IETF Logo Mail Archive

Re: [mif-arch-dt] New Version Notification for draft-anipko-mif-mpvd-arch-00.txt

Tim Chown <tjc@ecs.soton.ac.uk> Thu, 01 August 2013 11:06 UTC

Return-Path: <tjc@ecs.soton.ac.uk>
X-Original-To: mif-arch-dt@ietfa.amsl.com
Delivered-To: mif-arch-dt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 165D421F9C10 for <mif-arch-dt@ietfa.amsl.com>; Thu, 1 Aug 2013 04:06:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.425
X-Spam-Level:
X-Spam-Status: No, score=-2.425 tagged_above=-999 required=5 tests=[AWL=0.175, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZGQ5mbO-D-Y7 for <mif-arch-dt@ietfa.amsl.com>; Thu, 1 Aug 2013 04:06:48 -0700 (PDT)
Received: from falcon.ecs.soton.ac.uk (falcon.ecs.soton.ac.uk [IPv6:2001:630:d0:f102::25e]) by ietfa.amsl.com (Postfix) with ESMTP id 29B6321F9815 for <mif-arch-dt@ietf.org>; Thu, 1 Aug 2013 04:06:33 -0700 (PDT)
Received: from falcon.ecs.soton.ac.uk (localhost.ecs.soton.ac.uk [127.0.0.1]) by falcon.ecs.soton.ac.uk (8.13.8/8.13.8) with ESMTP id r71B6PM3001332 for <mif-arch-dt@ietf.org>; Thu, 1 Aug 2013 12:06:25 +0100
X-DKIM: Sendmail DKIM Filter v2.8.2 falcon.ecs.soton.ac.uk r71B6PM3001332
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=ecs.soton.ac.uk; s=201304; t=1375355185; bh=XxRZR735CLkLfSMWx/upOsG/55Y=; h=Mime-Version:Subject:From:In-Reply-To:Date:References:To; b=ivDSfvZw7dg7oWncO/j7SabWWbktLV71GCB+4A5k0KcA4DlAKZ94EtACjH+zOSKEl TyKRo5+vlaPA0fhVqJGaV0Mcgi9lSaAKzWm/AlfScTywm0JtnaEgYlozqeSAvEGUx0 23TCn4Wa/O+EBU1mYR8gs9PeGkmQHWWuTs6wjTxQ=
Received: from gander.ecs.soton.ac.uk ([2001:630:d0:f102:250:56ff:fea0:401]) by falcon.ecs.soton.ac.uk (falcon.ecs.soton.ac.uk [2001:630:d0:f102:250:56ff:fea0:68da]) envelope-from <tjc@ecs.soton.ac.uk> with ESMTP (valid=N/A) id p70C6P0544500367p7 ret-id none; Thu, 01 Aug 2013 12:06:25 +0100
Received: from dhcp-142f.meeting.ietf.org (dhcp-142f.meeting.ietf.org [130.129.20.47]) (authenticated bits=0) by gander.ecs.soton.ac.uk (8.13.8/8.13.8) with ESMTP id r71B6L93011503 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for <mif-arch-dt@ietf.org>; Thu, 1 Aug 2013 12:06:22 +0100
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Tim Chown <tjc@ecs.soton.ac.uk>
In-Reply-To: <c00478f9e7ee4ab6948959623dd3a09d@SN2PR03MB077.namprd03.prod.outlook.com>
Date: Thu, 01 Aug 2013 12:06:21 +0100
Content-Transfer-Encoding: quoted-printable
Message-ID: <EMEW3|af056da0114b24ddf2bdbb51763430fbp70C6P03tjc|ecs.soton.ac.uk|0B1F4D00-3811-4E53-8D88-A67E15B8CD18@ecs.soton.ac.uk>
References: <20130714041913.29430.66253.idtracker@ietfa.amsl.com> <e7573b69f58a4f0b903cf7a3ae03cf48@SN2PR03MB077.namprd03.prod.outlook.com> <024f01ce836a$0c59b220$250d1660$@com> <9f84e98ff5bc45e2ac0465c72bdc24e1@SN2PR03MB077.namprd03.prod.outlook.com> <002801ce851f$f8eb8cb0$eac2a610$@com> <8D23D4052ABE7A4490E77B1A012B63077521C9E7@mbx-01.win.nominum.com> <8AD05C25-AA13-48BF-810C-439C178EE1D3@ecs.soton.ac.uk> <EMEW3|25fe7aca8d4acd7aafc4345bd0e9fa99p6LDwI03tjc|ecs.soton.ac.uk|8AD05C25-AA13-48BF-810C-439C178EE1D3@ecs.soton.ac.uk> <c00478f9e7ee4ab6948959623dd3a09d@SN2PR03MB077.namprd03.prod.outlook.com> <0B1F4D00-3811-4E53-8D88-A67E15B8CD18@ecs.soton.ac.uk>
To: "mif-arch-dt@ietf.org" <mif-arch-dt@ietf.org>
X-Mailer: Apple Mail (2.1508)
X-ECS-MailScanner: Found to be clean, Found to be clean
X-smtpf-Report: sid=p70C6P054450036700; tid=p70C6P0544500367p7; client=relay,forged,no_ptr,ipv6; mail=; rcpt=; nrcpt=1:0; fails=0
X-ECS-MailScanner-Information: Please contact the ISP for more information
X-ECS-MailScanner-ID: r71B6PM3001332
X-ECS-MailScanner-From: tjc@ecs.soton.ac.uk
Subject: Re: [mif-arch-dt] New Version Notification for draft-anipko-mif-mpvd-arch-00.txt
X-BeenThere: mif-arch-dt@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: MIF Architecture Design Team mailing list <mif-arch-dt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mif-arch-dt>, <mailto:mif-arch-dt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mif-arch-dt>
List-Post: <mailto:mif-arch-dt@ietf.org>
List-Help: <mailto:mif-arch-dt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif-arch-dt>, <mailto:mif-arch-dt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2013 11:06:51 -0000

On 27 Jul 2013, at 03:05, Dmitry Anipko <Dmitry.Anipko@microsoft.com> wrote:

> Hi Tim,
> 
> Thank you for review and comments. They were discussed during the call on Monday, and I will try to summarize below my understanding of what was agreed on during the call. Please let me know whether you agree/disagree with the proposed changes/actions or if it appears the comment was not understood correctly.

Hi, comments in line. I agree with anything I've snipped.

>>> Are PVD IDs unique per PVD, per association between the client and PVD, per location, or...? e.g. if I am with a WiFi provider, will I always see the same PVD when I use that provider, anywhere? Would a friend on that provider see the same ID? Can any assumptions be made? As yet I don't think this is stated.
> 
> [d.a.] It seemed at least two question are raised here: 1) whether the PVD ID should be the same or different across networks, operated by the same provider. 2) whether everyone on the same link should see same set of PVDs, or on the same link different nodes might see different PVDs. 
> 
> On the call, there seemed to be agreement:
> 
> For 1), that both are possible and that the architecture shall not constraint either way. 
> For 2), that in the current scope of the document on a single link, all nodes should receive information about the same PVDs. That said, individual nodes may have different policy/trust settings, based on which they decide to use different subsets of the received PVDs. Future extensions, where different nodes on the same link may see different PVDs from the network, are suggested to be out of scope for the current version of the architecture.
> 
> The clarifications for both points will be added.

OK. Although presumably nodes learning of PVDs via DHCP as per 2.1 may be on the same link but be given different PVD information.  That might be how an ISP "colours" different devices in a home network differently, perhaps.

Do we think PVD IDs would be exposed to users, to be able to make choices as we might today with 3G vs WiFi? I suspect users in general have seen enough hotspots etc to "get" SSIDs, and selecting a provider by SSID, for example.

On a related note, can PVDs be chained, or would hierarchies require different, non-overlapping PVDs? An example might be an LLN gateway attaching to an ISP via a homenet.  Here the LLN gateway would be provisioned by the homenet router, and may be unaware of what ISP(s) or other domains may be upstream of that. Would the LLN be just one of the homenet or ISP PVDs? Or could there be nested "onion"-style PVD scopes? Maybe this is something for Section 3.

>>> So if there is an explicit vs implicit distinction for learning PVDs, perhaps a similar model should be applied here, explicit being e.g. a user toggle (explicit choice, rather like 3G vs WiFi, as hinted at in section 2.3), the implicit being e.g. connectivity tests (Happy PVDs?).
> 
> [d.a.] It didn't feel like there was a common understanding of how this comment could be actioned on. Please feel free to elaborate or suggest specific text which you'd want to see in the document in this regard.

The question is given a set of PVDs, how the client chooses which PVDs to use for which services. It could apply some policy (explicit, like using the VPN PVD for corporate use), perhaps with user toggles/choices involved (as we do know with 3G vs Wifi), or it could implicitly try to figure out the best PVD to use via connectivity tests (4.3). Of course, if a policy is used, there may be conflicting policy…

>>> There may be cases for split PVDs, e.g. a host with VPN running, uses the VPN to the corporate network and the default provision for all other traffic (cue security comments...).
> 
> [d.a.] Sure, this seems to be one of the PVD use cases for different connections, but it was not clear how the text should be adjusted. Do you think the current text doesn't cover that or contradicts to that? If that's the case, can you suggest the specific changes?

I think this is part of section 4. Under 4.1 it can be noted that a node may learn of one or more PVDs, but need not use a single PVD for all services.  At this stage, we probably don't need to say more than that.

>>> eduroam is an interesting example here. Users authenticate to their home site using their home credentials, but the visited site then makes a provisioning (and authorisation) decision based on that result.  The visited site is the PVD, but the authentication is to the home site.  The authentication to eduroam can be mutual between the device and the visited network.

I'll have a think about that one.  I think something under 6.2 would be appropriate.

> [d.a.] Can you suggest more specific text which you'd like to see included?
> 
>>> And a final question for now - are we including application configuration in this work, or is it purely network services?
> 
> [d.a.] There didn't seem to be agreement on the call on this, and this was also discussed on previous calls. It may be good topic to talk about in the MIF meeting.

OK, I saw that that was on the slides.

Tim

v2.23.0 | Report a Bug | By Email