Re: [Softwires] Ops-dir review of draft-ietf-softwire-mesh-framework-05
Eric Rosen <erosen@cisco.com> Tue, 06 January 2009 18:42 UTC
Return-Path: <softwires-bounces@ietf.org>
X-Original-To: softwires-archive@megatron.ietf.org
Delivered-To: ietfarch-softwires-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C672E3A6893; Tue, 6 Jan 2009 10:42:45 -0800 (PST)
X-Original-To: softwires@core3.amsl.com
Delivered-To: softwires@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 45D7B3A6893; Tue, 6 Jan 2009 10:42:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.415
X-Spam-Level:
X-Spam-Status: No, score=-6.415 tagged_above=-999 required=5 tests=[AWL=0.184, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Jw77AuD34-p; Tue, 6 Jan 2009 10:42:43 -0800 (PST)
Received: from rtp-iport-2.cisco.com (rtp-iport-2.cisco.com [64.102.122.149]) by core3.amsl.com (Postfix) with ESMTP id D80183A679F; Tue, 6 Jan 2009 10:42:42 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.36,340,1228089600"; d="scan'208";a="32837977"
Received: from rtp-dkim-1.cisco.com ([64.102.121.158]) by rtp-iport-2.cisco.com with ESMTP; 06 Jan 2009 18:42:29 +0000
Received: from rtp-core-2.cisco.com (rtp-core-2.cisco.com [64.102.124.13]) by rtp-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id n06IgTN3018945; Tue, 6 Jan 2009 13:42:29 -0500
Received: from erosen-linux.cisco.com (erosen-linux.cisco.com [161.44.70.34]) by rtp-core-2.cisco.com (8.13.8/8.13.8) with ESMTP id n06IgTfY019486; Tue, 6 Jan 2009 18:42:29 GMT
Received: from erosen-linux (localhost.localdomain [127.0.0.1]) by erosen-linux.cisco.com (8.13.1/8.13.1) with ESMTP id n06IgNiS018525; Tue, 6 Jan 2009 13:42:28 -0500
To: Pekka Savola <pekkas@netcore.fi>
In-reply-to: Your message of Sat, 20 Dec 2008 16:25:40 +0200. <alpine.LRH.2.00.0812201456210.2044@netcore.fi>
Date: Tue, 06 Jan 2009 13:42:23 -0500
Message-ID: <18524.1231267343@erosen-linux>
From: Eric Rosen <erosen@cisco.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=5001; t=1231267349; x=1232131349; c=relaxed/simple; s=rtpdkim1001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=erosen@cisco.com; z=From:=20Eric=20Rosen=20<erosen@cisco.com> |Subject:=20Re=3A=20Ops-dir=20review=20of=20draft-ietf-soft wire-mesh-framework-05=20 |Sender:=20 |To:=20Pekka=20Savola=20<pekkas@netcore.fi>; bh=qUCOQZcAk9w6DZERsmf4fVK3DP/j4O9jUp1n49sJ2Hc=; b=TbYYmyBxvIZ8BtZS6Y7cqeE75eDxS34bsMImuJJVJ75k65StsRhPNqsSvV PKpSkQyCL+QqgP4wrU0QfS9HnbqOsb6smKE/GFqXxrLhohQ7JkUy4jNF9xqQ /F6sk9fYwM;
Authentication-Results: rtp-dkim-1; header.From=erosen@cisco.com; dkim=pass ( sig from cisco.com/rtpdkim1001 verified; );
Cc: ops-dir@ietf.org, softwires@ietf.org, softwire-chairs@tools.ietf.org, softwire-ads@tools.ietf.org, draft-ietf-softwire-mesh-framework@tools.ietf.org
Subject: Re: [Softwires] Ops-dir review of draft-ietf-softwire-mesh-framework-05
X-BeenThere: softwires@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: erosen@cisco.com
List-Id: softwires wg discussion list <softwires.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/softwires>, <mailto:softwires-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/softwires>
List-Post: <mailto:softwires@ietf.org>
List-Help: <mailto:softwires-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/softwires>, <mailto:softwires-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: softwires-bounces@ietf.org
Errors-To: softwires-bounces@ietf.org
Pekka> My main concern here is with the O&M implication of dynamically Pekka> created and used softwires, which do not run any routing protocol and Pekka> there is no IETF protocol or management framework which could be used Pekka> to verify the correct operation of these tunnels. Pekka> We're creating a solution that is more fragile than Pekka> status quo (a network which has not deployed MPLS and/or L2TPv3 for Pekka> similar purpose) and IETF is doing disservice to the community if it Pekka> doesn't clearly describe these problems (not done currently) and Pekka> provide solutions to them. The notion of "disservice to the community" is highly subjective, and hence is not a meaningful criticism. It seems to me that the mesh framework doc falls within the charter of the WG, and a comprehensive discussion of the OAM issues is not a prerequisite for either the framework or the protocol documents. Pekka> the document might say that the BGP Capability MUST NOT be advertised Pekka> unless manually configured to do so (so that if an implementation Pekka> would support this but the operator does not want to use it, it Pekka> wouldn't be used) I don't see the point of this, as the document makes it very clear that the decision to forward through a softwire is always a matter of policy, and determined by the ingress AFBR. Thus the presence or absence of the BGP capability does not force the operator to do anything. Pekka> If a client upgrades from v4-only to dual-stack, does it need to Pekka> switch provider to be able to use v6, or would v6 traffic be dropped Pekka> on the floor? That is a business issue between the client and the provider. Pekka> Obviously this should not be the case, but the framework does not say Pekka> so. I believe it should, even if it is trivial. The framework should not tell providers how to do business with their clients. Pekka> For example, enabling this method for v4 E-IP must not prevent the Pekka> ISP from also providing v6 E-IP (without tunneling) to the user. I don't think anything in the framework could be interpreted as preventing a provider from doing anything. Pekka> If you'd implement this with longest-prefix matching, but with Pekka> modifications to BGP, what I guess could happen is that for a BGP Pekka> message for an E-IP prefix, the system where this is configured would Pekka> need to install the E-IP prefix to RIB, change the next-hop to to be a Pekka> dynamically created point-to-point tunnel interface. This next-hop Pekka> would only be changed for "softwire-enabled" BGP sessions. Each BGP Pekka> I-IP nexthop would be associated with its own unnumbered tunnel Pekka> interface. Or it could point to a pseudo-tunnel interface, which Pekka> would have a separate routing table where it looked up where to tunnel Pekka> packets. I don't think there is any need to discuss the various implementation techniques that might be used to support the framework. Eric> In the unicast area, most of the technology needed is already Eric> standardized or in LC, hence the framework document makes normative Eric> references. In the multicast area, the situation is different, and Eric> the framework document lays out options without making normative Eric> references to specified technology. Pekka> I'd say this is a problem; the problem statement calls rather Pekka> strongly for the solution to support multicast, and it currently does Pekka> not do so. The framework indicates multiple ways in which multicast can be supported. That's about as good as it ever gets in multicast. It makes no sense to hold up the unicast solutions until all the multicast issues are understood and agreed upon. Eric> The problem referred to is that if unauthorized nodes masquerade as Eric> authorized transmitting endpoints, there may be a way to side-step the Eric> authorized policies. I'm not quite sure what you are objecting to Eric> here. Pekka> It seems to be emphasizing the wrong thing -- that different kinds of Pekka> packets may or may not be encapsulated by authorized endpoints, and Pekka> that unauthorized endpoints are not bound to these policies. The Pekka> problem is the unauthorized endpoints, the policy (or lack thereof) of Pekka> authorized endpoints doesn't really matter, because even if it didn't Pekka> exist, we could think of various kinds of packets sent by unauthorized Pekka> endpoints that would need to be blocked. The key point here is Pekka> analyzing how to prevent unauthorized endpoints and what kind of Pekka> impact failing to do so would cause. The impact of failing to prevent unauthorized endpoints is exactly as stated, that the authorized policies may be bypassed. It seems to me that the security considerations section adequately discusses the issues of blocking traffic from unauthorized endpoints. _______________________________________________ Softwires mailing list Softwires@ietf.org https://www.ietf.org/mailman/listinfo/softwires
- [Softwires] Ops-dir review of draft-ietf-softwire… Pekka Savola
- Re: [Softwires] Ops-dir review of draft-ietf-soft… Eric Rosen
- Re: [Softwires] Ops-dir review of draft-ietf-soft… Pekka Savola
- Re: [Softwires] Ops-dir review of draft-ietf-soft… Eric Rosen
- Re: [Softwires] Ops-dir review of draft-ietf-soft… Pekka Savola