Re: [mif-arch-dt] Text for PvD considerations in configuration sources
Dmitry Anipko <Dmitry.Anipko@microsoft.com> Mon, 04 November 2013 05:14 UTC
Return-Path: <Dmitry.Anipko@microsoft.com>
X-Original-To: mif-arch-dt@ietfa.amsl.com
Delivered-To: mif-arch-dt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B529711E8189 for <mif-arch-dt@ietfa.amsl.com>; Sun, 3 Nov 2013 21:14:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0bh63Qfw-0Dg for <mif-arch-dt@ietfa.amsl.com>; Sun, 3 Nov 2013 21:13:47 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0209.outbound.protection.outlook.com [207.46.163.209]) by ietfa.amsl.com (Postfix) with ESMTP id A7A8811E8182 for <mif-arch-dt@ietf.org>; Sun, 3 Nov 2013 21:13:46 -0800 (PST)
Received: from SN2PR03MB077.namprd03.prod.outlook.com (10.255.175.153) by SN2PR03MB079.namprd03.prod.outlook.com (10.255.175.155) with Microsoft SMTP Server (TLS) id 15.0.815.6; Mon, 4 Nov 2013 05:13:39 +0000
Received: from SN2PR03MB077.namprd03.prod.outlook.com ([169.254.14.119]) by SN2PR03MB077.namprd03.prod.outlook.com ([169.254.14.119]) with mapi id 15.00.0815.000; Mon, 4 Nov 2013 05:13:38 +0000
From: Dmitry Anipko <Dmitry.Anipko@microsoft.com>
To: Suresh Krishnan <suresh.krishnan@ericsson.com>
Thread-Topic: Text for PvD considerations in configuration sources
Thread-Index: AQHOzmVpRbaRVfT9XUeGTLd5Ej7jHZoUnEFu
Date: Mon, 04 Nov 2013 05:13:37 +0000
Message-ID: <c7949ff3a2a748dc86d187cb46d1746a@SN2PR03MB077.namprd03.prod.outlook.com>
References: <526531F3.8020105@ericsson.com>
In-Reply-To: <526531F3.8020105@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [67.170.50.175]
x-forefront-prvs: 0020414413
x-forefront-antispam-report: SFV:NSPM; SFS:(189002)(199002)(377454003)(81542001)(76786001)(31966008)(69226001)(74366001)(76482001)(76796001)(81686001)(59766001)(56776001)(77982001)(33646001)(80976001)(19580405001)(83322001)(74662001)(76576001)(79102001)(65816001)(54316002)(81816001)(56816003)(80022001)(66066001)(87266001)(19580395003)(53806001)(51856001)(54356001)(4396001)(85306002)(63696002)(50986001)(74502001)(77096001)(74706001)(83072001)(47736001)(74876001)(49866001)(47446002)(47976001)(81342001)(46102001)(74316001)(2656002)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:SN2PR03MB079; H:SN2PR03MB077.namprd03.prod.outlook.com; CLIP:67.170.50.175; FPR:; RD:InfoNoRecords; MX:1; A:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: "mif-arch-dt@ietf.org" <mif-arch-dt@ietf.org>
Subject: Re: [mif-arch-dt] Text for PvD considerations in configuration sources
X-BeenThere: mif-arch-dt@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: MIF Architecture Design Team mailing list <mif-arch-dt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mif-arch-dt>, <mailto:mif-arch-dt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mif-arch-dt>
List-Post: <mailto:mif-arch-dt@ietf.org>
List-Help: <mailto:mif-arch-dt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif-arch-dt>, <mailto:mif-arch-dt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Nov 2013 05:14:05 -0000
Hi Suresh, Jouni, Shwetha, thank you for revising the text. Unless there are other comments from the design team, I will include this into the next draft update. -Dmitry ________________________________________ From: Suresh Krishnan <suresh.krishnan@ericsson.com> Sent: Monday, October 21, 2013 6:53 AM To: Dmitry Anipko Cc: mif-arch-dt@ietf.org Subject: Text for PvD considerations in configuration sources Hi Dmitry, Here is the revised text based on our last meeting. We would also like to propose a change to Section 2.1 (at the end of this message). Thanks Suresh, Jouni and Shwetha Conveying PVD information using DHCPv6 and Router Advertisements DHCPv6 and Router Advertisements are the two most common methods of configuring hosts and they would need to be extended to convey explicit PVD information. There are several things that need to be considered before finalizing a mechanism to augment DHCPv6 and RAs with PvD information. * Separate Messages or One Message When information from several PVDs is available at the same configuration source, there are two possibilities regarding how to send these out. One way is to send information from different provisioning domains in separate messages. The other is to combine information from several PVDs onto one message. The latter method has the advantage of being more efficient but could have issues due to authentication and authorization issues as well as potential issues with accommodating common information and information not tagged with any PVD information. * Securing the PVD information DHCPv6 and RAs both provide some form of authentication that ensures the identity of the source as well as the integrity of the contents that have been secured. While this is useful, the authenticity of the information provides no information whether the configuration source is actually allowed to provide information from a given PVD. In order to do be able to do this, there must be a mechanism for the owner of the PVD to attach some form of authorization token to the configuration information that is delivered. * Backward compatibility The extensions to RAs and DHCPv6 should be defined in such a manner than unmodified hosts (i.e. hosts not aware of PvDs) will continue to function as well as they did before the PvD information got added. This could imply that some information may need to be duplicated in order to be conveyed to legacy hosts. Similarly PvD aware hosts need to be able to handle legacy configuration sources which do not provide PvD information. There are also several initiatives ongoing that are aimed at adding some form of additional information to prefixes [refs to draft-bhandari and draft-korhonen] and any new mechanism should try to consider co-existence with these existing mechanisms. * Selective propagation When a configuration source has information regarding several PvDs it is not clear whether it should provide information about all of them to any host that requests info from it. While it may be reasonable in some cases, this might become an unreasonable burden once the number of PvDs starts increasing. One way to restrict the propagation of useless information is for the host to select the PvD information they desire in their request to the configuration source. One way this could be accomplished is by using an ORO with the PvDs that are of interest. The configuration source can then respond with only the requested information. By default, a configuration source SHOULD provide information related to all provisioning domains without expecting the client to select the PvD(s) it requires. This is necessary to ensure that hosts that do not support requesting selective PvD information will continue to work. Also note that IPv6 neighbor discovery does not provide any functionality analogous to the DHCPv6 ORO. In this case, when a host receives PvD information it does not require, the information can simply be discarded. Also, in constrained networks such as LLNs, the amount of configuration information needs to be restricted to ensure that the load on the hosts is bearable while keeping the information identical across all the hosts. In case selective propogation is required, some form of PvD discovery mechanism needs to be specified so that hosts/applications can be pre-provisioned to request a specific PvD. Alternately, the set of PvDs that the network can provide to the host can be propogated to the host using RAs or stateless DHCPv6. The discovery mechanism may potentially support the discovery of available PvDs on a per-host basis. * Retracting/updating PvD information After the PvD information is provided to the host it may be outdated or updated with newer information before the hosts would normally request updates. Thos would require the mchanism to be able to update and/or withdraw all (or some subset) of information related to a given PvD. For efficiency reasons, there should be a way to specify that all the information from the PvD needs to be reconfigured instead of individually updating each item associated with the PvD. Conveying configuration information using IKEv2 Internet Key Exchange protocol version 2 (IKEv2) [RFC5996][RFC5739] is another widely used and a popular method of configuring IP information in a host. In the case of IKEv2 the provisioning domain could actually be implicitly learnt from the Identification - Responder (IDr) payloads the IKEv2 initiator and the responder inject during the IKEv2 exchange. The IP configuration may depend on the named IDr. Another possibility could be adding specific provisioning domain identifying payload extensions to IKEv2. All of the considerations listed above for DHCPv6 and RAs potentialy apply to IKEv2 as well. Change to Section 2.1 ===================== OLD: Link-specific and/or vendor-proprietary mechanisms for discovery of PVD information, different from the IETF-defined mechanisms, can be used by the nodes separately from or together with IETF-defined mechanisms, as long as they allow to discover necessary elements of the PVD(s). In all cases, by default nodes must ensure that the lifetime of all dynamically discovered PVD configuration is appropriately limited by the relevant events - for example, if an interface media state change was indicated, the previously discovered information may no longer be valid and needs to be re-discovered or confirmed. NEW: Link-specific and/or vendor-proprietary mechanisms for discovery of PVD information, such as the technologies used in cellular networks, different from the IETF-defined mechanisms, can be used by the nodes separately from or together with IETF-defined mechanisms, as long as they allow to discover necessary elements of the PVD(s). Another example of a delivery mechanism for PVDs are key exchange ortunneling protocols, such as IKEv2 [RFC5996] that allow transporting host configuration information In all cases, by default nodes must ensure that the lifetime of all dynamically discovered PVD configuration is appropriately limited by the relevant events - for example, if an interface media state change was indicated, the previously discovered information may no longer be valid and needs to be re-discovered or confirmed.
- [mif-arch-dt] Text for PvD considerations in conf… Suresh Krishnan
- [mif-arch-dt] Text for PvD considerations in conf… Suresh Krishnan
- Re: [mif-arch-dt] Text for PvD considerations in … Dmitry Anipko