuss on draft-ietf-lisp-rfc6830bis-20: (with DISCUSS and COMMENT)
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Sep 2018 22:57:06 -0000
(a) Desirable, because more security is always more desirable. But the choices don’t seem to be comparable. Is “Desirable” more important or more mandatory than “Acceptable”? I would like better clarification what I’m voting for if I choose “acceptable” instead of “desirable”. Dino > On Sep 28, 2018, at 3:38 PM, Joel M. Halpern <jmh@joelhalpern.com> wrote: > > As co-chair, I would like to hear from the working group as to whether making LISP-SEC mandatory to Implement (not Mandatory to Use) for LISP6830bis and 6833bis implementations is > a) desirable > b) acceptable > c) undesirable but livable > d) unacceptable or worse. > > Please, do not just pick a letter. Include explanation of your opinion. > This is not a decision the ADs and Authors can make for the working group. > > Yours, > Joel > > > -------- Forwarded Message -------- > Subject: Re: Benjamin Kaduk's Discuss on draft-ietf-lisp-rfc6830bis-20: (with DISCUSS and COMMENT) > Date: Fri, 28 Sep 2018 17:03:40 -0500 > From: Benjamin Kaduk <kaduk@mit.edu> > To: Joel M. Halpern <jmh@joelhalpern.com> > CC: The IESG <iesg@ietf.org>, draft-ietf-lisp-rfc6830bis@ietf.org, Luigi Iannone <ggx@gigix.net>, lisp-chairs@ietf.org, lisp@ietf.org > > Hi Joel, > > > On Wed, Sep 26, 2018 at 11:53:02PM -0400, Joel M. Halpern wrote: >> Is there text we can add about the scoping that will change your discuss into a series of useful comments? > > I had attempted to structure my Discuss points so that they would either be > useful comments as is, or rendered moot by a reduced scope. I guess I can > try to clarify those below. (To be clear, reducing the scope is only going > to move from "has potentially existentially bad problems" to "has > substantial issues that likely require reengineering to resolve".) > >> If so, Some indication of how you would like that phrased would help us address these. > > I think Ekr's ballot position on 6833bis has a good summary of the > architecture assumptions that the reduced scope allows us to make. > In order to have the document be able to plausibly make those claims, it > looks like we'd need to at least: > (1) update the Abstract/Introduction to clarify that the EID namespace is > only defined within a single administrative domain. > (2) (optionally, if it makes sense) mention in the introduction that this > administrative domain can include transport over other networks in the > same way that a VPN would function[*], without requiring cooperation > from or interaction with the other networks' administrators > (3) remove the "global" text from the EID-to-RLOC Database and Map-Cache > definitions > (4) update the EID-Prefix definition to talk about the local site or > administrative domain's "address allocation authority" > (5) Take a look at the EID definition to consider whether references to "on > the public Internet" are still valid, and the text about assignment > in a hierarchical manner should be revised for the new scope as well. > Likewise for EID-internal structure that is "not visible to the global > routing system" > > (I stopped skimming and looking for problematic text around section 6) > > [*] Ideally this would be done without using the term "VPN" itself, since > I'd like to get a movement going to restrict "VPN" to include > confidentiality (i.e., privacy) protection. "virtual network" or "overlay > network" may or may not be good candidate replacement terms. > >> If not, we seem to have a larger problem. > > Well, we appear to have five ADs that are supporting making LISP-SEC a > normative reference and thus MTI; I don't know if that scale of change > meets your threshold for a "larger problem". > >> Yours, >> Joel >> On 9/26/18 11:44 PM, Benjamin Kaduk wrote: >> > Benjamin Kaduk has entered the following ballot position for >> > draft-ietf-lisp-rfc6830bis-20: Discuss >> > > When responding, please keep the subject line intact and reply to all >> > email addresses included in the To and CC lines. (Feel free to cut this >> > introductory paragraph, however.) >> > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html >> > for more information about IESG DISCUSS and COMMENT positions. >> > > > The document, along with other ballot positions, can be found here: >> > https://datatracker.ietf.org/doc/draft-ietf-lisp-rfc6830bis/ >> > > > > ---------------------------------------------------------------------- >> > DISCUSS: >> > ---------------------------------------------------------------------- >> > > I have grave concerns about the suitability of LISP as a whole, in its >> > present form, for advancement to the Standards-Track. While some of my >> > concerns are not specific to this document, as the core protocol >> > (data-plane) spec, it seems an appropriate place to attach them to. >> > > I am told, out of band, that the intended deployment model is no longer to >> > cover the entire Internet (c.f. the MISSREF-state >> > draft-ietf-lisp-introduction's "with LISP, the dge of the Internet and the >> > core can be logically separated and interconnected by LISP-capable >> > routers", etc.), and that full Internet-scale operation is no longer a >> > goal. However, since that does not seem to be reflected in the current >> > batch of documents up for IESG review, I am forced to ballot on them >> > "as-is", namely as targetting global Internet deployment. The requirements >> > placed on the mapping system are so stringent so as to be arguably >> > unachievable at Internet-scale, though that arguably has more of an >> > interaction with the control-plane than the data-plane. It's still in >> > scope here, though, as part of the overall description of the protocol >> > flow. > > (rendered moot by scope reduction) > >> > There are an almost innumerable number of downgrade attacks possible, and >> > the control-plane and data-plane security mechanisms are not normative >> > dependencies of the current corpus of documents, and as such are not up for >> > consideration as mitigating the security concerns with the core documents. > > The downgrade attacks will probably require some further analysis; LISP-SEC > would protect a lot of the header bits but I think there may be some other > data flows to be looked at. > >> > Section 3 defines the EID-to-RLOC Datbaase: >> > > EID-to-RLOC Database: The EID-to-RLOC Database is a global >> > distributed database that contains all known EID-Prefix-to-RLOC >> > mappings. Each potential ETR typically contains a small piece of >> > the database: the EID-to-RLOC mappings for the EID-Prefixes >> > "behind" the router. These map to one of the router's own >> > globally visible IP addresses. Note that there MAY be transient >> > conditions when the EID-Prefix for the site and Locator-Set for >> > each EID-Prefix may not be the same on all ETRs. This has no >> > negative implications, since a partial set of Locators can be >> > used. >> > > No compelling architecture for a trustworthy global distributed database >> > has been presented that I've seen so far, and LISP relies heavily on the >> > mapping system's database for its functionality. I am concerned that so >> > many requirements are placed on the mapping system so as to be in effect >> > unimplementable, in which case it would seem that the architecture as a >> > whole (that is, for a global Internet-scale system) is not fit for purpose. > > (rendered moot by scope reduction) > >> > Section 4.1's Step (6) only mentions parsing "to check for format >> > validity". I think it is appropriate to mention (and refer to) source >> > authentication checks as well, since bad Map-Reply data can allow all sorts >> > of attacks to occur. > > (not affected by scope reduction) > >> > There are some fairly subtle ordering requirements between the order of >> > entries in Map-Reply messages and the Locator-Status-Bits in data-plane >> > traffic (so that the semantic meaning of the status bits are meaningful), >> > which is only given a minimal treatment in the control-plane document. The >> > need for synchronization in interpreting these bits should be mentioned >> > more prominently in the data-plane document as well. > > (not affected by scope reduction) > >> > > The usage of the Instance ID does not seem to be adequately covered; from >> > what I've been able to pick up so far it seems that both source and >> > destination participants must agree on the meaning of an Instance ID, and >> > the source and destination EIDs must be in the same Instance. This does >> > not seem like it is compatible with Internet scale, especially if there are >> > only 24 usable bits of Instance ID. > > (not affected by scope reduction) > >> > > There seems to be a lot of intra-site synchronization requirements, notably >> > with respect to Map-Version consistency, the contents and ordering of >> > locator sets for EIDs in the site, etc.; the actual hard requirements for >> > synchronization within a site should be clearly called out, ideally in a >> > single location. > > (not affected by scope reduction, since ETRs are affected and not just > Map-Servers) > >> > > The security considerations attempt to defer substantially to the >> > threat-analysis in RFC 7835, which does not really seem like a complete >> > threat analysis and does not provide analysis as to what requirements are >> > placed on the boundaries between the different components of LISP (data >> > plane, control plane, mapping system, various extensions, etc.). The >> > secdir reviewer had some good thoughts in this space. > > (not affected by scope reduction) > >> > > The security considerations throughout the LISP documents place a heavy >> > focus on the risk of over-claiming for routing EID-prefixes. This is a >> > real concern, to be clear, but it should not overshadow the risk of an >> > attacker who is able to move traffic around at will, strip security >> > protections, cause denial of service, alter data-plane payloads, etc. >> > Similarly, this document's security considerations call out denial of >> > service as a risk from Map-Cache insertion/spoofing, but the risks from an >> > attacker being able to read and modify the traffic, perhaps even without >> > detection, seems a much greater threat to me. > > (not affected by scope reduction) > >> > > I am not convinced that this protocol meets the current IETF requirements >> > for the security properties of Standards-Track Protocols without at least >> > LISP-SEC as a mandatory-to-implement component, and possibly additional or >> > stronger requirements. (I did not do a full analysis of the system in the >> > presence of those security mechanisms, since that is not what is being >> > presented for review.) > > (noting that LISP-SEC needs to be MTI and analysis performed under the new > assumptions) > >> > Having an EID that is associated to user-correlatable devices has severe >> > privacy considerations, but I could not find this mentioned anywhere in all >> > of the LISP documents I've read so far. > > (not affected by scope reduction) > > -Benjamin > >> > > > ---------------------------------------------------------------------- >> > COMMENT: >> > ---------------------------------------------------------------------- >> > > I apologize for the somewhat scattered nature of these comments; there are >> > a lot of them and I was focusing my time more on trying to understand the >> > broader system, and the intended security posture, so they did not get as >> > much clean-up as I would have liked. (Most of my review was performed on the >> > -18, though I have tried to update to the -20 as relevant.) >> > > > The instance ID provides for organizational correlation, another privacy >> > exposure. >> > > Is there anything different between an "EID-to-RLOC Map-Request" and just a >> > "Map-Request"? (Same question for "Map-Reply", too.) >> > > There's a lot of stuff that seems to work best if there is symmetric >> > bidirectional traffic, with inline signalling of map version and >> > reachability changes, though clearly everything is designed to also work >> > with asymmetric connectivity or unidirectional traffic. It would be nice >> > to have a high-level summary in or near the introduction about what kinds >> > of behavior/performance differences are expected for bidirectional vs. >> > unidirectional traffic. >> > > Section 2 >> > > That's not the 8174 boilerplate; it's more than just adding a cite to the >> > 2119 boilerplate. >> > > Section 3 >> > > nit: "An address family that pertains to the Data-Plane." is a sentence >> > fragment. >> > > Ingress Tunnel Router (ITR): An ITR is a router that resides in a >> > [...] >> > mapping lookup in the destination address field. Note that this >> > destination RLOC MAY be an intermediate, proxy device that has >> > better knowledge of the EID-to-RLOC mapping closer to the >> > > This doesn't seem like a 2119 MAY is necessary, but rather a statement of >> > fact that may not be known to the encapsulating ITR. >> > > Specifically, when a service provider prepends a LISP header for >> > Traffic Engineering purposes, the router that does this is also >> > regarded as an ITR. The outer RLOC the ISP ITR uses can be based >> > on the outer destination address (the originating ITR's supplied >> > RLOC) or the inner destination address (the originating host's >> > supplied EID). >> > > I'm confused here, perhaps in multiple ways. Are there now *two* LISP >> > headers on the packet? Is the "outer RLOC the ISP ITR uses" the source >> > RLOC or the destination RLOC? >> > > Negative Mapping Entry: A negative mapping entry, also known as a >> > negative cache entry, is an EID-to-RLOC entry where an EID-Prefix >> > is advertised or stored with no RLOCs. That is, the Locator-Set >> > for the EID-to-RLOC entry is empty or has an encoded Locator count >> > of 0. >> > > Is "empty" a distinct representation from "locator count of zero"? >> > > Perhaps something of an aside, but the check described for >> > Route-Returnability is a somewhat weak check, and in some cases could still >> > be spoofed. (I don't expect this to surprise anyone, of course, but >> > perhaps some more qualifiers could be added to the text.) >> > > Section 4 >> > > An additional LISP header MAY be prepended to packets by a TE-ITR >> > when re-routing of the path for a packet is desired. A potential >> > use-case for this would be an ISP router that needs to perform >> > Traffic Engineering for packets flowing through its network. In such >> > a situation, termed "Recursive Tunneling", an ISP transit acts as an >> > additional ITR, and the RLOC it uses for the new prepended header >> > would be either a TE-ETR within the ISP (along an intra-ISP traffic >> > engineered path) or a TE-ETR within another ISP (an inter-ISP traffic >> > engineered path, where an agreement to build such a path exists). >> > > "the RLOC it uses for the new prepnded header", again, this is as the >> > destination RLOC (vs. source RLOC)? >> > > Section 4.1 >> > > o Map-Replies are sent on the underlying routing system topology >> > using the [I-D.ietf-lisp-rfc6833bis] Control-Plane protocol. >> > > Just to check my understanding: is the "underlying routing system topology" >> > the same as the "underlay"? >> > > Is step (3) just describing more of what step (2) says is "not described in >> > this example"? >> > > Section 5.3 >> > > The word "nonce" is normally used for something used exactly once. >> > E.g., with some AEAD algorithms, if the same "nonce" input is used for >> > different encryptions, the entire security of the system is compromised. >> > It would be better to refer to this field with a different term, given >> > that "the same nonce can be used for a period of time when encapsulating to >> > the same ETR". "Uniquifier" or "random value" might be reasonable choices. >> > > Why is there no discussion of the Map-Version or Instance-ID fields >> > in this section? >> > > When doing ETR/PETR decapsulation: >> > > o The inner-header 'Time to Live' field (or 'Hop Limit' field, in >> > the case of IPv6) SHOULD be copied from the outer-header 'Time to >> > Live' field, when the Time to Live value of the outer header is >> > less than the Time to Live value of the inner header. Failing to >> > perform this check can cause the Time to Live of the inner header >> > to increment across encapsulation/decapsulation cycles. This >> > check is also performed when doing initial encapsulation, when a >> > packet comes to an ITR or PITR destined for a LISP site. >> > > Er, what is "this check" that is also performed for initial encapsulation? >> > How are there multiple TTL values to compare? >> > > o The inner-header 'Differentiated Services Code Point' (DSCP) field >> > (or the 'Traffic Class' field, in the case of IPv6) SHOULD be >> > copied from the outer-header DSCP field ('Traffic Class' field, in >> > the case of IPv6) to the inner-header. >> > > nit: the first "inner-header" seems like an editing remnant? >> > > Section 7.1 >> > > How is this stateless if it invovles knowledge about the routers between >> > the ITR and all possible ETRs (i.e., a set that could change over time)? >> > > Section 8 >> > > This 32-bit vs 24-bit thing is pretty hokey for a standards-track >> > specification (yes, I know that LISP-DDT is not standards track at the >> > moment). >> > > Section 9 >> > > Alternatively, RLOC information MAY be gleaned from received tunneled >> > > What is this an alternative to? The list of four options above? >> > > packets or EID-to-RLOC Map-Request messages. A "gleaned" Map-Cache >> > entry, one learned from the source RLOC of a received encapsulated >> > packet, is only stored and used for a few seconds, pending >> > verification. Verification is performed by sending a Map-Request to >> > the source EID (the inner-header IP source address) of the received >> > encapsulated packet. >> > > The source EID is some random end system, right? So this relys on some >> > magic in the ETR to detect that there's a Map-Request and reply directly >> > instead of passing it on to the EID that won't know what to do with it? >> > > Talking about the "R-bit" of the Map-Reply" is detail from 6833bis and >> > might benefit from an explicit section reference to the other document. >> > > Section 10 >> > > What is the "CE" of "CE-based ITRs"? Presumably Customer Edge, but it >> > is not marked as well-known at >> > https://www.rfc-editor.org/materials/abbrev.expansion.txt so expansion is >> > probably in order. >> > > Again, when we are talking about the internal structure of the Map-Reply, a >> > detailed section refernce to 6833bis is useful. >> > > Modifying LSBs seems like a fine DoS attack vector for an on-path attacker. >> > > value of 1. Locator-Status-Bits are associated with a Locator-Set >> > per EID-Prefix. Therefore, when a Locator becomes unreachable, the >> > Locator-Status-Bit that corresponds to that Locator's position in the >> > list returned by the last Map-Reply will be set to zero for that >> > particular EID-Prefix >> > > Doesn't this imply a stateful relationship between the ordering of >> > Map-Replys and data-plane traffic? >> > > Section 10.1 >> > > Note that "ITR" and "ETR" are relative terms here. Both devices MUST >> > be implementing both ITR and ETR functionality for the echo nonce >> > mechanism to operate. >> > > Perhaps they could be given actual names so as to disambiguate which steps >> > are performed with ITR vs. ETR role? >> > > The echo-nonce algorithm is bilateral. That is, if one side sets the >> > E-bit and the other side is not enabled for echo-noncing, then the >> > echoing of the nonce does not occur and the requesting side may >> > erroneously consider the Locator unreachable. An ITR SHOULD only set >> > the E-bit in an encapsulated data packet when it knows the ETR is >> > enabled for echo-noncing. This is conveyed by the E-bit in the RLOC- >> > probe Map-Reply message. >> > > Why is this even optional? If it was mandatory to use, then there would >> > not be a question. But at least clarify that the "this" that is conveyed >> > is whether the peer supports the echo-nonce algorithm. (Also, subject to >> > downgrade.) >> > > Section 13 >> > > When a Locator record is removed from a Locator-Set, ITRs that have >> > the mapping cached will not use the removed Locator because the xTRs >> > will set the Locator-Status-Bit to 0. So, even if the Locator is in >> > the list, it will not be used. For new mapping requests, the xTRs >> > can set the Locator AFI to 0 (indicating an unspecified address), as >> > well as setting the corresponding Locator-Status-Bit to 0. This >> > forces ITRs with old or new mappings to avoid using the removed >> > Locator. >> > > The behavior describe here seems like it would be better described as "when >> > a Locator is taken out of service" than "removed from a Locator-Set", since >> > if it is not in the set at all, it has no index, and no LSB or AFI to set. >> > Should actually depopulating it like this be forbidden? >> > > I guess the Map Versioning is supposed to help with this, but we need to >> > nail down the semantics more and/or give a clearer reference to it. >> > > Section 13.1 >> > > An ITR, when it encapsulates packets to ETRs, can convey its own Map- >> > Version Number. This is known as the Source Map-Version Number. >> > > Replacing "its own Map-Version Number" with something like "the Map-Version >> > numer for the LISP site of which it is a part". Writing this causes me to >> > note that the semantics of the Map-Version are unclear, here -- what is it >> > scoped to? An EID-Prefix? An RLOC? Oh, you say that in the next >> > paragraph (EID-Prefix). >> > > A Map-Version Number can be included in Map-Register messages as >> > well. This is a good way for the Map-Server to assure that all ETRs >> > for a site registering to it will be synchronized according to Map- >> > Version Number. >> > > Huh? I must be confused how this works. (Also, wouldn't this be better in >> > the control plane document which covers Map-Register?) >> > > Section 15 >> > > o When a tunnel-encapsulated packet is received by an ETR, the outer >> > destination address may not be the address of the router. This >> > makes it challenging for the control plane to get packets from the >> > hardware. This may be mitigated by creating special Forwarding >> > Information Base (FIB) entries for the EID-Prefixes of EIDs served >> > by the ETR (those for which the router provides an RLOC >> > translation). These FIB entries are marked with a flag indicating >> > that Control-Plane processing SHOULD be performed. >> > > I assume this is just my lack of background showing, but I'm confused how >> > it makes sense to mark these for control-plane processing. Isn't the >> > control plane much slower, and we're not putting all of the LISP data-plane >> > traffic onto the slow path? >> > > Section 18 >> > > o Data-Plane gleaning for creating map-cache entries has been made >> > optional. If any ITR implementations depend or assume the remote >> > ETR is gleaning should not do so. >> > > nit: this is ungrammatical; "they should not" or "Any ITR implementations >> > that depend on or assume that" would fix it. >> > > Section 19.1 >> > > Presumably IANA also updated the reference column to point to this >> > document? >> > > > > > _______________________________________________ > lisp mailing list > lisp@ietf.org > https://www.ietf.org/mailman/listinfo/lisp
- [lisp] Benjamin Kaduk's Discuss on draft-ietf-lis… Benjamin Kaduk
- Re: [lisp] Benjamin Kaduk's Discuss on draft-ietf… Joel M. Halpern
- Re: [lisp] Benjamin Kaduk's Discuss on draft-ietf… Dino Farinacci
- Re: [lisp] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- [lisp] Fwd: Re: Benjamin Kaduk's Discuss on draft… Joel M. Halpern
- Re: [lisp] Benjamin Kaduk's Discuss on draft-ietf… Joel M. Halpern
- Re: [lisp] Benjamin Kaduk's Discuss on draft-ietf… Fabio Maino
- Re: [lisp] Benjamin Kaduk's Discuss on draft-ietf… Fabio Maino
- Re: [lisp] Fwd: Re: Benjamin Kaduk's Discuss on d… Dino Farinacci
- Re: [lisp] Fwd: Re: Benjamin Kaduk's Discuss on d… Fabio Maino
- Re: [lisp] Fwd: Re: Benjamin Kaduk's Discuss on d… Dino Farinacci
- Re: [lisp] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [lisp] Fwd: Re: Benjamin Kaduk's Discuss on d… Joel Halpern Direct
- Re: [lisp] Benjamin Kaduk's Discuss on draft-ietf… Dino Farinacci
- Re: [lisp] Fwd: Re: Benjamin Kaduk's Discuss on d… Vina Ermagan (vermagan)
- Re: [lisp] Fwd: Re: Benjamin Kaduk's Discuss on d… Alberto Rodriguez-Natal
- [lisp] Making LISP-SEC mandatory to implement Joel Halpern