IETF Logo Mail Archive

Re: [manet-dlep-rg] DLEP multicast address

"Stan Ratliff (sratliff)" <sratliff@cisco.com> Thu, 21 November 2013 19:47 UTC

Return-Path: <sratliff@cisco.com>
X-Original-To: manet-dlep-rg@ietfa.amsl.com
Delivered-To: manet-dlep-rg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D18E1AE280 for <manet-dlep-rg@ietfa.amsl.com>; Thu, 21 Nov 2013 11:47:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.026
X-Spam-Level:
X-Spam-Status: No, score=-15.026 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.525, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yRy4djd6CeOB for <manet-dlep-rg@ietfa.amsl.com>; Thu, 21 Nov 2013 11:47:19 -0800 (PST)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by ietfa.amsl.com (Postfix) with ESMTP id E02AA1AE1BC for <manet-dlep-rg@ietf.org>; Thu, 21 Nov 2013 11:47:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10919; q=dns/txt; s=iport; t=1385063232; x=1386272832; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=XNtEd6EGFAp8kgqpGo5tVEbH2NnY8cisYK9ZTfdJjF4=; b=kIHTDt4MqoXNacIb+pUFoSN8K41T3vvR/KiYKF4u/P8COS8WSblpI+vP 8vEtWA29nuWT4R/TI5ilAah5LFvhUGjcBYJNbuHc7HjkWAryLWI+p6bCt udoa91u5XPPfCogAigOVwx+ZyRSegeGn0paCqj0Ef2PG2itPk1wg/G6zE o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhoFAPlijlKtJXG+/2dsb2JhbABZgwc4U7w9gSQWdIIlAQEBAwEBAQFrCxACAQgRBAEBAScHIQYLFAkIAgQOBYdvAwkGDbhSDYgtF4xygSQJEQGBBwgrBwaDGoESA5QwgXeBa4EwiyiFOIMogXE5
X-IronPort-AV: E=Sophos;i="4.93,746,1378857600"; d="scan'208";a="286767017"
Received: from rcdn-core2-3.cisco.com ([173.37.113.190]) by rcdn-iport-4.cisco.com with ESMTP; 21 Nov 2013 19:47:11 +0000
Received: from xhc-aln-x12.cisco.com (xhc-aln-x12.cisco.com [173.36.12.86]) by rcdn-core2-3.cisco.com (8.14.5/8.14.5) with ESMTP id rALJlBN3014828 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 21 Nov 2013 19:47:11 GMT
Received: from xmb-aln-x03.cisco.com ([169.254.6.200]) by xhc-aln-x12.cisco.com ([173.36.12.86]) with mapi id 14.03.0123.003; Thu, 21 Nov 2013 13:47:11 -0600
From: "Stan Ratliff (sratliff)" <sratliff@cisco.com>
To: Teco Boot <teco@inf-net.nl>
Thread-Topic: [manet-dlep-rg] DLEP multicast address
Thread-Index: AQHO4Kj9T6zpymqzcUOJxQaYv69OEpoj+4SAgACFCqCAALvEgIAACw8AgAAB6oCABzr+AIAAvbeAgADGLACAAB9DAIACYMGA
Date: Thu, 21 Nov 2013 19:47:10 +0000
Message-ID: <765B5076-15CA-495A-99DF-5BFA965EE0A9@cisco.com>
References: <72FB622921C13746AD6349E70A8D9F307D9192F7@EXC-MBX03.tsn.tno.nl> <CAK=bVC85XAXR3Zkwq+JwELF-dvgrKwbowWCvwvnjeVn7VStnbw@mail.gmail.com> <72FB622921C13746AD6349E70A8D9F307D9193CD@EXC-MBX03.tsn.tno.nl> <5A8A5085482DA84995F4E70F5093AB50268E6C@XCH-BLV-503.nw.nos.boeing.com> <B2BA430A-F4E6-4DED-A7BB-7282A22802B7@inf-net.nl> <D02397F1-9D1B-4B36-81D0-4585ACDBA34A@gmail.com> <5D184300-2D97-4EC1-8D91-76D4A79B2BDA@inf-net.nl> <DDAE98C5-520E-4F8F-9F9B-2AB9A15A70EF@cisco.com> <0541163b-2d1c-4afd-ad06-ba9a25744310@SUCNPTEXC01.COM.AD.UK.DS.CORP> <B177F831FB91F242972D0C35F6A0733106FB0425@SUCNPTEXM01.com.ad.uk.ds.corp> <14B5C326-6499-439D-BC23-BB39A376825C@cisco.com> <CAGnRvuoxD_dxdoD_8qbHhq--6AF=2B7wNFEE5Xz=vKNwnBhhZw@mail.gmail.com> <9EB171E6-62E6-4136-BFDB-6FEB8DF23B74@cisco.com> <cb165b80-275e-45ff-ae0e-8ca5354a3568@SUCNPTEXC01.COM.AD.UK.DS.CORP> <B177F831FB91F242972D0C35F6A0733106FB081B@SUCNPTEXM01.com.ad.uk.ds.corp> <1EFB06F8-05B2-4A4B-8A6B-DDDB946B7D01@cisco.com> <2dde64e4-2a4a-4eb2-9717-4a9ffb8be0eb@SUCNPTEXC01.COM.AD.UK.DS.CORP> <B177F831FB91F242972D0C35F6A0733106FB0AC9@SUCNPTEXM01.com.ad.uk.ds.corp> <331538E2-23D3-4642-80FB-3309398BCC1C@inf-net.nl> <CAGnRvuq_63eQgKBncECMMYBJPcyG-XxTPRRK7h9hVY5Nc6vx4g@mail.gmail.com> <539cfe69-ecd3-47cf-b623-965dca5e580c@SUCNPTEXC01.COM.AD.UK.DS.CORP> <B177F831FB91F242972D0C35F6A0733106FB0F29@SUCNPTEXM01.com.ad.uk.ds.corp> <CAM4esxRNnWqd9LivxpoWMgJ1SBoPe7wYJk9kpwUVsXD-rMkyTg@mail.gmail.com> <38A5475DE83986499AEACD2CFAFC3F98FA593C5A@tss-server1.home.tropicalstormsoftware.com> <FB72E736-02BF-444B-8B3B-F96E45E4DEA6@cisco.com> <CAM4esxTdh_VkuYH33CMEyqd6u7gY5u9PxPhVd1eGeEBey1N=ig@mail.gmail.com> <BB87C522-651D-4F3E-8D9D-D0055F590C92@cisco.com> <CAM4esxTJOMyUZ2gHDzmpcOVYsa_zagYfGahS8X6FA-bWWOSiXw@mail.gmail.com> <F5C2EE51-0338-4B2D-B672-6B3D27CBC006@inf-net.nl>
In-Reply-To: <F5C2EE51-0338-4B2D-B672-6B3D27CBC006@inf-net.nl>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.116.179.216]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <81D89D75FEE2604BA7659ED40996CD03@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "manet-dlep-rg@ietf.org Group, (manet-dlep-rg@ietf.org)" <manet-dlep-rg@ietf.org>, Rick Taylor <rick@tropicalstormsoftware.com>, Martin Duke <martin.h.duke@gmail.com>, "Taylor, Rick" <Rick.Taylor@cassidian.com>
Subject: Re: [manet-dlep-rg] DLEP multicast address
X-BeenThere: manet-dlep-rg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DLEP Radio Group <manet-dlep-rg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/manet-dlep-rg>, <mailto:manet-dlep-rg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/manet-dlep-rg/>
List-Post: <mailto:manet-dlep-rg@ietf.org>
List-Help: <mailto:manet-dlep-rg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/manet-dlep-rg>, <mailto:manet-dlep-rg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2013 19:47:22 -0000

On Nov 20, 2013, at 2:28 AM, Teco Boot <teco@inf-net.nl> wrote:

> 
> Op 20 nov. 2013, om 06:36 heeft Martin Duke <martin.h.duke@gmail.com> het volgende geschreven:
> 
>> I actually think it makes implementation simpler. The server sends UDP packets occasionally to a well-known port and listens on a TCP port. The client just has to listen ona UDP port; no other cases to handle.

Maybe we are saying the same thing here? What I'm proposing is that the Peer Discovery is sent to a well-known port. But it is sent to an IANA-assigned link-local MCAST address. This peer discovery MAY continue to be sent on a periodic timer pop (with the heuristics of said timer at the discretion of the implementation), or it MAY cease once a TCP connection is established (reference the discussion about multiple DLEP peers existing on the same interface). Where I'm opposed is the notion of the Peer Discovery message being sent to a *unicast* address (what I thought was being described as some Out-of-band operation). I don't like that, it introduces additional protocol complexity, and we've already said that discovery is a 1-hop operation. If you *have* the unicast address to send the Peer Discovery to, then you've already got a-priori config. Either config it, or let it discover, but *NOT* both. Unless there's a *specific* use case you'd like to share - everything I've seen to this point is somewhat vague, and seems to relate to multi-hop operation, which we've also already said introduces a whole lot of assumptions and problems. 

>> With discovery messages always coming in, there's no need to build TCP retry heuristics.
> 
> This is the model I had in mind.
> No need to specify TCP retry mechanism or wait for a discovery packet, both are fine.
> 
> 
>> Configuration: I agree that there are no problems if client and server are identically configured. But part of an interoperability spec is not providing ways for client and server to get out of sync.
> This needs collision handling. When two TCP connections are set up, one has to be cleared. During the period that two connections are active, it is difficult to predict what will happen with order messages.

I read the point from Martin and the one from Teco as two different issues. As to the point from Martin - if the a-priori configuration is bad, then fix it. I don't know of a protocol that will somehow mitigate or re-sync bad configuration. That's a really bad idea, IMO. When you take "what the human said" (e.g. the configuration) and somehow munge it around, then the human that configured it in the first place is now ticked off that the code didn't pay attention to his config. I'm adamantly opposed to the notion of *specifying* how a discovery protocol overrides a-priori configuration. IMHO, that will be seen as a security vulnerability, instead of a "feature". 

Now, as to Teco's point. If there are collisions - that being, a TCP connect comes in on the same 4-tuple as an existing connection - the problem should be handled as the current DLEP does it. The older session is immediately terminated, and the new connection is used, starting from the Peer Initialize. This indicates that the two peers have lost state with each other; the only way to recover is to nuke the older, existing session, and pick up anew. 

> 
> 
>> Regardless, I suggest the Peer Discovery contain the TCP server port, and that if there is no Peer Discovery message the configuration must include the server port. That way, we need only get the UDP port number from IANA.
> 
> No, I want a passive model supported, where a TCP client can set up the connection on the IANA assigned well known DLEP port. Having the port allocated for UDP and TCP isn't a problem, I think. This enables multi-hop reachability to (or from) the modem. I don't know how to do that _from_ the modem.

No, Teco. Or actually, the answer is "You're *both* right". What's in my current -05 spec is that the TCP port TLV is OPTIONAL. If it's not there, then the connecter falls back to the well-known port number. If it *is* there, it's used. Offers good flexibility, without much complexity.

> 
> 
> May I repeat one of my use cases, where the DLEP (or derivate) protocol passes a crypto device with built in data diode. TCP will not make it here. See http://tools.ietf.org/html/draft-ivancic-manet-modemlpa Figure 5 for description of this use case (thanks to authors of modemlpa). I have to use some kind of DLEP proxy/tunnel, making the protocol uni-directional tunnel. For now, I see standardization of such mechanism as future work.

Yes, future work. Waaaaaay in the future. Don't want to get wrapped around the axle of what crypto devices are or are not doing. That will extend this process out ad-nauseum.

Stan


> 
> 
> Teco
> 
> 
>> 
>> On Nov 19, 2013 9:47 AM, "Stan Ratliff (sratliff)" <sratliff@cisco.com> wrote:
>> 
>> On Nov 19, 2013, at 1:28 AM, Martin Duke <martin.h.duke@gmail.com> wrote:
>> 
>>> I don't think we want to rely just on TCP if we have OOB detection. Here are some cases where we need the peer discovery anyway:
>>> 
>>> 1. The router is configured with the modem address but the modem does not have the router address.
>> 
>> In the general case, the TCP client needs the address/port of the TCP server. 
>> 
>>> 
>>> 2. The modem has the router IP address but not the port. (I believe the latest concept requires zero standard TCP ports, and the Peer Discovery can simply include the port number.)
>> 
>> I don't think we should even try to cover all bases of mod-configuration. Your either provide a-priori config, or you don't. If you do, and it's wrong, then shame on you. ;-)
>> 
>>> 
>>> 3. The modem has the peer address, but powers up first; the TCP SYN gets no reply, backs off and times out.
>> 
>> "Heuristics for retrying the TCP session are left to the discretion of the implementation"… ;-) 
>> 
>>> 
>>> Clearly it is much cleaner for the router to send a UDP packet where we control the frequency and timeout.
>> 
>> This looks like a backup for bad a-priori config, or to address timing issues. IMO, it increases complexity of the implementation, and doesn't provide a whole lot of value-add. But I could be missing something. 
>> 
>> Regards,
>> Stan
>> 
>>> 
>>> On Thursday, November 14, 2013, Stan Ratliff (sratliff) wrote:
>>> If you've already got the the peer's address via some out-of-band mechanism, then why "discover" him? I've tried to separate things out so that the *only* thing discovery does is… wait for it… 'discover'. It tells you the address/port of where you need to go connect up. Pretty much all other init gets pushed back into the new Peer Initialization message. About the only thing that makes sense to me in discovery is the software level of the peers - If, for instance, I'm at DLEP Version 19, and I discover a potential DLEP peer at Version 1, I *might not* want to connect up in the first place.
>>> 
>>> Regards,
>>> Stan
>>> 
>>> 
>>> On Nov 14, 2013, at 10:56 AM, Rick Taylor <rick@tropicalstormsoftware.com>
>>> wrote:
>>> 
>>>> +1 - Good point, I think we need to suggest some final text for this whole discovery process soon or we will forget our rough consensus.
>>>> 
>>>> Rick (on his other email address)
>>>> 
>>>> From: manet-dlep-rg-bounces@ietf.org [manet-dlep-rg-bounces@ietf.org] on behalf of Martin Duke [martin.h.duke@gmail.com]
>>>> Sent: 14 November 2013 15:16
>>>> To: Taylor, Rick
>>>> Cc: manet-dlep-rg@ietf.org Group (manet-dlep-rg@ietf.org); Stan Ratliff (sratliff)
>>>> Subject: Re: [manet-dlep-rg] DLEP multicast address
>>>> 
>>>> I agree with almost all of what Stan and Rick said, but I don't think it would hurt to have a sentence like "A router MAY send unicast peer discovery messages to modems, regardless of logical distance, if it has obtained their IP address through an out-of-band process."
>>>> On Nov 14, 2013 2:13 AM, "Taylor, Rick" <Rick.Taylor@cassidian.com> wrote:
>>>>> From: manet-dlep-rg-bounces@ietf.org [mailto:manet-dlep-rg-
>>>>> bounces@ietf.org] On Behalf Of Stan Ratliff (sratliff)
>>>>> Subject: Re: [manet-dlep-rg] DLEP multicast address
>>>>> 
>>>>> +1. Henning's right; there's no need to go to the IEEE, IMO...
>>>>> 
>>>>> Seems like the issue for us is how to scope discovery. Is it
>>>>> 
>>>>> (a) a single-hop operation, exploiting link-local MCAST, or
>>>>> (b) a potentially multi-hop operation, utilizing some sort of site-local
>>>>> or other MCAST technique/address?
>>>>> 
>>>>> I'm leaning to making it link-local (1-hop) myself. Note that does *NOT*
>>>>> preclude multi-hop DLEP operation over a TCP socket; it just means that
>>>>> multi-hop DLEP sessions would rely on a-priori configuration. There are
>>>>> *lots* of other issues that are going to confound, confuse, and otherwise
>>>>> screw-up multi-hop DLEP... ;-) Given the amount of characters typed over
>>>>> lesser issues, I don't know how far we want to go into multi-hop DLEP at
>>>>> this juncture. Suffice it to say my position is to write the spec in such
>>>>> a way as to avoid *precluding* it, but not to attempt to describe it.
>>>>> Multi-hop DLEP *can* work, given a careful network design (including a
>>>>> careful addressing policy). But I do not believe it will "generalize" down
>>>>> to something that warrants a section in the spec.
>>>> 
>>>> This is a big +1 from me.
>>>> 
>>>> Yes, we should specify that link-local multicast SHOULD be used (sent by the router periodically) and not forwarded.
>>>> 
>>>> Yes, we should add some text to say "Other discovery methods may be used, but then you start the standard TCP part of DLEP session establishment"
>>>> 
>>>> Yes, we should not preclude multi-hop links between router and modem, but also we should not get caught up in defining it - the draft IMHO should define the 1-hop behaviour only.
>>>> 
>>>> (When I say 'we' - I mean Stan and the other authors, it's just easier than translating all sentences into the passive voice and using 'one' instead, which just makes my prose increasingly Shakespearean which is unkind on those for whom English is a second language - this sentence being a case in point)
>>>> 
>>>> Rick
>>>> 
>>>>> 
>>>>> Stan
>>> 
>> 
>> _______________________________________________
>> manet-dlep-rg mailing list
>> manet-dlep-rg@ietf.org
>> https://www.ietf.org/mailman/listinfo/manet-dlep-rg
>

v2.23.0 | Report a Bug | By Email