Re: [mpls] MPLS-RT review of draft-farrelll-mpls-opportunistic-encrypt-04.txt
"Adrian Farrel" <adrian@olddog.co.uk> Mon, 18 May 2015 08:57 UTC
Return-Path: <adrian@olddog.co.uk>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C70E1A1B0B for <mpls@ietfa.amsl.com>; Mon, 18 May 2015 01:57:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102
X-Spam-Level:
X-Spam-Status: No, score=-102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_32=0.6, RCVD_IN_DNSWL_LOW=-0.7, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Emo4evI-oGMQ for <mpls@ietfa.amsl.com>; Mon, 18 May 2015 01:57:20 -0700 (PDT)
Received: from asmtp4.iomartmail.com (asmtp4.iomartmail.com [62.128.201.175]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F0711A007E for <mpls@ietf.org>; Mon, 18 May 2015 01:57:20 -0700 (PDT)
Received: from asmtp4.iomartmail.com (localhost.localdomain [127.0.0.1]) by asmtp4.iomartmail.com (8.13.8/8.13.8) with ESMTP id t4I8vHvf024191; Mon, 18 May 2015 09:57:17 +0100
Received: from 950129200 (dsl-sp-81-140-15-32.in-addr.broadbandscope.com [81.140.15.32]) (authenticated bits=0) by asmtp4.iomartmail.com (8.13.8/8.13.8) with ESMTP id t4I8vCMV024063 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Mon, 18 May 2015 09:57:15 +0100
From: Adrian Farrel <adrian@olddog.co.uk>
To: 'Lizhong Jin' <lizho.jin@gmail.com>
References: <031c01d090f2$b71ab2d0$25501870$@olddog.co.uk> <CAH==cJy6VPJ8MjtwOVBx8EcJQSq3ECOWSiGfke-gK1akb-tyrg@mail.gmail.com>
In-Reply-To: <CAH==cJy6VPJ8MjtwOVBx8EcJQSq3ECOWSiGfke-gK1akb-tyrg@mail.gmail.com>
Date: Mon, 18 May 2015 09:57:10 +0100
Message-ID: <038a01d09148$a2f87890$e8e969b0$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLtMjKmdsdmJhBs/CHK4l2DStnr9gJhehHrmzUS0oA=
Content-Language: en-gb
X-TM-AS-MML: disable
X-TM-AS-Product-Ver: IMSS-7.1.0.1576-8.0.0.1202-21552.006
X-TM-AS-Result: No--6.127-10.0-31-10
X-imss-scan-details: No--6.127-10.0-31-10
X-TMASE-MatchedRID: 8+bhjh9TQnE4HKI/yaqRmx3EEAbn+GRbGSqdEmeD/nV/tE9YIUrwYmH9 qmSCMo1DglmCfhOu3g7I1TUbyXhF1HhOmBpkfkUrbMGKOuLn5FUJDfFL7Mvp7dqCxkzSpW/XosP l77f7gdzNAIQVxCmqmGYX2K+F1a0hxaWErlRokDyTEgTE0DYkgNcuriW22Uf/uX6NXIvOYLtMOy 6GSjkBVo6N2tH+yqIRAaBq8YFGlhAlPCAsfAiuNN/wYmMFcJSI5TbwqVVpF+MREeTKxBqIeaYAH z7/p72b4EyJi38jHZoE40h/ri/5Sj3XUxeO5E+LYD9XTRdaMO1cSMp/1+Epp2sSgW01iDQLvPg6 UssVFP8IS5UXqe5IMV+24nCsUSFNt7DW3B48kkHdB/CxWTRRuwihQpoXbuXFT6LBGWscvRiRKcr 802/NVa7Fk6xwyDFN+N2v6VEahYoWKI4kP3UgRMCAPy/fTtWKFDl/hR7C9wps2cTgeXjWii3UKa d/I8O4CQKeQDeH+fUPvTV19UCLO5Iv06+1Rxr97r4PjzaceGueqD9WtJkSIw==
Archived-At: <http://mailarchive.ietf.org/arch/msg/mpls/hImoaHKED6qEVJhQLR2nXUhxaHY>
Cc: draft-farrelll-mpls-opportunistic-encrypt@tools.ietf.org, mpls@ietf.org, mpls-chairs@tools.ietf.org
Subject: Re: [mpls] MPLS-RT review of draft-farrelll-mpls-opportunistic-encrypt-04.txt
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: adrian@olddog.co.uk
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 May 2015 08:57:22 -0000
Hi again, >>>> Section 3, Everything that follows the control word is the entire >>>> original MPLS packet encrypted. >>> >>> [Lizhong] also for Figure1, in the PHP case, the original MPLS packet will >>> not have label, then if the packet is also encrypted and encapsulated >>> after control work, then how to parse the packet correctly? The control >>> word will not tell the following payload is MPLS or IP. >> >> Hmmm, you are talking, I suppose, about the hop-by-hop encryption mode >> on a final hop of an LSP that is using PHP. >> In this case there is nothing to encrypt except the payload. >> Nevertheless, I am not sure I understand your question. >> Consider what happens when the packet is not encrypted on the final hop >> of an LSP from LSR Y to LSR Z with PHP in use. In this case LSR Y pops the last >> remaining label from the packet and forwards it on the designated interface >> to LSR Z. LSR Z has no control word or other means to use to determine >> what the received packet is. It may sniff the first nibble if it knows the >> packet is IPv4 or IPv6, or if it hopes to find a PW control word. Or LSR Z may >> know something magic about the incoming interface (for example that it is >> an MPLS interface and that the packet will have more labels). >> Now if encryption is in use, then LSR Z has agreed to its use. That means >> that LSR Z is expecting to label 15, the MEL, and a control word at the top >> of the packet. So it will remove those three things, decrypt the packet, and >> then treat the rest of the packet exactly as it would in the case where >> encryption is not in use. >> >> We could clarify this by noting that the label stack shown on the left hand >> side of Figure 1 is of arbitrary depth. That would include zero labels in the >> PHP case. However, I think this is a bit obvious. > > [Lizhong] Let my try to describe with an example. In Ethernet environment, > LSR Z receives the packet, and parse the payload by checking EthType, with > "0x80" as IPv4. When MEL is inserted, the EthType has to be changed to > "MPLS" type (0x8847/8848), and lost the original payload type information. > And the MEL and control word does not have capability to indicate the > payload type for parsing. You're right. With PHP in my example, LSR Y (that strips the label) determines what the packet type is, and uses that to set the Ethertype. Using encryption, it would be LSR Z that had to do this. But it would be the same function. An alternative here would be to run encryption only as far as the penultimate hop, but that leaves the last hop exposed. So, to me it seems that if you want to run end-to-end encryption, you probably want to run it without PHP. >>> When decryption at the egress LER, the TTL&TC processing of the first >>> decrypted label should be a bit different with previous mechanism. >>> The TTL&TC value may need to inherit from the label before MEL in >>> uniform mode. >> >> Indeed. This is how tunnelling works. You think we should explain that? > > [Lizhong] Yes, it is better to mention that, or have a reference in the draft. OK. Will do. Cheers, Adrian
- Re: [mpls] MPLS-RT review of draft-farrelll-mpls-… Lizhong Jin
- Re: [mpls] MPLS-RT review of draft-farrelll-mpls-… Adrian Farrel
- Re: [mpls] MPLS-RT review of draft-farrelll-mpls-… Lizhong Jin
- Re: [mpls] MPLS-RT review of draft-farrelll-mpls-… Adrian Farrel
- Re: [mpls] MPLS-RT review of draft-farrelll-mpls-… Lizhong Jin