IETF Logo Mail Archive

Re: [pcp] fwd: I-D Action: draft-ietf-pcp-anycast-03.txt

Dave Thaler <dthaler@microsoft.com> Mon, 22 December 2014 21:01 UTC

Return-Path: <dthaler@microsoft.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BCB01A8030 for <pcp@ietfa.amsl.com>; Mon, 22 Dec 2014 13:01:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.902
X-Spam-Level:
X-Spam-Status: No, score=-101.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MmuPnCZjE_pK for <pcp@ietfa.amsl.com>; Mon, 22 Dec 2014 13:01:02 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0144.outbound.protection.outlook.com [65.55.169.144]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 037D51A7D84 for <pcp@ietf.org>; Mon, 22 Dec 2014 13:01:01 -0800 (PST)
Received: from BY2PR03MB412.namprd03.prod.outlook.com (10.141.141.25) by BY2PR03MB410.namprd03.prod.outlook.com (10.141.141.16) with Microsoft SMTP Server (TLS) id 15.1.49.12; Mon, 22 Dec 2014 21:00:59 +0000
Received: from BY2PR03MB412.namprd03.prod.outlook.com ([10.141.141.25]) by BY2PR03MB412.namprd03.prod.outlook.com ([10.141.141.25]) with mapi id 15.01.0049.002; Mon, 22 Dec 2014 21:00:59 +0000
From: Dave Thaler <dthaler@microsoft.com>
To: Sebastian Kiesel <ietf-pcp@skiesel.de>, "pcp@ietf.org" <pcp@ietf.org>
Thread-Topic: [pcp] fwd: I-D Action: draft-ietf-pcp-anycast-03.txt
Thread-Index: AQHQHgkK7b0l0wa7hEKkH0lmqrTDc5ycC60g
Date: Mon, 22 Dec 2014 21:00:59 +0000
Message-ID: <BY2PR03MB412E6CB3927B71832A91AB6A3560@BY2PR03MB412.namprd03.prod.outlook.com>
References: <20141222170107.GC6678@gw01.ehlo.wurstkaes.de>
In-Reply-To: <20141222170107.GC6678@gw01.ehlo.wurstkaes.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [98.237.193.222]
authentication-results: spf=none (sender IP is ) smtp.mailfrom=dthaler@microsoft.com;
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB410;
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB410;
x-forefront-prvs: 0433DB2766
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(189002)(199003)(2656002)(87936001)(107886001)(107046002)(106356001)(74316001)(122556002)(77096005)(68736005)(106116001)(105586002)(62966003)(2950100001)(102836002)(66066001)(20776003)(2900100001)(64706001)(77156002)(101416001)(97736003)(76576001)(46102003)(92566001)(86612001)(86362001)(31966008)(54206007)(40100003)(120916001)(33656002)(230783001)(76176999)(21056001)(54356999)(50986999)(4396001)(99286002)(54606007)(2501002)(99396003); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB410; H:BY2PR03MB412.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.onmicrosoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Dec 2014 21:00:59.3210 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB410
Archived-At: http://mailarchive.ietf.org/arch/msg/pcp/4bZdQCLZpdJV0llcQxifOmDwdno
Subject: Re: [pcp] fwd: I-D Action: draft-ietf-pcp-anycast-03.txt
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp/>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Dec 2014 21:01:04 -0000

Sebastian Kiesel writes: 
> Section 2.1 (Client behavior) was reworded once again.  We decided to
> explicitly write down in which order the addresses should be tried, and not to
> simply reference RFC 6724 (as suggested in Honolulu); first because that RFC is
> a rather long document and we need only a tiny bit and second, because RFC
> 6724 is only for IPv6 and saying that the same rules should be applied
> analogously to IPv4 seems awkward.

That is absolutely not true.  RFC 6724 applies to IPv4 as well, as its abstract
clearly states.  RFC 6724, and RFC 3484 before it, have always applied to IPv4
and have been implemented and used as such for over a decade now.

>From the Honolulu minutes:
> Dave Thaler: server selection draft references RFC 6724.  Need to confirm
>    whether that spec would already prefer on-link router address over
>    an offlink anycast address.  If so, the ordering intended is still
>    preserved.

I just confirmed that the spec, and hence existing implementations of it,
would indeed already prefer an on-link router address over an offlink
anycast address. For IPv4, it would get down to per rule 9 of section 6,
which would have the intended effect; for IPv6, it would get it from 
rule 8.

Section 1 of draft -03 states:
> PCP clients usually send PCP requests to these addresses if
> no other PCP server addresses are known or after communication
> attempts to such other addresses have failed.

Citing 6724 would give that.

Section 2.1:
> 2.  for each supported address family, the PCP client creates an
>       ordered list, which contains the respective default router
>       address followed by the PCP anycast address (see Sections 4.1 and
>       4.2 for the IPv4 and IPv6 PCP anycast addresses, respectively).
>       These lists are used for requesting mappings for the respective
>       address family, following the rules for timeouts and
>       retransmissions in [I-D.ietf-pcp-server-selection].

The above text is broken in that it falsely assumes there's only one
default router (singular) per address family.  There isn't.  There 
can be multiple interfaces, and multiple default router addresses
per interface.  The text in RFC 6887 is much better in this respect
by using the term "the default router list (for IPv4 and IPv6)".
Second, it falsely implies that server-selection talks about a separate
list per address family.  It doesn't.  There's one list, where not all
addresses apply in all cases.  Again RFC 6887's text is much better.

Instead it should just say that the anycast addresses are to be
treated as additional addresses at the end of the default router list
mentioned in RFC 6887, and refer to server-selection.
No text is then needed to "replace" the text in RFC 6887, as
the text in RFC 6887 then becomes correct.

Section 1:
> it cannot provide timely information which CGN to interact with.

s/which/on which/

Section 4.1 (and similarly in 4.2):
> Typically used within a network operator's network domain, but in
> principle globally routable.

It wouldn't be globally routable in practice today because of prefix
length constraints in practice.   So either remove that phrase or
augment "in principle" with something like "(if a /32 route were
allowed in the default-free zone)".  My preference would be 
to simply remove that phrase since section 5.1 already says
"In the default-free zone, routers should be configured to drop such packets."

Section 5.1:	
Since IPsec could in principle be used to secure communication
with unicast PCP server addresses, it seems odd (though RFC 6887
is just as odd in that sense) to not mention whether IPsec
can work or not with the anycast server addresses and what the
operational problems with trying it would be.  I believe that
in theory it could work if the same keying material is used by
all PCP servers with the same anycast address, but if
there is a route change causing updates to go to a different PCP
server, then the negotiated IPsec session state would not be
present (I suspect IPsec would renegotiate and recover but
someone more familiar with IPsec details should say).
The other, perhaps bigger, operational problem is that the
anycast address is the same in every network, but the PCP
servers' keying information would be different in different
networks, and so it may or may not be possible (again, I 
would need an IPsec expert to say for sure) to configure clients
with per-network IPsec security info.   Of course, this
could all be avoided by using pcp-auth _instead of_ IPsec,
but the doc should at least say so.  (It does at least mention
pcp-auth which is good.)

-Dave

v2.23.0 | Report a Bug | By Email