Re: [secdir] secdir review of draft-ietf-pwe3-redundancy-06
"Bocci, Matthew (Matthew)" <matthew.bocci@alcatel-lucent.com> Mon, 16 April 2012 16:27 UTC
Return-Path: <matthew.bocci@alcatel-lucent.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B760311E809D; Mon, 16 Apr 2012 09:27:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -108.223
X-Spam-Level:
X-Spam-Status: No, score=-108.223 tagged_above=-999 required=5 tests=[AWL=0.274, BAYES_00=-2.599, HELO_EQ_FR=0.35, MIME_BASE64_TEXT=1.753, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hRIyfkpggyNR; Mon, 16 Apr 2012 09:27:36 -0700 (PDT)
Received: from smail6.alcatel.fr (smail6.alcatel.fr [64.208.49.42]) by ietfa.amsl.com (Postfix) with ESMTP id C899621F85EF; Mon, 16 Apr 2012 09:27:35 -0700 (PDT)
Received: from FRMRSSXCHHUB02.dc-m.alcatel-lucent.com (FRMRSSXCHHUB02.dc-m.alcatel-lucent.com [135.120.45.62]) by smail6.alcatel.fr (8.14.3/8.14.3/ICT) with ESMTP id q3GGRXGb022084 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Mon, 16 Apr 2012 18:27:33 +0200
Received: from FRMRSSXCHMBSA3.dc-m.alcatel-lucent.com ([135.120.45.34]) by FRMRSSXCHHUB02.dc-m.alcatel-lucent.com ([135.120.45.62]) with mapi; Mon, 16 Apr 2012 18:27:33 +0200
From: "Bocci, Matthew (Matthew)" <matthew.bocci@alcatel-lucent.com>
To: Radia Perlman <radiaperlman@gmail.com>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-pwe3-redundancy.all@tools.ietf.org" <draft-ietf-pwe3-redundancy.all@tools.ietf.org>
Date: Mon, 16 Apr 2012 18:27:31 +0200
Thread-Topic: secdir review of draft-ietf-pwe3-redundancy-06
Thread-Index: Ac0b7dMsg1U1ugp0RQC+KHqxcpU9kA==
Message-ID: <CBB2006D.291FE%matthew.bocci@alcatel-lucent.com>
In-Reply-To: <CAFOuuo5TLJpkwrej_J06mKTH2Y70yF-rvYDn2x06QQJFmCpA6g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.14.0.111121
acceptlanguage: en-US
Content-Type: text/plain; charset="euc-kr"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.69 on 155.132.188.84
X-Mailman-Approved-At: Mon, 16 Apr 2012 10:00:46 -0700
Subject: Re: [secdir] secdir review of draft-ietf-pwe3-redundancy-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Apr 2012 16:27:36 -0000
Radia, Many thanks for your review. Please see below for some comments and proposed amendments to the draft. Best regards, Matthew On 19/03/2012 22:22, "Radia Perlman" <radiaperlman@gmail.com> wrote: >I have reviewed this document as part of the security directorate's >ongoing effort to review all IETF documents being processed by the >IESG. These comments were written primarily for the benefit of the >security area directors. Document editors and WG chairs should treat >these comments just like any other last call comments. > >This is a requirements document (intended as informational) for a >routing protocol. > > > >At this level of abstraction, I don¹t think there are any interesting >security issues. There are some messages in the protocol that need to >be communicated securely, and the security considerations section >references some other RFCs and says the new messages will ³inherit at >least the same security properties² as the messages in those other >RFCs. I didn¹t look up what kind of protection existed there. > > > >The interesting routing protocol issue has to do with nesting of >routing algorithms and the needed multipliers in timeouts. It would >appear that pseudo-wires run over a conventional routed infrastructure >and also connect parts of a conventional routed infrastructure. The >spec assumes that failures within the inner routed infrastructure will >heal themselves quickly enough to not be noticed by the pwe3 redundancy >protocol (if they are capable of healing at all), and that pseudo-wire >failover (triggered by this inner failure) will happen quickly enough >to not disrupt the routing protocol that is running over the >pseudo-wires. > > > >But that requirement is not explicitly acknowledged in the document, >and it intuitively seems like a significant challenge. MB> Multi-layer resiliency mechanisms, where protection is provided at multiple nested levels are fairly common in provider networks, but there is indeed an assumption that lower layer protection mechanisms react and restore more rapidly than those in the next higher layer. I agree that this implicit assumption is worth acknowledging in the draft, and propose modifying the 2nd paragraph in the introduction as follows: "In single-segment PW (SS-PW) applications, protection for the PW is provided by the PSN layer. This may be a Resource Reservation Protocol with Traffic Engineering (RSVP-TE) labeled switched path (LSP) with a fast-Reroute (FRR) backup or an end-to-end backup LSP. It is assumed that these mechanisms can restore PSN connectivity rapidly enough to avoid triggering protection by PW redundancy." Regarding your second point about an assumption that PW redundancy will switch over quickly enough that any routing protocols running over the emulated service provided by the PW don't notice, I am not sure that that assumption is always correct. It is certainly possible to engineer PW redundancy to achieve this, but there are mechanisms that it relies on (e.g. Native service dual-homing protocols running on the ACs) that are outside the scope of the work in PWE3 that we can't really set a performance objective for in this document. Further, PWs provide a 'good enough' emulation rather than a perfect emulation of a native service (as detailed in the PWE3 charter). This means that the emulation may be good enough for a particular application, but isn't guaranteed to be indistinguishable from a network built entirely of the native service technology. > > > >Micro-level issues: > > > >In terminology (section 2), the Primary PW is defined as the one that >will be used when any one will do, and that if it goes down and comes >back the PW will revert to it. But it also defines non-revertive >protection switching as an option where the traffic will not switch >back to the primary unless the secondary fails, and in section 4.1 it >says that non-revertive protection MUST be supported and revertive is >optional. MB> I propose modifying the definition of Primary as follows: o Primary PW: the PW which a PW endpoint activates (i.e. uses for forwarding) in preference to any other PW when more than one PW qualifies for active state. When the primary PW comes back up after a failure and qualifies for the active state, the PW endpoint always reverts to it. The designation of Primary is performed by local configuration for the PW at the PE and is only required when revertive behaviour is used. > > > >Typos: > > > >Section 4.1: > >besupported -> be supported > >suported -> supported MB> Thanks > > > >Section 4.2: > >Orphaned bullet MB> Thanks
- [secdir] secdir review of draft-ietf-pwe3-redunda… Radia Perlman
- [secdir] secdir review of draft-ietf-mpls-tp-oam-… Tina TSOU
- Re: [secdir] secdir review of draft-ietf-pwe3-red… Stewart Bryant
- Re: [secdir] secdir review of draft-ietf-pwe3-red… Bocci, Matthew (Matthew)
- Re: [secdir] secdir review of draft-ietf-mpls-tp-… Sprecher, Nurit (NSN - IL/Hod HaSharon)
- Re: [secdir] secdir review of draft-ietf-mpls-tp-… Tina TSOU