Re: [RTG-DIR] [L2tpext] RTG-DIR review: draft-ietf-l2tpext-keyed-ipv6-tunnel-05

"Carlos Pignataro (cpignata)" <cpignata@cisco.com> Wed, 18 November 2015 16:56 UTC

Return-Path: <cpignata@cisco.com>
X-Original-To: rtg-dir@ietfa.amsl.com
Delivered-To: rtg-dir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D922F1A8863; Wed, 18 Nov 2015 08:56:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -12.185
X-Spam-Level:
X-Spam-Status: No, score=-12.185 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, J_CHICKENPOX_82=0.6, MANGLED_MEDS=2.3, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G25yBWSeY1Ip; Wed, 18 Nov 2015 08:55:59 -0800 (PST)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A01B1A87B2; Wed, 18 Nov 2015 08:55:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=71908; q=dns/txt; s=iport; t=1447865758; x=1449075358; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=l8kFD4d4R8/9JER8jrep1uEhCDHqFln25y2g36nJFOo=; b=as5utg54frnleBuLP5IZcVRlcRZV5DM5JX7c3gQnAxK/ihlERNb7nWRu wv0ii4CFl7HW8S+oRlkUx2wtllkljOFtK57eucy9fIwmK7ct6Eg7jSb5M ktp+L8EHhhm6ogISSIm48b5fLI/8Ix7uFHX6b3fF/ljCmE3rRSOeG4iXU g=;
X-Files: signature.asc : 841
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DSAgD7rExW/4cNJK1UCoJuTVNhDga+Tg6BYgMXAQuFIkoCgU44FAEBAQEBAQGBCoQ0AQEBAwEBAQEXCUgCAQsFCQICAQgUBCABBgMCAhYRCxQRAgQBDQUOC4gNCA2uapBGAQEBAQEBAQEBAQEBAQEBAQEBAQEBDwkEhlCCEIJuhCoGCwE/DAGCbS+BFQWHQYcNhASDeAGCVoFgaoJxhRmBW0mDd4Mld5INAREOAUOCER2BVnIBg0o6gQcBAQE
X-IronPort-AV: E=Sophos;i="5.20,313,1444694400"; d="asc'?scan'208,217";a="209547522"
Received: from alln-core-2.cisco.com ([173.36.13.135]) by alln-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 18 Nov 2015 16:55:54 +0000
Received: from XCH-RTP-020.cisco.com (xch-rtp-020.cisco.com [64.101.220.160]) by alln-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id tAIGtrSI026437 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 18 Nov 2015 16:55:54 GMT
Received: from xch-rtp-020.cisco.com (64.101.220.160) by XCH-RTP-020.cisco.com (64.101.220.160) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Wed, 18 Nov 2015 11:55:52 -0500
Received: from xch-rtp-020.cisco.com ([64.101.220.160]) by XCH-RTP-020.cisco.com ([64.101.220.160]) with mapi id 15.00.1104.000; Wed, 18 Nov 2015 11:55:52 -0500
From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>, Maciek Konstantynowicz <maciek@cisco.com>, "Giles Heron (giheron)" <giheron@cisco.com>, Rainer Schatzmayr <rainer.schatzmayr@telekom.de>, Wim Henderickx <wim.henderickx@alcatel-lucent.com>
Thread-Topic: [L2tpext] RTG-DIR review: draft-ietf-l2tpext-keyed-ipv6-tunnel-05
Thread-Index: AQHRIiH7I2yQqDdPbUqQoys3rglGcw==
Date: Wed, 18 Nov 2015 16:55:52 +0000
Message-ID: <743196D6-DD0E-44C7-916B-E70824FE2A15@cisco.com>
References: <DB3PR03MB07802A1F72B4B0E8459E60779D590@DB3PR03MB0780.eurprd03.prod.outlook.com> <8FEFEEB2-0AC5-4C81-9727-AB9D49DB1913@cisco.com>
In-Reply-To: <8FEFEEB2-0AC5-4C81-9727-AB9D49DB1913@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.117.115.60]
Content-Type: multipart/signed; boundary="Apple-Mail=_CB6579AE-DF29-4212-8ECB-2D29E03BC4F2"; protocol="application/pgp-signature"; micalg="pgp-sha256"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtg-dir/7dASmVOWET7G6xrhSTwJpMFnubY>
Cc: "rtg-dir@ietf.org" <rtg-dir@ietf.org>, Alexander Vainshtein <Alexander.Vainshtein@ecitele.com>, "draft-ietf-l2tpext-keyed-ipv6-tunnel.all@tools.ietf.org" <draft-ietf-l2tpext-keyed-ipv6-tunnel.all@tools.ietf.org>, "rtg-ads@ietf.org" <rtg-ads@ietf.org>, "l2tpext-chairs@ietf.org" <l2tpext-chairs@ietf.org>, "Mark Townsley (townsley)" <townsley@cisco.com>, "Stewart Bryant (stbryant)" <stbryant@cisco.com>
Subject: Re: [RTG-DIR] [L2tpext] RTG-DIR review: draft-ietf-l2tpext-keyed-ipv6-tunnel-05
X-BeenThere: rtg-dir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Routing Area Directorate <rtg-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-dir/>
List-Post: <mailto:rtg-dir@ietf.org>
List-Help: <mailto:rtg-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2015 16:56:05 -0000

Authors,

We have now 68 days of silent wait. Can you please answer the RTG-Directorate review comments below???

Thanks,

— Carlos.

> On Oct 15, 2015, at 3:21 PM, Carlos Pignataro (cpignata) <cpignata@cisco.com> wrote:
> 
> Deborah, Authors of draft-ietf-l2tpext-keyed-ipv6-tunnel,
> 
> Following up on this email — who has the token on the next step?
> 
> Authors, should you answer Sasha’s review?
> 
> Thanks,
> 
> — Carlos.
> 
> 
>> On Sep 18, 2015, at 1:34 PM, Alexander.Vainshtein@ecitele.com <mailto:Alexander.Vainshtein@ecitele.com> wrote:
>> 
>> Hello,
>> I have been selected as the Routing Directorate reviewer for this draft. The Routing Directorate seeks to review all routing or routing-related drafts as they pass through IETF last call and IESG review, and sometimes on special request. The purpose of the review is to provide assistance to the Routing ADs. For more information about the Routing Directorate, please see ​http://trac.tools.ietf.org/area/rtg/trac/wiki/RtgDir <http://trac.tools.ietf.org/area/rtg/trac/wiki/RtgDir>
>> Although these comments are primarily for the use of the Routing ADs, it would be helpful if you could consider them along with any other IETF Last Call comments that you receive, and strive to resolve them through discussion or by updating the draft.
>> 
>> Document: draft-ietf-l2tpext-keyed-ipv6-tunnel-05txt
>> Reviewer: Alexander (“Sasha”) Vainshtein
>> Review Date: 18-Sep-15
>> IETF LC End Date: Not Known
>> Intended Status: Proposed Standard
>> 
>> Caveat:
>> I am not an IPv6 expert and this can be the reason for some of my concerns about the draft.
>> My experience with L2TPv3 is also outdated. So I’d like to ask the Routing ADs to take my comments with a big grain of salt.
>> 
>> Summary:
>> I have one significant concern about this document and recommend that the Routing ADs discuss these issues further with the authors. I also have several minor concerns about the document that I think should be resolved before publication, and I have find a couple of nits.
>> 
>> Comments:
>> As I see it, the draft is built around three key ideas:
>> 1.      IPv6 addresses, due to their unlimited availability, can be used to identify attachment circuits (or VSI forwarders)  of L2TPv3 sessions (and not just tunnel endpoints as in RFC 3931).
>> 2.      With IPv6 addresses used for identifying L2 circuits or VSI) to be connected by L2TPv3 PWs, L2TPv3 Session ID processing in the data plane can be bypassed. I can guess that this really simplifies data plane handling and that this was the prime driver for the technology the draft defines, but this is just a guess.
>> 3.      L2TPv3 sessions identified by IPv6 addresses can be used to provide operator-managed services that neither need nor use L2TPv3 control plane. The control plane functionality is moved to an external management entity that can access both endpoints of the service, sets the service up and continuously intervenes in its operation until it tears down the service.
>> 
>> The term “keyed IPv6 tunnel” refers to an L2TPv3 session that bypasses Session ID processing and relies on IPv6 addresses of its endpoints. Depending on the nature of emulated Ethernet service, these IPv6 addresses are used to identify either L2 attachment circuits for P2P services or Virtual Switching Instances (VSI) for MP2MP services.
>> 
>> Since L2TPv3 control plane is by design left out of scope of the draft, it mainly deals with the data plane. Additional information about the management plane aspects can be found in the YANG Data Model <https://datatracker.ietf.org/doc/draft-ietf-l2tpext-keyed-v6-tunnel-yang/?include_text=1> draft.
>> 
>> The draft is not easy to read and understand (at least to me), mainly because pieces of important information are often distributed throughout the text. One example illustrating this complaint:
>> ·         The first sentence in Section 2 states that “Static local configuration creates a one-to-one mapping between the  access-side L2 attachment circuit and the IP address used in the network-side IPv6 encapsulation.  The L2TPv3 Control Plane defined in RFC3931 is not used”. This suggests(at least to me) that the management plane is involved just in setting up and tearing down a keyed IPv6 tunnel – similar to how static PWs over MPLS PSN are operated.
>> 
>> ·         The catch comes with the last sentence of Section 3: “Cookie values SHOULD be changed periodically” thus indicating that continuous intervention of the management entity is expected for the entire life cycle of the service – something that strongly smells of Lifecycle Service Orchestration (LSO) to me, even if the term is never mentioned.
>> 
>> In the process of preparing this review I have sent my comments to the authors, to Carlos (the draft shepherd) and to Mark (who is listed as a contributing author). I have received very useful feedback  from them that has helped me to understand both the draft and the nature of our disagreements.  I would like to thank Giles, Rayner, Carlos and Mark for a very useful discussion, even if we did not reach an agreement on some of the points yet.
>> 
>> Major Issue:
>> Specification of encapsulation of Ethernet frames in Section 4 of the draft is incomplete and, to some extent, contradictory:
>> 1.      L2TPv3 L2-specific sublayer  defined in RFC 3931 is not mentioned anywhere in the text.
>> 2.      As the draft borrows encapsulation of Ethernet frames from RFC 4719, one could expect that its usage is OPTIONAL (same as in RFC 4719)
>> 3.      On the other hand, L2-specific sublayer does not appear in the diagram depicting the encapsulation on page 5, so one could easily assume that it cannot be used with keyed IPv6 tunnels
>> 
>> 4.      To add to this confusion, the draft mentions ability to use VCCV in a keyed IPv6 tunnel (Section 6, last para), and references RFC 5085. But this RFC, in Section 6.1 states that “In order to carry VCCV messages within an L2TPv3 session data packet, the PW MUST be established such that an L2-Specific Sublayer (L2SS) that defines the V-bit is present”
>> 
>> From my POV the authors must clearly and unequivocally specify whether L2-specific sublayer can or cannot be used in keyed IPv6 tunnels. If they decide that it cannot be used, the references to VCCV must be removed from the draft.
>> 
>> I believe that this gap is acknowledged by the document shepherd and by one of the authors.
>> 
>>                Minor Issues:
>> 
>> 1.      The draft does not explain the motivation for replacing the mechanism defined in RFC 4791 (which, AFAIK, was supposed to work equally well over IPv4 and IPv6). I can guess that bypassing processing of Session ID  simplifies the data plane processing, but this is just my guess. Some text explaining the benefits of keyed IPv6 tunnels in comparison with RFC 4719 would be most helpful IMO.
>> 2.      To the best of my understanding, the technology defined in the draft heavily depends on availability of an external management entity that not only sets up and tears down the service (as is common with services that uses statically configured PWs, say, in MPLS-TP), but also intervenes in the operation of the service during its entire life cycle. However, the authors do not spell out their expectations from such an entity, the only exception being the need to periodically change the cookie values in a coordinated manner. I do not expect the draft to provide a detailed specification of such an entity, but I think that both the implementers and operators planning to deploy this technology would benefit from some additional information. In particular, the following aspects of behavior of the service that uses keyed IPv6 tunnels could be of special interest:
>> a.       What happens to a P2P service that uses a keyed IPv6 tunnel to connect two Ethernet L2 circuits if failure of one of these circuits is detected (e.g., using Ethernet service CFM  between the Down MEP at the tunnel endpoint and a matching MEP in the CE as defined in Section 6, the first bullet on page 8)? Is transmission across the IPv6 PSN at the other endpoint expected to be throttled by the management entity?
>> b.      The possibility to use an anycast address for identification of a keyed IPv6 tunnel endpoint is mentioned twice in the draft - in Section 2, 3rd para and in Section 4, first bullet on page 6. What happens if an anycast address assigned to one of the endpoints of a keyed IPv6 tunnel moves across the network? Is the management entity expected to handle these transitions, say, by de-activating the former endpoint associated with an anycast address and activating the new one?
>> c.       Is the management entity expected to emulate the PW redundancy mechanisms (defined in RFC 67180 and RFC 6870 for PWs over an MPLS PSN and in RFC 5641 for the PWs using L2TPv3? It should be noted that, in the case of MPLS PWs, PW redundancy switchover does not require involvement of a management entity even for statically configured PWs. Instead, static PW status messages (RFC 6478) are used
>> d.      The draft mentions the possibility to use keyed IPv6 tunnels to connect VSI participating in an MP2MP Ethernet service (even if the term VSI is never used). To me this implies that local FIB in each of the VSI connected over keyed IPv6 tunnels would use MAC learning to populate its local FIB. In order to speed up convergence of such services following various external events, RFC 4672 introduces a dedicated mechanism for MAC withdrawal, and the PALS WG currently holds a WG item extending this functionality for VPLS services that use static PWs. Is the management entity expected to provide similar functionality as well? (It should be noted that MAC withdrawal mechanisms have been defined as OPTIONAL in RFC 4762, but, AFAIK, they are widely implemented and deployed in the field).
>> 3.      The draft mentions (in many places) that it expects consistent configuration of the endpoints of a keyed IPv6 tunnel. However, the draft (probably following a similar omission in RFC 4719) never mentions whether the management entity should prevent setting up a keyed IPv6 tunnel between a pair of endpoints with different MTU of L2 circuits. (This is a clear-cut requirement in RFC 4448 for Ethernet PWs over an MPLS PSN, and a parallel requirement for PWs over L2TPv3 can be found in RFC 4667).  A short statement and a reference to RFC 4667 (missing in RFC 4719) would suffice IMO,
>> 4.      As mentioned before, the draft de-facto assigns IPv6 addresses to access-side L2 circuits that are not IP interfaces (the draft uses the term “mapping”, but I do not see any difference). The draft RECOMMENDS (in para 2 of Section 2) that “local IPv6 addresses identifying L2TPv3 tunnels are assigned from  dedicated subnets used only for such tunnel endpoints”. From my POV this requirement is vague and the readers could benefit from clarification of associated issues. Again, I do not expect a detailed specification, but I would like to see the some answers to the following naïve questions:
>> a.       Is  an IPv6 address identifying an endpoint of a keyed IPv6 tunnel that is associated with a L2 circuit expected to remain reachable if the L2 circuit to which it is associated fails?
>> b.      Are addresses (or subnets) used for identification of endpoints of keyed IPv6 tunnels expected to be exposed beyond the boundaries of the management domain controlled by the above-mentioned management entity? Could they appear in the public Internet routing tables?
>> 5.      The draft says (Section 2, 3rd para) that “Certain deployment scenarios may require using a single IPv6 address (typically a globally routable unicast or anycast address assigned to a virtual interface) to identify a tunnel endpoint for multiple IPv6 L2TPv3 tunnels.  For such cases the tunnel encapsulating device  identifies each tunnel by a unique combination of local and remote    IPv6 addresses”. From my POV the readers would benefit from the following clarifications:
>> a.       What exactly “a globally routable address” means in this context?
>> b.      How, from the point of view of network reachability, are IPv6 addresses used in this scenario different from IPv6 addresses used to identify L2 circuits in other deployment scenarios?
>> c.       Since the text mentions identification of the tunnel by an “encapsulation device”, how is the tunnel identified by the decapsulating device? At least from the POV of MAC learning in the case of keyed IPv6 tunnels connecting VSI, identification of the tunnel by the decapsulating device seems more relevant to me
>> d.      How should the device  know whether a specific keyed IPv6 tunnel can be identified by just one IPv6 address or by a “a unique combination of local and remote    IPv6 addresses”?
>> 6.      As I have mentioned above, some details pertaining to the management functionality associated with keyed IPv6 tunnels are defined in another L2TPEXT WG draft, but this draft is not mentioned in the draft I am reviewing.  I think that an Informative reference to this draft would be very much in place in this one.
>> 7.      I wonder whether an Informative reference to a long (13-Jan-1999 according to the Datatracker) expired draft <https://datatracker.ietf.org/doc/draft-ietf-pppext-l2tphc/> of a concluded WG in the last sentence on page 3 has any value for the reader. If the ideas of this draft have found their way to some RFC, it should be used as a reference instead; otherwise I believe that this reference cold be safely removed.
>> 
>> Some of the issues I have raised could be addressed in a suitable Applicability Statement section, but there are clearly other ways to handle them.
>> 
>> Nits:
>> I (or, rather, my spellchecker) has found two typos:
>> ·         Section 2, para 2: s/endponts/endpoints/
>> ·         Section 5, para 3 on page 7:  s/Fragmention/Fragmentation/
>> 
>> Regards,
>> Sasha
>> 
>> Office: +972-39266302
>> Cell:      +972-549266302
>> Email:   Alexander.Vainshtein@ecitele.com <mailto:Alexander.Vainshtein@ecitele.com>
>> 
>> _______________________________________________
>> L2tpext mailing list
>> L2tpext@ietf.org <mailto:L2tpext@ietf.org>
>> https://www.ietf.org/mailman/listinfo/l2tpext <https://www.ietf.org/mailman/listinfo/l2tpext>
> _______________________________________________
> L2tpext mailing list
> L2tpext@ietf.org
> https://www.ietf.org/mailman/listinfo/l2tpext