Re: [Softwires] I-D Action:draft-ietf-softwire-hs-framework-l2tpv2-05.txt

Florent Parent <Florent.Parent@beon.ca> Wed, 25 July 2007 19:11 UTC

Date: Wed, 25 Jul 2007 14:11:18 -0500
From: Florent Parent <Florent.Parent@beon.ca>
To: softwires@ietf.org
Subject: Re: [Softwires] I-D Action:draft-ietf-softwire-hs-framework-l2tpv2-05.txt

Here are some initial comments on this draft.

Florent


4.1.  Softwire Transport Related

FP> Should the title be "L2TPv2 Security Related"? Also, it would probably
FP> make sense to put 4.2 "L2TPv2" before this section.

   RFC 3193   "Securing L2TP using IPsec" [RFC3193].

   RFC 3948   "UDP Encapsulation of IPsec ESP Packets" [RFC3948].

              *  IPsec supports both IPv4 and IPv6 transports.


5.1.  L2TPv2 Tunnel Setup

...
   In the Softwire model, an L2TPv2 packet MUST be carried over UDP.
   The underlying version of the IP protocol may be IPv4 or IPv6,
   depending on the Softwires scenario.

FP> In the case where UDP encapsulation of IPsec ESP packets [RFC3948]
FP> is used to protect L2TPv2, this 'MUST' becomes too strong: NAT
FP> traversal is achieved by IPsec. One idea proposed a while ago by
FP> Francis D. was to allow optimization by carrying L2TPv2 over IP
FP> (proto 115), thus removing an extra UDP header.

FP> Proposed change: "In the Softwire model, an L2TPv2 packet not
FP> protected by IPsec MUST be carried over UDP." ?


5.2.  PPP Connection

5.2.1.  MTU

   The MTU of the PPP link SHOULD be the link MTU minus the size of the
   IP, UDP, L2TPv2, and PPP headers together.  On an IPv4 link with an
   MTU equal to 1500 bytes, this could typically mean a PPP MTU of 1460
   bytes.  This may vary according to the size of the L2TP header, as
   defined by the leading bits of the L2TP message header (see
   [RFC2661]).  Additionally, see [RFC4623] for a detailed discussion of
   fragmentation issues.

FP> When IPsec is used, the PPP MTU will need to be smaller to avoid
FP> fragmentation at the outer IP layer.

FP> "... this could typically mean a PPP MTU of 1460 bytes when IPsec
FP> is not used." ?


10.  Security Considerations

   A detailed discussion of Softwires security is contained in
   [I-D.ietf-softwire-security-requirements].

   The L2TPv2 Softwires solution provides the following tools for
   security:

   o  IPsec [RFC3193] provides the highest level of security.

FP> Since it was decided to use the new IPsec architecture and IKEv2,
FP> we should reference RFC4301 and 4306. RFC3193 is still relevant
FP> w.r.t. interaction of L2TPv2 and IPsec.

   o  PPP CHAP [RFC1994] provides basic user authentication.

   o  L2TP Tunnel Authentication [RFC2661] provides authentication at
      tunnel setup.  It may be used to limit DoS attacks by
      authenticating the tunnel before L2TP session and PPP resources
      are allocated.

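As an added illustration of the MTU arithmetic in section 5.2.1 (example code, not part of the draft or of this message), the following computes the PPP MTU of an L2TPv2 softwire from the header sizes the draft lists, with the L2TPv2 header length derived from the L, S and O bits of RFC 2661. The 4-byte PPP header (HDLC address/control plus protocol) and the L bit being set are assumptions chosen because they reproduce the draft's 1460-byte figure; the IPsec overhead is supplied by the caller, since it depends on the ESP algorithms in use.

```python
# Added example (not from the draft or the thread): PPP MTU for an L2TPv2
# softwire = link MTU - (IP + UDP + L2TPv2 + PPP headers [+ IPsec overhead]).

IP_HEADER = {4: 20, 6: 40}   # IPv4 header without options, IPv6 base header
UDP_HEADER = 8


def l2tpv2_data_header_len(l_bit=True, s_bit=False, o_bit=False, offset_pad=0):
    """Length of an L2TPv2 data-message header (RFC 2661, section 3.1).

    Flags/Ver (2) + Tunnel ID (2) + Session ID (2) are always present.
    L bit adds Length (2); S bit adds Ns/Nr (2 + 2);
    O bit adds Offset Size (2) plus the offset padding it announces.
    """
    size = 6
    if l_bit:
        size += 2
    if s_bit:
        size += 4
    if o_bit:
        size += 2 + offset_pad
    return size


def ppp_mtu(link_mtu, ip_version=4, transport="udp", l_bit=True, s_bit=False,
            o_bit=False, offset_pad=0, ppp_header=4, extra_overhead=0):
    """PPP link MTU for the given encapsulation.

    transport: "udp" (the draft's L2TPv2-over-UDP) or "ip" (L2TPv2 directly
    over IP protocol 115, as floated in the comment on 5.1; no UDP header).
    ppp_header: assumed 4 bytes = HDLC address/control (2) + protocol (2).
    extra_overhead: assumption for IPsec (ESP header/trailer/ICV, plus the
    RFC 3948 UDP encapsulation header); it is algorithm dependent, so the
    caller passes the figure for its own configuration.
    """
    if ip_version not in IP_HEADER:
        raise ValueError("ip_version must be 4 or 6")
    if transport not in ("udp", "ip"):
        raise ValueError("transport must be 'udp' or 'ip'")
    overhead = (IP_HEADER[ip_version]
                + (UDP_HEADER if transport == "udp" else 0)
                + l2tpv2_data_header_len(l_bit, s_bit, o_bit, offset_pad)
                + ppp_header
                + extra_overhead)
    mtu = link_mtu - overhead
    if mtu <= 0:
        raise ValueError("encapsulation overhead exceeds the link MTU")
    return mtu
```

With IPv4, UDP, the L bit set and a 4-byte PPP header the result is the draft's 1460 bytes; IPv6 transport gives 1440, adding the S bit gives 1456, and any IPsec overhead lowers the figure further, which is the point of the comment on 5.2.1.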