Re: [pcp] fwd: I-D Action: draft-ietf-pcp-anycast-03.txt
Dave Thaler <dthaler@microsoft.com> Mon, 22 December 2014 21:01 UTC
Return-Path: <dthaler@microsoft.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BCB01A8030 for <pcp@ietfa.amsl.com>; Mon, 22 Dec 2014 13:01:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.902
X-Spam-Level:
X-Spam-Status: No, score=-101.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MmuPnCZjE_pK for <pcp@ietfa.amsl.com>; Mon, 22 Dec 2014 13:01:02 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0144.outbound.protection.outlook.com [65.55.169.144]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 037D51A7D84 for <pcp@ietf.org>; Mon, 22 Dec 2014 13:01:01 -0800 (PST)
Received: from BY2PR03MB412.namprd03.prod.outlook.com (10.141.141.25) by BY2PR03MB410.namprd03.prod.outlook.com (10.141.141.16) with Microsoft SMTP Server (TLS) id 15.1.49.12; Mon, 22 Dec 2014 21:00:59 +0000
Received: from BY2PR03MB412.namprd03.prod.outlook.com ([10.141.141.25]) by BY2PR03MB412.namprd03.prod.outlook.com ([10.141.141.25]) with mapi id 15.01.0049.002; Mon, 22 Dec 2014 21:00:59 +0000
From: Dave Thaler <dthaler@microsoft.com>
To: Sebastian Kiesel <ietf-pcp@skiesel.de>, "pcp@ietf.org" <pcp@ietf.org>
Thread-Topic: [pcp] fwd: I-D Action: draft-ietf-pcp-anycast-03.txt
Thread-Index: AQHQHgkK7b0l0wa7hEKkH0lmqrTDc5ycC60g
Date: Mon, 22 Dec 2014 21:00:59 +0000
Message-ID: <BY2PR03MB412E6CB3927B71832A91AB6A3560@BY2PR03MB412.namprd03.prod.outlook.com>
References: <20141222170107.GC6678@gw01.ehlo.wurstkaes.de>
In-Reply-To: <20141222170107.GC6678@gw01.ehlo.wurstkaes.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [98.237.193.222]
authentication-results: spf=none (sender IP is ) smtp.mailfrom=dthaler@microsoft.com;
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB410;
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB410;
x-forefront-prvs: 0433DB2766
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(189002)(199003)(2656002)(87936001)(107886001)(107046002)(106356001)(74316001)(122556002)(77096005)(68736005)(106116001)(105586002)(62966003)(2950100001)(102836002)(66066001)(20776003)(2900100001)(64706001)(77156002)(101416001)(97736003)(76576001)(46102003)(92566001)(86612001)(86362001)(31966008)(54206007)(40100003)(120916001)(33656002)(230783001)(76176999)(21056001)(54356999)(50986999)(4396001)(99286002)(54606007)(2501002)(99396003); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB410; H:BY2PR03MB412.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.onmicrosoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Dec 2014 21:00:59.3210 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB410
Archived-At: http://mailarchive.ietf.org/arch/msg/pcp/4bZdQCLZpdJV0llcQxifOmDwdno
Subject: Re: [pcp] fwd: I-D Action: draft-ietf-pcp-anycast-03.txt
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp/>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Dec 2014 21:01:04 -0000
Sebastian Kiesel writes: > Section 2.1 (Client behavior) was reworded once again. We decided to > explicitly write down in which order the addresses should be tried, and not to > simply reference RFC 6724 (as suggested in Honolulu); first because that RFC is > a rather long document and we need only a tiny bit and second, because RFC > 6724 is only for IPv6 and saying that the same rules should be applied > analogously to IPv4 seems awkward. That is absolutely not true. RFC 6724 applies to IPv4 as well, as its abstract clearly states. RFC 6724, and RFC 3484 before it, have always applied to IPv4 and have been implemented and used as such for over a decade now. >From the Honolulu minutes: > Dave Thaler: server selection draft references RFC 6724. Need to confirm > whether that spec would already prefer on-link router address over > an offlink anycast address. If so, the ordering intended is still > preserved. I just confirmed that the spec, and hence existing implementations of it, would indeed already prefer an on-link router address over an offlink anycast address. For IPv4, it would get down to per rule 9 of section 6, which would have the intended effect; for IPv6, it would get it from rule 8. Section 1 of draft -03 states: > PCP clients usually send PCP requests to these addresses if > no other PCP server addresses are known or after communication > attempts to such other addresses have failed. Citing 6724 would give that. Section 2.1: > 2. for each supported address family, the PCP client creates an > ordered list, which contains the respective default router > address followed by the PCP anycast address (see Sections 4.1 and > 4.2 for the IPv4 and IPv6 PCP anycast addresses, respectively). > These lists are used for requesting mappings for the respective > address family, following the rules for timeouts and > retransmissions in [I-D.ietf-pcp-server-selection]. The above text is broken in that it falsely assumes there's only one default router (singular) per address family. There isn't. There can be multiple interfaces, and multiple default router addresses per interface. The text in RFC 6887 is much better in this respect by using the term "the default router list (for IPv4 and IPv6)". Second, it falsely implies that server-selection talks about a separate list per address family. It doesn't. There's one list, where not all addresses apply in all cases. Again RFC 6887's text is much better. Instead it should just say that the anycast addresses are to be treated as additional addresses at the end of the default router list mentioned in RFC 6887, and refer to server-selection. No text is then needed to "replace" the text in RFC 6887, as the text in RFC 6887 then becomes correct. Section 1: > it cannot provide timely information which CGN to interact with. s/which/on which/ Section 4.1 (and similarly in 4.2): > Typically used within a network operator's network domain, but in > principle globally routable. It wouldn't be globally routable in practice today because of prefix length constraints in practice. So either remove that phrase or augment "in principle" with something like "(if a /32 route were allowed in the default-free zone)". My preference would be to simply remove that phrase since section 5.1 already says "In the default-free zone, routers should be configured to drop such packets." Section 5.1: Since IPsec could in principle be used to secure communication with unicast PCP server addresses, it seems odd (though RFC 6887 is just as odd in that sense) to not mention whether IPsec can work or not with the anycast server addresses and what the operational problems with trying it would be. I believe that in theory it could work if the same keying material is used by all PCP servers with the same anycast address, but if there is a route change causing updates to go to a different PCP server, then the negotiated IPsec session state would not be present (I suspect IPsec would renegotiate and recover but someone more familiar with IPsec details should say). The other, perhaps bigger, operational problem is that the anycast address is the same in every network, but the PCP servers' keying information would be different in different networks, and so it may or may not be possible (again, I would need an IPsec expert to say for sure) to configure clients with per-network IPsec security info. Of course, this could all be avoided by using pcp-auth _instead of_ IPsec, but the doc should at least say so. (It does at least mention pcp-auth which is good.) -Dave
- [pcp] fwd: I-D Action: draft-ietf-pcp-anycast-03.… Sebastian Kiesel
- Re: [pcp] fwd: I-D Action: draft-ietf-pcp-anycast… Dave Thaler
- Re: [pcp] fwd: I-D Action: draft-ietf-pcp-anycast… Sebastian Kiesel