Re: [Softwires] I-D Action:draft-ietf-softwire-hs-framework-l2tpv2-05.txt
Bruno STEVANT <bruno.stevant@enst-bretagne.fr> Wed, 08 August 2007 08:50 UTC
Return-path: <softwires-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IIhFh-00015k-9n; Wed, 08 Aug 2007 04:50:49 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IIhFg-00015A-H4 for softwires@ietf.org; Wed, 08 Aug 2007 04:50:48 -0400
Received: from [2001:660:7301:3192:211:43ff:fea3:7e4b] (helo=laposte.rennes.enst-bretagne.fr) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IIhFe-0002FA-E8 for softwires@ietf.org; Wed, 08 Aug 2007 04:50:48 -0400
Received: from localhost (localhost.localdomain [127.0.0.1]) by laposte.rennes.enst-bretagne.fr (8.13.7/8.13.7/2006.08.14) with ESMTP id l788odxH025699 for <softwires@ietf.org>; Wed, 8 Aug 2007 10:50:39 +0200
Received: from l2.rennes.enst-bretagne.fr (l2.rennes.enst-bretagne.fr [192.44.77.4]) by laposte.rennes.enst-bretagne.fr (8.13.7/8.13.7/2007.03.20) with ESMTP id l788obi7025691 for <softwires@ietf.org>; Wed, 8 Aug 2007 10:50:37 +0200
Received: from [192.44.77.169] (dhcpe169.rennes.enst-bretagne.fr [192.44.77.169]) (authenticated bits=0) by l2.rennes.enst-bretagne.fr (8.13.1/8.13.1) with ESMTP id l788obCY012197 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for <softwires@ietf.org>; Wed, 8 Aug 2007 10:50:37 +0200
Mime-Version: 1.0 (Apple Message framework v752.3)
In-Reply-To: <654C08BF24F3246E8DAE7E5B@marbles.local>
References: <E1I47o2-0006Hs-Em@stiedprstage1.ietf.org> <4B041CD7E6110773160C80B9@blues.local> <24F73DB4-C9CB-42C9-82D7-A617821E8DD2@enst-bretagne.fr> <654C08BF24F3246E8DAE7E5B@marbles.local>
Content-Type: text/plain; charset="ISO-8859-1"; delsp="yes"; format="flowed"
Message-Id: <09CE3965-2161-4BBC-B758-F4C70583237C@enst-bretagne.fr>
Content-Transfer-Encoding: quoted-printable
From: Bruno STEVANT <bruno.stevant@enst-bretagne.fr>
Subject: Re: [Softwires] I-D Action:draft-ietf-softwire-hs-framework-l2tpv2-05.txt
Date: Wed, 08 Aug 2007 10:50:10 +0200
To: softwires@ietf.org
X-Mailer: Apple Mail (2.752.3)
X-Virus-Scanned: amavisd-new at enst-bretagne.fr
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 36c793b20164cfe75332aa66ddb21196
X-BeenThere: softwires@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: softwires wg discussion list <softwires.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/softwires>, <mailto:softwires-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/softwires>
List-Post: <mailto:softwires@ietf.org>
List-Help: <mailto:softwires-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/softwires>, <mailto:softwires-request@ietf.org?subject=subscribe>
Errors-To: softwires-bounces@ietf.org
OK, I will modify the draft to make requirements on encapsulation only in the case where no security solution (IPsec) is involved. As requirements for IPsec are described in the security documents, pointers will be added when necessary. Some points I think are still unclear between H&S ans Security draft : * In H&S we state that NAT-traversal is mandatory. In Security, NAT- traversal is mentioned in 3.5 but not documented in the encapsulation table (3.5.4.1) and IPsec without UDP encap (port 500) is still documented. Does the requirements of H&S forbid IPsec port 500 ? * Should the security document mention the MTU to be used when using IPsec ? * FD encap (IP/UDP/ESP/L2TPv2/PPP) is not documented anywhere. Since this may be possible, should we document it in the security document and make the requirement of UDP encap for L2TPv2 a SHOULD instead of a MUST ? Le 7 août 07 à 21:22, Florent Parent a écrit : > > > --On 6 août 2007 15:46:10 +0200 Bruno STEVANT <bruno.stevant@enst- > bretagne.fr> wrote: >>> >>> FP> In the case where UDP encapsulation of IPsec ESP packets >>> [RFC3948] >>> FP> is used to protect L2TPv2, this 'MUST' becomes too strong: NAT >>> FP> traversal is achieved by IPSec. One idea proposed a while ago >>> FP> Francis D. was to allow optimization by carrying L2TPv2 over IP >>> FP> (proto 115), thus removing an extra UDP header. >>> >>> FP> Proposed change: "In the Softwire model, an L2TPv2 packet not >>> FP> protected by IPsec MUST be carried over UDP." ? >>> >> >> Many solutions are available to put L2TPv2 over IPsec: IKE or >> IKEv2 with >> tunnel or transport mode. >> The security framework allow to pick any solution, the only >> requirement >> is to have NAT-traversal (Section 3.5) > > I don't see how we can have interoperable implementations if the > document allows an implementor to pick any solution. Look back at > the thread <http://www1.ietf.org/mail-archive/web/softwires/current/ > msg00524.html>. I was working under the assumption that IKEv2 was > the consensus moving forward (?). > > As for tunnel vs. transport, why would IPsec tunnel mode be used to > protect L2TPv2, which already established a p2p tunnel? > >> I agree that UDP may not be required when using IPsec. >> But should we document somewhere how IPsec will encap the L2TPv2 >> softwire >> ? Or is current RFCs sufficient ? > > If you are referring to RFC3193, it does not cover the new IPsec > architecture/IKEv2. That is covered in draft-ietf-softwire-security- > requirements. > >> >> BTW, FD proposal was : IP/UDP/ESP/L2TPv2/PPP/IP ? > > Yes, but Francis can correct me :) > >> >> >>> 5.2. PPP Connection >>> >>> 5.2.1. MTU >>> >>> The MTU of the PPP link SHOULD be the link MTU minus the size >>> of the >>> IP, UDP, L2TPv2, and PPP headers together. On an IPv4 link >>> with an >>> MTU equal to 1500 bytes, this could tipically mean a PPP MTU of >>> 1460 >>> bytes. This may vary according to the size of the L2TP header, as >>> defined by the leading bits of the L2TP message header (see >>> [RFC2661]). Additionally, see [RFC4623] for a detailed >>> discussion of >>> fragmentation issues. >>> >>> FP> When IPsec is used, the PPP MTU will need to be smaller to avoid >>> FP> fragmentation at the outer IP layer. >>> >>> FP> "... this could typically mean a PPP MTU of 1460 bytes when >>> IPsec >>> FP> is not used." ? >> >> Same as above: should we document MTU with the different IPsec >> solution >> or is there a pointer with sufficient explanation for that ? > > My take is that 1460 is fine as is (using my suggested change). A > reference to draft-ietf-softwire-security-requirements can be added > for information on considerations when IPsec is used. > > Florent > > > > -- Bruno STEVANT - ENST Bretagne _______________________________________________ Softwires mailing list Softwires@ietf.org https://www1.ietf.org/mailman/listinfo/softwires
- [Softwires] I-D Action:draft-ietf-softwire-hs-fra… Internet-Drafts
- Re: [Softwires] I-D Action:draft-ietf-softwire-hs… Florent Parent
- Re: [Softwires] I-D Action:draft-ietf-softwire-hs… Bruno STEVANT
- Re: [Softwires] I-D Action:draft-ietf-softwire-hs… Florent Parent
- Re: [Softwires] I-D Action:draft-ietf-softwire-hs… Bruno STEVANT
- Re: [Softwires] I-D Action:draft-ietf-softwire-hs… Florent Parent
- Re: [Softwires] I-D Action:draft-ietf-softwire-hs… Bruno STEVANT
- Re: [Softwires] I-D Action:draft-ietf-softwire-hs… Bruno STEVANT
- Re: [Softwires] I-D Action:draft-ietf-softwire-hs… Carlos Pignataro