IETF Logo Mail Archive

Re: [mif-arch-dt] Text for PvD considerations in configuration sources

Dmitry Anipko <Dmitry.Anipko@microsoft.com> Mon, 04 November 2013 05:14 UTC

Return-Path: <Dmitry.Anipko@microsoft.com>
X-Original-To: mif-arch-dt@ietfa.amsl.com
Delivered-To: mif-arch-dt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B529711E8189 for <mif-arch-dt@ietfa.amsl.com>; Sun, 3 Nov 2013 21:14:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0bh63Qfw-0Dg for <mif-arch-dt@ietfa.amsl.com>; Sun, 3 Nov 2013 21:13:47 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0209.outbound.protection.outlook.com [207.46.163.209]) by ietfa.amsl.com (Postfix) with ESMTP id A7A8811E8182 for <mif-arch-dt@ietf.org>; Sun, 3 Nov 2013 21:13:46 -0800 (PST)
Received: from SN2PR03MB077.namprd03.prod.outlook.com (10.255.175.153) by SN2PR03MB079.namprd03.prod.outlook.com (10.255.175.155) with Microsoft SMTP Server (TLS) id 15.0.815.6; Mon, 4 Nov 2013 05:13:39 +0000
Received: from SN2PR03MB077.namprd03.prod.outlook.com ([169.254.14.119]) by SN2PR03MB077.namprd03.prod.outlook.com ([169.254.14.119]) with mapi id 15.00.0815.000; Mon, 4 Nov 2013 05:13:38 +0000
From: Dmitry Anipko <Dmitry.Anipko@microsoft.com>
To: Suresh Krishnan <suresh.krishnan@ericsson.com>
Thread-Topic: Text for PvD considerations in configuration sources
Thread-Index: AQHOzmVpRbaRVfT9XUeGTLd5Ej7jHZoUnEFu
Date: Mon, 04 Nov 2013 05:13:37 +0000
Message-ID: <c7949ff3a2a748dc86d187cb46d1746a@SN2PR03MB077.namprd03.prod.outlook.com>
References: <526531F3.8020105@ericsson.com>
In-Reply-To: <526531F3.8020105@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [67.170.50.175]
x-forefront-prvs: 0020414413
x-forefront-antispam-report: SFV:NSPM; SFS:(189002)(199002)(377454003)(81542001)(76786001)(31966008)(69226001)(74366001)(76482001)(76796001)(81686001)(59766001)(56776001)(77982001)(33646001)(80976001)(19580405001)(83322001)(74662001)(76576001)(79102001)(65816001)(54316002)(81816001)(56816003)(80022001)(66066001)(87266001)(19580395003)(53806001)(51856001)(54356001)(4396001)(85306002)(63696002)(50986001)(74502001)(77096001)(74706001)(83072001)(47736001)(74876001)(49866001)(47446002)(47976001)(81342001)(46102001)(74316001)(2656002)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:SN2PR03MB079; H:SN2PR03MB077.namprd03.prod.outlook.com; CLIP:67.170.50.175; FPR:; RD:InfoNoRecords; MX:1; A:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: "mif-arch-dt@ietf.org" <mif-arch-dt@ietf.org>
Subject: Re: [mif-arch-dt] Text for PvD considerations in configuration sources
X-BeenThere: mif-arch-dt@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: MIF Architecture Design Team mailing list <mif-arch-dt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mif-arch-dt>, <mailto:mif-arch-dt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mif-arch-dt>
List-Post: <mailto:mif-arch-dt@ietf.org>
List-Help: <mailto:mif-arch-dt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif-arch-dt>, <mailto:mif-arch-dt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Nov 2013 05:14:05 -0000

Hi Suresh, Jouni, Shwetha, 

thank you for revising the text. Unless there are other comments from the design team, I will include this into the next draft update.

-Dmitry
________________________________________
From: Suresh Krishnan <suresh.krishnan@ericsson.com>
Sent: Monday, October 21, 2013 6:53 AM
To: Dmitry Anipko
Cc: mif-arch-dt@ietf.org
Subject: Text for PvD considerations in configuration sources

Hi Dmitry,
  Here is the revised text based on our last meeting. We would also like
to propose a change to Section 2.1 (at the end of this message).

Thanks
Suresh, Jouni and Shwetha

Conveying PVD information using DHCPv6 and Router Advertisements

DHCPv6 and Router Advertisements are the two most common methods
of configuring hosts and they would need to be extended to convey
explicit PVD information. There are several things that need to
be considered before finalizing a mechanism to augment DHCPv6 and
RAs with PvD information.

* Separate Messages or One Message

When information from several PVDs is available at the same
configuration source, there are two possibilities regarding how
to send these out. One way is to send information from different
provisioning domains in separate messages. The other is to
combine information from several PVDs onto one message. The
latter method has the advantage of being more efficient but could
have issues due to authentication and authorization issues as
well as potential issues with accommodating common information
and information not tagged with any PVD information.

* Securing the PVD information

DHCPv6 and RAs both provide some form of authentication that
ensures the identity of the source as well as the integrity of
the contents that have been secured. While this is useful, the
authenticity of the information provides no information whether
the configuration source is actually allowed to provide
information from a given PVD. In order to do be able to do this,
there must be a mechanism for the owner of the PVD to attach some
form of authorization token to the configuration information that
is delivered.

* Backward compatibility

The extensions to RAs and DHCPv6 should be defined in such a
manner than unmodified hosts (i.e. hosts not aware of PvDs) will
continue to function as well as they did before the PvD
information got added. This could imply that some information may
need to be duplicated in order to be conveyed to legacy
hosts. Similarly PvD aware hosts need to be able to handle legacy
configuration sources which do not provide PvD information. There
are also several initiatives ongoing that are aimed at adding
some form of additional information to prefixes [refs to
draft-bhandari and draft-korhonen] and any new mechanism should
try to consider co-existence with these existing mechanisms.

* Selective propagation

When a configuration source has information regarding several
PvDs it is not clear whether it should provide information about
all of them to any host that requests info from it. While it may
be reasonable in some cases, this might become an unreasonable
burden once the number of PvDs starts increasing. One way to
restrict the propagation of useless information is for the host
to select the PvD information they desire in their request to the
configuration source. One way this could be accomplished is by
using an ORO with the PvDs that are of interest. The
configuration source can then respond with only the requested
information.

By default, a configuration source SHOULD provide information related to
all provisioning domains without expecting the client to select the
PvD(s) it requires. This is necessary to ensure that hosts that do not
support requesting selective PvD information will continue to work. Also
note that IPv6 neighbor discovery does not provide any functionality
analogous to the DHCPv6 ORO.

In this case, when a host receives PvD information it does not require,
the information can simply be discarded. Also, in constrained networks
such as LLNs, the amount of configuration information needs to be
restricted to ensure that the load on the hosts is bearable while
keeping the information identical across all the hosts.

In case selective propogation is required, some form of PvD
discovery mechanism needs to be specified so that
hosts/applications can be pre-provisioned to request a specific
PvD. Alternately, the set of PvDs that the network can provide to
the host can be propogated to the host using RAs or stateless
DHCPv6. The discovery mechanism may potentially support the
discovery of available PvDs on a per-host basis.

* Retracting/updating PvD information

After the PvD information is provided to the host it may be
outdated or updated with newer information before the hosts would
normally request updates. Thos would require the mchanism to be
able to update and/or withdraw all (or some subset) of
information related to a given PvD. For efficiency reasons, there
should be a way to specify that all the information from the PvD
needs to be reconfigured instead of individually updating each
item associated with the PvD.

Conveying configuration information using IKEv2

Internet Key Exchange protocol version 2 (IKEv2)
[RFC5996][RFC5739] is another widely used and a popular method of
configuring IP information in a host. In the case of IKEv2 the
provisioning domain could actually be implicitly learnt from the
Identification - Responder (IDr) payloads the IKEv2 initiator and
the responder inject during the IKEv2 exchange. The IP
configuration may depend on the named IDr. Another possibility
could be adding specific provisioning domain identifying payload
extensions to IKEv2. All of the considerations listed above for
DHCPv6 and RAs potentialy apply to IKEv2 as well.



Change to Section 2.1
=====================

OLD:
Link-specific and/or vendor-proprietary mechanisms for discovery of
PVD information, different from the IETF-defined mechanisms, can be
used by the nodes separately from or together with IETF-defined
mechanisms, as long as they allow to discover necessary elements of
the PVD(s). In all cases, by default nodes must ensure that the
lifetime of all dynamically discovered PVD configuration is
appropriately limited by the relevant events - for example, if an
interface media state change was indicated, the previously discovered
information may no longer be valid and needs to be re-discovered or
confirmed.

NEW:
Link-specific and/or vendor-proprietary mechanisms for discovery of
PVD information, such as the technologies used in cellular networks,
different from the IETF-defined mechanisms, can be used by the nodes
separately from or together with IETF-defined mechanisms, as long as
they allow to discover necessary elements of the PVD(s). Another
example of a delivery mechanism for PVDs are key exchange ortunneling
protocols, such as IKEv2 [RFC5996] that allow transporting host
configuration information In all cases, by default nodes must ensure
that the lifetime of all dynamically discovered PVD configuration is
appropriately limited by the relevant events - for example, if an
interface media state change was indicated, the previously discovered
information may no longer be valid and needs to be re-discovered or
confirmed.

v2.23.0 | Report a Bug | By Email