Re: [shim6] I-D Action: draft-garcia-shim6-applicability-00.txt

Alberto García <alberto@it.uc3m.es> Mon, 10 October 2011 14:38 UTC

From: Alberto García <alberto@it.uc3m.es>
To: 'Brian E Carpenter' <brian.e.carpenter@gmail.com>, draft-ietf-v6ops-ipv6-multihoming-without-ipv6nat@tools.ietf.org
References: <20110901110629.557.88536.idtracker@ietfa.amsl.com> <4E8CCE44.3070808@gmail.com>
In-Reply-To: <4E8CCE44.3070808@gmail.com>
Date: Mon, 10 Oct 2011 16:38:26 +0200
Message-ID: <00fb01cc875a$4500f9c0$cf02ed40$@it.uc3m.es>
Cc: 'shim6-wg' <shim6@ietf.org>
Subject: Re: [shim6] I-D Action: draft-garcia-shim6-applicability-00.txt

Hi Brian,
Thanks for your suggestion + comments.
Answers inline...

|  -----Original Message-----
|  From: shim6-bounces@ietf.org [mailto:shim6-bounces@ietf.org] On behalf
|  of Brian E Carpenter
|  Sent: Wednesday, 05 October 2011 23:38
|  To: draft-ietf-v6ops-ipv6-multihoming-without-ipv6nat@tools.ietf.org
|  CC: shim6-wg
|  Subject: Re: [shim6] I-D Action: draft-garcia-shim6-applicability-00.txt
|  
|  Hi,
|  
|  Thanks for updating this draft. I have one suggestion and then some
|  comments.
|  
|  The suggestion is to add a section at the end, just before the Security
|  section, summarising the unsolved issues for shim6 deployment that can be
|  found in the text. For example it seems that use of HBA or CGA is

Well, I'm not really convinced that summarising the unsolved issues would be
good for the document. I think the whole document is a contextualized
discussion of
- advantages,
- unsolved issues, and
- things that could be solved but are not yet,
around Shim6 operation. I'm not sure that extracting the issues (without their
explanation) into a section would improve readability.

|  incompatible with using DHCPv6 for address assignment, which is probably
|  quite a problem. (I also wonder whether the Security section should
|  mention this.)

This issue is described in some detail in section 3.3, in which it is
commented that HBAs could be easily configured by DHCP, but configuring CGAs
in this way would be problematic. (By the way, I've renamed section 3.3 to
"Address Generation and Configuration", instead of just "Address Generation"
as it was, since it also discusses configuration.)
To include a comment on CGA/HBA address configuration in the Security
Considerations section, I think the best way is to add, in the third
paragraph, which discusses the protection provided by the use of CGA/HBA,
the following text:
'Note that for nodes using CGA addresses, security depends on the secure
handling of the private key associated with the signature and validation of
locators. In particular, any address configuration method MUST ensure that
the private key remains secret, as discussed in section 3.3.'

|  
|  The comment is that, clearly, exit selection is an unsolved problem.
|  You do point out that REAP will eliminate address pairs for which correct
|  exit selection fails, but how about the various techniques described in
|  draft-ietf-v6ops-ipv6-multihoming-without-ipv6nat?
|  Also, I suspect that shim6 interactions with MIF and HOMENET need to be
|  investigated - maybe not in this draft, but they could be mentioned as
|  open issues.

I think this comment raises quite interesting issues. I've been browsing the
MIF and HOMENET wg documents, and
draft-ietf-v6ops-ipv6-multihoming-without-ipv6nat, and I have included new
text to address some topics related to them (or at least, topics which
were inspired by reading these documents).
- Regarding exit selection, I've changed the section named 'Shim6 and
Ingress Filtering' to another named 'Shim6 in Multihomed Nodes'. Now the
section briefly comments on the problems identified in
draft-ietf-mif-problem-statement, and discusses how Shim6 could interact
with some of the solutions presented in
draft-ietf-v6ops-ipv6-multihoming-without-ipv6nat. I removed the previous
discussion on a source-routing solution for exit selection, since I think
the document should not discuss solutions to problems with broader scope
than Shim6.
- I've added a new subsection named 'Shim6 and Firewalls' in the
'Interaction with Other Protocols and Mechanisms' section. In short,
filtering based on the state created from outgoing packets is problematic
for remote nodes changing their locators.
- I've added a new subsection named 'Shim6 and IPv6 NAT' after the firewall
section. In short, IPv6 NATs may allow communicating with the ULID pair
(with the initial locators), but communication will break in some cases in
which locators are changed.

Since there are many changes, I have generated a new version of the draft:
https://datatracker.ietf.org/doc/draft-garcia-shim6-applicability/

What do you think? 

Thanks,
Alberto

|  
|  In any case I support this draft going forward to the AD quite soon.
|  
|  Regards
|     Brian Carpenter
|  
|  
|  
|  
|  On 2011-09-01 23:06, internet-drafts@ietf.org wrote:
|  > A New Internet-Draft is available from the on-line Internet-Drafts directories.
|  >
|  > 	Title           : Applicability Statement for the Level 3 Multihoming Shim Protocol (Shim6)
|  > 	Author(s)       : Joe Abley
|  >                           Marcelo Bagnulo
|  >                           Alberto Garcia-Martinez
|  > 	Filename        : draft-garcia-shim6-applicability-00.txt
|  > 	Pages           : 22
|  > 	Date            : 2011-09-01
|  >
|  >    This document discusses the applicability of the Shim6 IPv6 protocol
|  >    and associated support protocols and mechanisms to provide site
|  >    multihoming capabilities in IPv6.
|  >
|  >
|  > A URL for this Internet-Draft is:
|  > http://www.ietf.org/internet-drafts/draft-garcia-shim6-applicability-00.txt
|  >
|  > Internet-Drafts are also available by anonymous FTP at:
|  > ftp://ftp.ietf.org/internet-drafts/
|  >
|  > This Internet-Draft can be retrieved at:
|  > ftp://ftp.ietf.org/internet-drafts/draft-garcia-shim6-applicability-00.txt
|  > _______________________________________________
|  > I-D-Announce mailing list
|  > I-D-Announce@ietf.org
|  > https://www.ietf.org/mailman/listinfo/i-d-announce
|  > Internet-Draft directories: http://www.ietf.org/shadow.html or
|  > ftp://ftp.ietf.org/ietf/1shadow-sites.txt
|  >
|  _______________________________________________
|  shim6 mailing list
|  shim6@ietf.org
|  https://www.ietf.org/mailman/listinfo/shim6
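The 'Shim6 and Firewalls' point in the message above, as an added toy model that is not part of the draft or of the mail thread: a stateful filter keys its state on the locator pair seen in outgoing packets, so after the remote Shim6 peer rehomes to a new locator its packets no longer match and are dropped. The addresses, the context tag, and the Shim6-aware variant (which assumes the local host is the context initiator and learns its own context tag from the outbound I2 message) are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed values: locators of the local host and of a remote Shim6 peer.
LOCAL = "2001:db8:1::10"
REMOTE_ULID = "2001:db8:a::1"   # remote ULID, also its initial locator
REMOTE_NEW = "2001:db8:b::1"    # locator the remote peer rehomes to
LOCAL_CTX_TAG = 0x1234          # context tag allocated by the local host (assumed)

@dataclass(frozen=True)
class Packet:
    src: str                          # source locator on the wire
    dst: str                          # destination locator on the wire
    ctx_tag: Optional[int] = None     # receiver context tag, if a Shim6 header is present
    shim6_msg: Optional[str] = None   # Shim6 control message type, e.g. "I2"

class LocatorPairFirewall:
    """Classic stateful filter: state keyed on the (local, remote) locator pair."""
    def __init__(self):
        self.flows = set()
    def outbound(self, pkt):
        self.flows.add((pkt.src, pkt.dst))
    def inbound(self, pkt):
        return (pkt.dst, pkt.src) in self.flows

class Shim6AwareFirewall(LocatorPairFirewall):
    """Assumed variant: records the local context tag carried in an outbound I2
    and admits inbound payload packets carrying that tag, whatever their source."""
    def __init__(self):
        super().__init__()
        self.local_tags = set()
    def outbound(self, pkt):
        super().outbound(pkt)
        if pkt.shim6_msg == "I2" and pkt.ctx_tag is not None:
            self.local_tags.add(pkt.ctx_tag)
    def inbound(self, pkt):
        return super().inbound(pkt) or pkt.ctx_tag in self.local_tags

def run_rehoming(fw):
    """Return (inbound accepted before rehoming, inbound accepted after rehoming)."""
    fw.outbound(Packet(LOCAL, REMOTE_ULID))                       # ULID-pair traffic
    fw.outbound(Packet(LOCAL, REMOTE_ULID, LOCAL_CTX_TAG, "I2"))  # context establishment
    before = fw.inbound(Packet(REMOTE_ULID, LOCAL))
    # Remote peer rehomes: same context, new source locator, Shim6 payload header present
    after = fw.inbound(Packet(REMOTE_NEW, LOCAL, LOCAL_CTX_TAG))
    return before, after

if __name__ == "__main__":
    print("locator-pair filter:", run_rehoming(LocatorPairFirewall()))
    print("shim6-aware filter: ", run_rehoming(Shim6AwareFirewall()))
```

Dropped packets with an unfamiliar source locator but a valid context tag are the symptom a defender would see in firewall logs when a peer rehomes behind such a filter.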