Return-Path: <adrian@olddog.co.uk>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 7C70E1A1B0B
 for <mpls@ietfa.amsl.com>; Mon, 18 May 2015 01:57:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102
X-Spam-Level: 
X-Spam-Status: No, score=-102 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, J_CHICKENPOX_32=0.6, RCVD_IN_DNSWL_LOW=-0.7,
 USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id Emo4evI-oGMQ for <mpls@ietfa.amsl.com>;
 Mon, 18 May 2015 01:57:20 -0700 (PDT)
Received: from asmtp4.iomartmail.com (asmtp4.iomartmail.com [62.128.201.175])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id 2F0711A007E
 for <mpls@ietf.org>; Mon, 18 May 2015 01:57:20 -0700 (PDT)
Received: from asmtp4.iomartmail.com (localhost.localdomain [127.0.0.1])
 by asmtp4.iomartmail.com (8.13.8/8.13.8) with ESMTP id t4I8vHvf024191;
 Mon, 18 May 2015 09:57:17 +0100
Received: from 950129200 (dsl-sp-81-140-15-32.in-addr.broadbandscope.com
 [81.140.15.32]) (authenticated bits=0)
 by asmtp4.iomartmail.com (8.13.8/8.13.8) with ESMTP id t4I8vCMV024063
 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO);
 Mon, 18 May 2015 09:57:15 +0100
From: "Adrian Farrel" <adrian@olddog.co.uk>
To: "'Lizhong Jin'" <lizho.jin@gmail.com>
References: <031c01d090f2$b71ab2d0$25501870$@olddog.co.uk>
 <CAH==cJy6VPJ8MjtwOVBx8EcJQSq3ECOWSiGfke-gK1akb-tyrg@mail.gmail.com>
In-Reply-To: <CAH==cJy6VPJ8MjtwOVBx8EcJQSq3ECOWSiGfke-gK1akb-tyrg@mail.gmail.com>
Date: Mon, 18 May 2015 09:57:10 +0100
Message-ID: <038a01d09148$a2f87890$e8e969b0$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLtMjKmdsdmJhBs/CHK4l2DStnr9gJhehHrmzUS0oA=
Content-Language: en-gb
X-TM-AS-MML: disable
X-TM-AS-Product-Ver: IMSS-7.1.0.1576-8.0.0.1202-21552.006
X-TM-AS-Result: No--6.127-10.0-31-10
X-imss-scan-details: No--6.127-10.0-31-10
X-TMASE-MatchedRID: 8+bhjh9TQnE4HKI/yaqRmx3EEAbn+GRbGSqdEmeD/nV/tE9YIUrwYmH9
 qmSCMo1DglmCfhOu3g7I1TUbyXhF1HhOmBpkfkUrbMGKOuLn5FUJDfFL7Mvp7dqCxkzSpW/XosP
 l77f7gdzNAIQVxCmqmGYX2K+F1a0hxaWErlRokDyTEgTE0DYkgNcuriW22Uf/uX6NXIvOYLtMOy
 6GSjkBVo6N2tH+yqIRAaBq8YFGlhAlPCAsfAiuNN/wYmMFcJSI5TbwqVVpF+MREeTKxBqIeaYAH
 z7/p72b4EyJi38jHZoE40h/ri/5Sj3XUxeO5E+LYD9XTRdaMO1cSMp/1+Epp2sSgW01iDQLvPg6
 UssVFP8IS5UXqe5IMV+24nCsUSFNt7DW3B48kkHdB/CxWTRRuwihQpoXbuXFT6LBGWscvRiRKcr
 802/NVa7Fk6xwyDFN+N2v6VEahYoWKI4kP3UgRMCAPy/fTtWKFDl/hR7C9wps2cTgeXjWii3UKa
 d/I8O4CQKeQDeH+fUPvTV19UCLO5Iv06+1Rxr97r4PjzaceGueqD9WtJkSIw==
Archived-At: <http://mailarchive.ietf.org/arch/msg/mpls/hImoaHKED6qEVJhQLR2nXUhxaHY>
Cc: draft-farrelll-mpls-opportunistic-encrypt@tools.ietf.org, mpls@ietf.org,
 mpls-chairs@tools.ietf.org
Subject: Re: [mpls] MPLS-RT review of
 draft-farrelll-mpls-opportunistic-encrypt-04.txt
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: adrian@olddog.co.uk
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>,
 <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>,
 <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 May 2015 08:57:22 -0000

Hi again,

>>>> Section 3, Everything that follows the control word is the entire=20
>>>> original MPLS packet encrypted.
>>>
>>> [Lizhong] also for Figure1, in the PHP case, the original MPLS =
packet will=20
>>> not have label, then if the packet is also encrypted and =
encapsulated=20
>>> after control work, then how to parse the packet correctly? The =
control
>>> word will not tell the following payload is MPLS or IP.
>>
>> Hmmm, you are talking, I suppose, about the hop-by-hop encryption =
mode
>> on a final hop of an LSP that is using PHP.
>> In this case there is nothing to encrypt except the payload.
>> Nevertheless, I am not sure I understand your question.
>> Consider what happens when the packet is not encrypted on the final =
hop
>> of an LSP from LSR Y to LSR Z with PHP in use. In this case LSR Y =
pops the last
>> remaining label from the packet and forwards it on the designated =
interface
>> to LSR Z. LSR Z has no control word or other means to use to =
determine
>> what the received packet is. It may sniff the first nibble if it =
knows the
>> packet is IPv4 or IPv6, or if it hopes to find a PW control word. Or =
LSR Z may
>> know something magic about the incoming interface (for example that =
it is
>> an MPLS interface and that the packet will have more labels).
>> Now if encryption is in use, then LSR Z has agreed to its use. That =
means
>> that LSR Z is expecting to label 15, the MEL, and a control word at =
the top
>> of the packet. So it will remove those three things, decrypt the =
packet, and
>> then treat the rest of the packet exactly as it would in the case =
where
>> encryption is not in use.
>>
>> We could clarify this by noting that the label stack shown on the =
left hand
>> side of Figure 1 is of arbitrary depth. That would include zero =
labels in the
>> PHP case. However, I think this is a bit obvious.
>
> [Lizhong] Let my try to describe with an example. In Ethernet =
environment,
> LSR Z receives the packet, and parse the payload by checking EthType, =
with
> "0x80" as IPv4. When MEL is inserted, the EthType has to be changed to
> "MPLS" type (0x8847/8848), and lost the original payload type =
information.
> And the MEL and control word does not have capability to indicate the
> payload type for parsing.=20

You're right. With PHP in my example, LSR Y (that strips the label) =
determines what the packet type is, and uses that to set the Ethertype. =
Using encryption, it would be LSR Z that had to do this. But it would be =
the same function.

An alternative here would be to run encryption only as far as the =
penultimate hop, but that leaves the last hop exposed.

So, to me it seems that if you want to run end-to-end encryption, you =
probably want to run it without PHP.

>>> When decryption at the egress LER, the TTL&TC processing of the =
first
>>> decrypted label should be a bit different with previous mechanism.=20
>>> The TTL&TC value may need to inherit from the label before MEL in
>>> uniform mode.
>>
>> Indeed. This is how tunnelling works. You think we should explain =
that?
>
> [Lizhong] Yes, it is better to mention that, or have a reference in =
the draft.

OK. Will do.

Cheers,
Adrian