[shim6] AD review of draft-garcia-shim6-applicability-00.txt

Jari Arkko <jari.arkko@piuha.net> Tue, 20 December 2011 13:12 UTC

Return-Path: <jari.arkko@piuha.net>
X-Original-To: shim6@ietfa.amsl.com
Delivered-To: shim6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A874221F8B2D for <shim6@ietfa.amsl.com>; Tue, 20 Dec 2011 05:12:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.368
X-Spam-Level:
X-Spam-Status: No, score=-102.368 tagged_above=-999 required=5 tests=[AWL=-0.069, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4mFDLjISgSGr for <shim6@ietfa.amsl.com>; Tue, 20 Dec 2011 05:12:50 -0800 (PST)
Received: from p130.piuha.net (p130.piuha.net [IPv6:2001:14b8:400::130]) by ietfa.amsl.com (Postfix) with ESMTP id C929D21F8880 for <shim6@ietf.org>; Tue, 20 Dec 2011 05:12:49 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by p130.piuha.net (Postfix) with ESMTP id 8B8652CC4D; Tue, 20 Dec 2011 15:12:48 +0200 (EET)
X-Virus-Scanned: amavisd-new at piuha.net
Received: from p130.piuha.net ([127.0.0.1]) by localhost (p130.piuha.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gAnUjjJm6X9G; Tue, 20 Dec 2011 15:12:47 +0200 (EET)
Received: from [127.0.0.1] (p130.piuha.net [IPv6:2001:14b8:400::130]) by p130.piuha.net (Postfix) with ESMTP id A11E12CC31; Tue, 20 Dec 2011 15:12:47 +0200 (EET)
Message-ID: <4EF089CF.5070300@piuha.net>
Date: Tue, 20 Dec 2011 15:12:47 +0200
From: Jari Arkko <jari.arkko@piuha.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20111110 Thunderbird/8.0
MIME-Version: 1.0
To: shim6 <shim6@ietf.org>, =?ISO-8859-1?Q?Alberto_Garc=EDa?= <alberto@it.uc3m.es>, marcelo bagnulo braun <marcelo@bagnulo.net>, Joe Abley <joe.abley@icann.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [shim6] AD review of draft-garcia-shim6-applicability-00.txt
X-BeenThere: shim6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SHIM6 Working Group Mailing List <shim6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/shim6>, <mailto:shim6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/shim6>
List-Post: <mailto:shim6@ietf.org>
List-Help: <mailto:shim6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shim6>, <mailto:shim6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Dec 2011 13:12:50 -0000

This document has been revived from an expired status, and I was told that it should be ready enough to be published. I have therefore reviewed it.

The document is in relatively good shape and can progress forward, but first we have to make sure that it properly highlights the major issues with Shim6 usage (ingress filtering, lack of initial contact support, lack of firewall implementations with Shim6 support, on/off vs. load balanced multihoming) as well as talk about the needs for site network admins to control the behaviour of Shim6.

I'm expecting a revised draft. How soon can you make one, Alberto?

My detailed comments follow.

>     The Shim6 protocol is defined only for IPv6.  However, there is no
>     fundamental reason why a Shim6-like approach could not support IPv4
>     addresses as locators, either to provide multihoming support to IPv4-
>     numbered sites, or as part of an IPv4/IPv6 transition strategy.  Some
>     extensions to the Shim6 protocol for supporting IPv4 locators have
>     been proposed in [I-D.nordmark-shim6-esd  <http://tools.ietf.org/html/draft-garcia-shim6-applicability-02#ref-I-D.nordmark-shim6-esd>].
>
>     The Shim6 protocol, as specified for IPv6, incorporates cryptographic
>     elements in the construction of locators (see [RFC3972  <http://tools.ietf.org/html/rfc3972>], [RFC5535  <http://tools.ietf.org/html/rfc5535>]).
>     Since IPv4 addresses are insufficiently large to contain addresses
>     constructed in this fashion, direct implementation of Shim6 as
>     specified for IPv6 for use with IPv4 addresses might require protocol
>     modifications.

I think this is too optimistic. The devil is in the details, and I'm not sure how the security would actually work in this case.

Suggested edit:

    The Shim6 protocol is defined only for IPv6.  While some Shim6-like
    approaches have been suggested to support IPv4 addresses as locator
    [I-D.nordmark-shim6-esd], at this time it is not clear if such extensions
    are feasible.
    The Shim6 protocol, as specified for IPv6, incorporates cryptographic
    elements in the construction of locators (see [RFC3972], [RFC5535]).
    Since IPv4 addresses are insufficiently large to contain addresses
    constructed in this fashion, direct implementation of Shim6 as
    specified for IPv6 for use with IPv4 addresses is not possible.

> which with the current rate of IPv4 addresses
>     would be problematic.

which would obviously be problematic given that IPv4 addresses are not easily available any more.

The source address problem discussed in one paragraph in Section 4 should be highlighted much earlier. It is a key missing pieces for Shim6 to work, and it would be honest to tell this to the reader. Similarly, the initial contact issue from Section 5.1.1 should also be highlighted up front.

Section 5.2 should highlight the fact that transport-layer solutions are much more amenable for load balancing solutions, and that work for such solutions is already ongoing at MP-TCP WG.

Section 5.3 should highlight that it is the hosts, not the site admin that get to set these bits. In general, the document should highlight more of the issues from the perspective of a site admin. Not that that is the only relevant viewpoint, but the reader should get a balanced view of the benefits and disadvantages of Shim6.

>     In order to identify the DNS server most appropriate to resolve a
>     particular query, nodes can be configured with policy information.
>     [RFC3484  <http://tools.ietf.org/html/rfc3484>] policy information needs be configured in such way that
>     only source addresses of the node could be used by Shim6 to establish
>     the communication with the DNS if Shim6 could be used for accessing
>     to the DNS.

The "mif" style issues take perhaps a too big of a role here. You should indicate that these issues exist and that they exist independent of Shim6. Also, only certain configurations exhibit the above problems, e.g., walled garden situations. Normal Internet access through ISP would not be affected, and it would not be a problem to use just a regular DNS.

Section 7 should indicate if there is any implementation of deployment experience with these combinations. I'm doubtful on whether all the ipsec layering mechanisms and so on would actually work in real implementations without someone having tested such combinations.

Jari