Re: [netext] Stephen Farrell's Discuss on draft-ietf-netext-pmip-cp-up-separation-05: (with DISCUSS and COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 22 August 2014 23:10 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: netext@ietfa.amsl.com
Delivered-To: netext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BE0A1A070A; Fri, 22 Aug 2014 16:10:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.568
X-Spam-Level:
X-Spam-Status: No, score=-2.568 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.668] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 297La19uL_4l; Fri, 22 Aug 2014 16:10:39 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id A14CC1A6F85; Fri, 22 Aug 2014 16:10:31 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id EE9AFBE00; Sat, 23 Aug 2014 00:10:30 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k478bgpscxMP; Sat, 23 Aug 2014 00:10:28 +0100 (IST)
Received: from [10.87.48.11] (unknown [86.46.28.247]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 5C0A0BDFD; Sat, 23 Aug 2014 00:10:28 +0100 (IST)
Message-ID: <53F7CDE4.6000800@cs.tcd.ie>
Date: Sat, 23 Aug 2014 00:10:28 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: "Sri Gundavelli (sgundave)" <sgundave@cisco.com>, The IESG <iesg@ietf.org>
References: <D01D1917.15B2BF%sgundave@cisco.com>
In-Reply-To: <D01D1917.15B2BF%sgundave@cisco.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/netext/pc0kMI6ICOB7IjYTt1zbgZWb64I
Cc: "netext@ietf.org" <netext@ietf.org>, "netext-chairs@tools.ietf.org" <netext-chairs@tools.ietf.org>, "draft-ietf-netext-pmip-cp-up-separation@tools.ietf.org" <draft-ietf-netext-pmip-cp-up-separation@tools.ietf.org>
Subject: Re: [netext] Stephen Farrell's Discuss on draft-ietf-netext-pmip-cp-up-separation-05: (with DISCUSS and COMMENT)
X-BeenThere: netext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Mailing list for discusion of extensions to network mobility protocol, i.e PMIP6. " <netext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netext>, <mailto:netext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netext/>
List-Post: <mailto:netext@ietf.org>
List-Help: <mailto:netext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netext>, <mailto:netext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Aug 2014 23:10:42 -0000
On 23/08/14 00:08, Sri Gundavelli (sgundave) wrote: > Hi Stephen, > > Thanks for the review. > > >> In this case, you're not even requiring implementation. > So if say, a MAG-UP were to talk to a LMA that is both > CP and UP, then the latter node would support IPsec for > UP, if so configured, but the MAG-UP might not even > implement IPsec. > >> Does that mean that you need to a a requirement here to > make IPsec MTI for the MAG-UP and LMA-UP, so that they > can interop with non-split MAGs and LMAs? > > > Requiring IPsec implementation on both the MAG-UP and LMA-UP nodes is a fair requirement. We can certainly state that. If an operator chooses to do so they can configures IPSec policy on LMA-UP and MAG-UP for PMIP tunnel traffic protection. This will keep the spec consistent with the base RFC5213. > > The signaling between LMA-CP and MAG-CP needs to be protected by IPsec and that is a mandatory requirement in RFC5213. No change there. This specification still requires IPsec protection for control plane traffic between MAG-CP and LMA-CP. > > We will draft some text to reflect this and post it for your review. Great thanks, S. > > > > Regards > Sri > > > > On 8/22/14 3:51 PM, "Stephen Farrell" <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>> wrote: > > > Hiya, > > Sorry for the slow response... > > The indentation below is a bit messed up, I hope its clear > who's saying what. > > On 13/08/14 17:45, Sri Gundavelli (sgundave) wrote: > HI Stephen, > Please see inline. > On 8/13/14 5:21 AM, "Stephen Farrell" > <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie><mailto:stephen.farrell@cs.tcd.ie>> wrote: > Hiya, > A few follow ups... > On 09/08/14 17:54, Sri Gundavelli (sgundave) wrote: Hi Stephen, > Thanks for the review. Please see inline. On 8/7/14 5:50 AM, "Stephen > Farrell" > <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie><mailto:stephen.farrell@cs.tcd.ie>> wrote: > I have two questions. They could be easy or hard, I'm not sure:-) > Apologies in advance if I've forgotten what little I ever knew about > PMIPv6 and gotten stuff wrong here. Not at all. Thanks for the > discussion. > (1) PMIPv6 traffic between MAG and LMA is generally assumed to be > protected via IPsec, right? Assuming that's actually done, does > figure 1 here indicate a weakening of security since it shows that IP > encapsulation is used between MAG-UP and LMA-UP without any mention > of IPsec. Is that downgrading security? I get that the binding > messages are the most important and will presumably continue on the > control plane but what else changes? Yes. PMIPv6 allows the use of > IPsec security (Tunnel Mode ESP) protection > "allows"? Do you happen to know if that's really used or not in > practice? (That's not a DISCUSS point, but I do wonder.) > Security for user-plane traffic protection is used in very few > deployments. > > Ah. > > Taking the Service Provider Wi-Fi deployment as an > example, there is 802.1x security on the air interface, and then > there is typical end to end application security (even a Google > search is HTTPS protected). Now requiring security on the user plane > traffic between two points in the operator network (LMA and MAG) is > some what redundant, IMO. Use of IPsec for UP traffic protection is > optional per MIPv6/PMIPv6 specs. I'd say banking type > applications/deployments requires such multi-layer security. > > Hmm. I don't see that it makes any sense to assume IPsec is > done differently per-application. So I guess we ought assume > that IPsec isn't used for user traffic. > > Is it really used for control plane traffic do you know? > > But in a sense this spec is lowering the bar a little. > 5213 requires implementation of IPsec on the node that > carries the UP traffic, even if it doesn't require its > use. > > In this case, you're not even requiring implementation. > So if say, a MAG-UP were to talk to a LMA that is both > CP and UP, then the latter node would support IPsec for > UP, if so configured, but the MAG-UP might not even > implement IPsec. > > Does that mean that you need to a a requirement here to > make IPsec MTI for the MAG-UP and LMA-UP, so that they > can interop with non-split MAGs and LMAs? > > I'd assume that'd be easy enough and it'd clear up > that discuss point. > > for the user-plane traffic. This is optional and is based on > standard IPsec security. It requires no special interaction between > IPsec and the Proxy Mobile IPv6 entities. In the split mode (LMA ==> > LMA-CP & LMA-DP), > What's LMA-DP? That's not mentioned in the draft? I assume you mean > what the draft calls LMA-UP? (I.e. DP = data plane being the same as > UP = user plane?) > Apologies for the terminology mix up. Yes. LMA-DP (Data Plane) should > be the LMA-UP (User Plane) > the MAG (or MAG-DP) and the LMA-DP can optionally enable IPsec > security on the user-plane traffic. > Hmm. So you're saying IPsec can be on for the control plane and off > for the user plane independently? Is that a good plan? I guess it'd > be a bad plan if it were the other way around? > I'd say this is the approach in use for today's integrated LMA > (LMA-UP + LMA-CP) based deployments. IPsec security is enabled for CP > traffic by default, as it is mandated by PMIPv6 specs. However, the > IPsec security for UP is a optional requirement and most deployments > don't enable IPsec for UP traffic protection. > MAG-DP establishes a layer-3 p2p tunnel to LMA-DP and both these > peers can be configured to apply IPsec security on the tunneled > traffic. So, there is no loss of functionality here and the CP/DP > split approach is not resulting in weakened security. > Well, it might if IPsec is on for one and off for the other. > Or, if say MAG-CP and MAG-UP are from different vendors, then I don't > know how they signal to one another to turn on/off IPsec if what we > want is for IPsec to be on for both or off for both. > I'd look at IPsec as a security policy between two peers. Use of > IPsec for CP messages between two CP nodes (Ex: MAP-CP and LMA-CP) > should not have any bearing on the use/non-use of IPsec security > between two UP nodes (Ex: MAG-UP and LMA-UP). The security policy on > the two UP nodes strictly determine the use/non-use of IPsec for > tunnel traffic protection. But, if the hint is that this policy > should be controlled by the respective CP entity, I'd say yes, but > that CP to UP interface is out of scope for this work. The > controller/CP entity may have a provisioning interface to the UP > nodes and that interface may dictate this aspect, but has not > implication on this draft. > (2) How does the rest of the Internet know to use the LMA-UP for the > MN and not the LMA-CP? Sorry for being dense but I don't see how > packets from a random Internet node for the MN end up going down the > user plane. The IP address of the mobile node is topologically > anchored on the LMA-DP. > You mean LMA-UP there right? > Yes. Sorry for the terminology mix-up. >>From the point of view of Routing, the LMA-DP owns that larger IP > prefix > block from which it allocates to IP prefixes/address to individual > mobility sessions. The LMA-DP is in the path for the user-plane > traffic and is the entry point into the mobile network. However, the > LMA-CP is only terminating the control signaling from the MAG and is > not in the path for the user-plane traffic. > Is that written down somewhere? If say the LMA-UP and LMA-CP had > utterly different addresses then it couldn't work could it? > This was captured in Section 5.6.2 for IPv6 > http://tools.ietf.org/html/rfc5213#page-38 > Section 3.1.3 for IPv4 http://tools.ietf.org/html/rfc5844#page-15 > When we separate the functionality, the user plane (or the IP > address/prefixes allocated to the MN) must be anchored on the LMA-UP. > I think we missed capturing this in the spec. Thanks for pointing > this out. > OLD: > The LMA Control Plane and the LMA User Plane functions are typically > deployed on the same IP node and in such scenario the interface > between these functions is internal to the implementation. > Deployments may also choose to deploy the LMA Control Plane and the > LMA User Plane functions on seperate IP nodes. In such deployment > models, there needs to be a protocol interface between these two > functions and which is outside the scope of this document. Possible > options for such interface include OpenFlow [OpenFlow-Spec-v1.4.0 > <http://tools.ietf.org/html/draft-ietf-netext-pmip-cp-up-separation-06#ref-OpenFlow-Spec-v1.4.0>], > > FORCES [RFC5810 <http://tools.ietf.org/html/rfc5810>], use of routing > infrastructure > [I-D.matsushima-stateless-uplane-vepc > <http://tools.ietf.org/html/draft-ietf-netext-pmip-cp-up-separation-06#ref-I-D.matsushima-stateless-uplane-vepc>] > or vendor specific approaches. This specification does not mandate a > specific protocol interface and views this interface as a generic > interface relevant more broadly for many other protocol systems in > addition to Proxy Mobile IPv6. > NEW: > The LMA Control Plane and the LMA User Plane functions are typically > deployed on the same IP node and in such scenario the interface > between these functions is internal to the implementation. > Deployments may also choose to deploy the LMA Control Plane and the > LMA User Plane functions on seperate IP nodes. In such deployment > models, there needs to be a protocol interface between these two > functions and which is outside the scope of this document. Possible > options for such interface include OpenFlow [OpenFlow-Spec-v1.4.0 > <http://tools.ietf.org/html/draft-ietf-netext-pmip-cp-up-separation-06#ref-OpenFlow-Spec-v1.4.0>], > > FORCES [RFC5810 <http://tools.ietf.org/html/rfc5810>], use of routing > infrastructure > [I-D.matsushima-stateless-uplane-vepc > <http://tools.ietf.org/html/draft-ietf-netext-pmip-cp-up-separation-06#ref-I-D.matsushima-stateless-uplane-vepc>] > or vendor specific approaches. This specification does not mandate a > specific protocol interface and views this interface as a generic > interface relevant more broadly for many other protocol systems in > addition to Proxy Mobile IPv6. When the LMA Control Plane and the LMA > User Plane functions are deployed on separate IP nodes, the > requirement related to user-plane address anchoring specified in > Section 5.6.2 [RFC-5213] and Section 3.1.3 [RFC5844] must be met by > the node hosting the LMA user plane functionality. The LMA user > plane node must be topological anchor point for the IP > address/prefixes allocated to the mobile node. > > I'm not quite sure if that does sort out the issue or not, > but I'm willing to believe you and Brian if you're telling > me it does. > > So with that OLD/NEW and adding IPsec as MTI for the > *-UP nodes, I think we'd be done. > > Cheers, > S. > > ---------------------------------------------------------------------- > > COMMENT: > ---------------------------------------------------------------------- > > Did you need to say somewhere which PMIPv6 messages are to be sent in > the control plane and which in the user plane? That might be obvious > to some, but its not to me and I guess there are a bunch of PMIPv6 > extensions so I could imagine that someone somewhere might get it > wrong. > The signaling messages {IPv6 with Mobility Header, or IPv4 UDP Port > 5436) traffic is exchanged between MAG-CP and LMA-CP. There is no > implication on the use/non-use of other mobility options. > Sure. My question is: where is it written down which are signalling > messages and which are not? > PMIPv6 Signaling messages (aka control plane messages) are PBU/PBA, > BRI/BRA and UPN/UPA messages. The formats for these messages are > specified in RFC 5213, 5844, 5846, 5847, 7077. > Ex: http://tools.ietf.org/html/rfc5213#page-69 > http://tools.ietf.org/html/rfc6275#page-42 > The identification of any of these CP messages is the use of the > following selector. > 1. Any IPv4-UDP packets with UDP port 5436 2. Any IPv6 packets with > Mobility Header messages > Existing specs clearly explain this and I think its sufficiently > clear for the implementors on what traffic goes to LMA-CP and what > goes to the LMA-UP. > Regards Sri > Ta, S. > The tunneled traffic with L3 encapsulation is between MAG-DP and > LMA-DP. Regards Sri > _______________________________________________ netext mailing list > netext@ietf.org<mailto:netext@ietf.org><mailto:netext@ietf.org> > https://www.ietf.org/mailman/listinfo/netext > >
- [netext] Stephen Farrell's Discuss on draft-ietf-… Stephen Farrell
- Re: [netext] Stephen Farrell's Discuss on draft-i… Sri Gundavelli (sgundave)
- Re: [netext] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [netext] Stephen Farrell's Discuss on draft-i… Sri Gundavelli (sgundave)
- Re: [netext] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [netext] Stephen Farrell's Discuss on draft-i… Sri Gundavelli (sgundave)
- Re: [netext] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [netext] Stephen Farrell's Discuss on draft-i… Sri Gundavelli (sgundave)
- Re: [netext] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [netext] Stephen Farrell's Discuss on draft-i… Brian Haberman
- Re: [netext] Stephen Farrell's Discuss on draft-i… Sri Gundavelli (sgundave)