Re: [savi] AD review of draft-ietf-savi-fcfs

Alberto García <alberto@it.uc3m.es> Fri, 14 October 2011 15:26 UTC

From: Alberto García <alberto@it.uc3m.es>
To: 'Jean-Michel Combes' <jeanmichel.combes@gmail.com>, 'marcelo bagnulo braun' <marcelo@it.uc3m.es>
Date: Fri, 14 Oct 2011 17:26:13 +0200
Cc: draft-ietf-savi-fcfs@tools.ietf.org, 'SAVI Mailing List' <savi@ietf.org>
Subject: Re: [savi] AD review of draft-ietf-savi-fcfs

Hi

|  -----Original Message-----
|  From: savi-bounces@ietf.org [mailto:savi-bounces@ietf.org] On Behalf Of
|  Jean-Michel Combes
|  Sent: Thursday, 13 October 2011 17:57
|  To: marcelo bagnulo braun
|  Cc: draft-ietf-savi-fcfs@tools.ietf.org; SAVI Mailing List
|  Subject: Re: [savi] AD review of draft-ietf-savi-fcfs
|  
|  Sorry, in fact, proxy SEND checks validity of SENDized ND exchanges
|  (draft-ietf-csi-proxy-send-05, section 5.2.1, 1.B). So, proxy SEND could
|  be used but:
|  - proxy SEND requires hosts, in the network, are compliant with proxy SEND

Yes. We should assume the following scenario (scenario #1): a link in which
all receivers are capable of processing proxy SEND messages (aka 'SPND
nodes'), and nodes either generate SEND or Proxy SEND messages.

|  - proxy SEND is not "transparent" and so SAVI device will lose its
|  "invisibility" feature

I don't understand this. 
Maybe you are thinking about a different deployment scenario to the one I
commented above, an alternative way of 'mixing' SAVI and proxy SEND, in
which SAVI devices would act as Proxy SEND devices for non-SEND nodes
(scenario #2). 
I think this is a bad idea, because it provides without reason the same
confidence to SEND and non-SEND devices, and I'm sure that this is not what
we want to do. In the examples shown in the Proxy SEND draft, there is a
strong security link between the Proxy SEND device and the proxied nodes.


|  - proxy SEND requires many actions (certificate management, IP packet
|  modification, etc) and I am not sure that SAVI device will be able to do
|  this as in common use cases the SAVI device is a L2 device.

In scenario #1, SAVI devices only validate Proxy SEND messages. They only
need to have the same capabilities as SPND nodes. So these features you
comment are not needed.
I think adding proxy SEND validation to SEND SAVI would be quite simple, and
without much trouble.

Makes sense?
If the answer is 'yes', then 
- I could add some comment on Proxy SEND in the SEND SAVI document
- A line in the fcfs-savi document such as the current 'So, when SEND is
deployed, it is recommended to use SEND SAVI' (or could be also this
alternative text 'So, when SEND or Proxy SEND is deployed, it is recommended
to use SEND SAVI') sounds ok to me.

Regards,
Alberto

|  - proxy SEND would need an API with FCFS SAVI
|  
|  Best regards.
|  
|  JMC.
|  
|  2011/10/13 Jean-Michel Combes <jeanmichel.combes@gmail.com>:
|  > Hi,
|  >
|  > 2011/10/13 marcelo bagnulo braun <marcelo@it.uc3m.es>:
|  >> Hi Jari,
|  >>
|  >> Please find the replies below marked with MB>
|  >>
|  >>
|  >> On 04/05/11 20:41, Jari Arkko wrote:
|  >>>
|  >
|  > [snip]
|  >
|  >>
|  >>>> So, when SEND is deployed, it is recommended to use SEND SAVI
|  >>>> [I-D.ietf-savi-send
|  >>>> <http://tools.ietf.org/html/draft-ietf-savi-fcfs-09#ref-I-D.ietf-savi-send>]
|  >>>> rather than FCFS SAVI."
|  >>>
|  >>> Is there some reason why proxy SEND cannot be employed here?
|  >>>
|  >>
|  >> MB> I will let Alberto to reply this one.
|  >
|  > This text comes from my review as shepherd of this document.
|  >
|  > As proxy SEND doesn't permit to check the validity of SENDized ND
|  > exchanges, IMHO, proxy SEND cannot be used easily.
|  >
|  > Best regards.
|  >
|  > JMC.
|  >
|  >>
|  >> Regards, marcelo
|  >>
|  >>
|  >>> Jari
|  >>>
|  >>>
|  >>
|  >>
|  >> _______________________________________________
|  >> savi mailing list
|  >> savi@ietf.org
|  >> https://www.ietf.org/mailman/listinfo/savi
|  >>
|  >