IETF Logo Mail Archive

Re: [Softwires] Ops-dir review of draft-ietf-softwire-mesh-framework-05

Eric Rosen <erosen@cisco.com> Tue, 06 January 2009 18:42 UTC

Return-Path: <softwires-bounces@ietf.org>
X-Original-To: softwires-archive@megatron.ietf.org
Delivered-To: ietfarch-softwires-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C672E3A6893; Tue, 6 Jan 2009 10:42:45 -0800 (PST)
X-Original-To: softwires@core3.amsl.com
Delivered-To: softwires@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 45D7B3A6893; Tue, 6 Jan 2009 10:42:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.415
X-Spam-Level:
X-Spam-Status: No, score=-6.415 tagged_above=-999 required=5 tests=[AWL=0.184, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Jw77AuD34-p; Tue, 6 Jan 2009 10:42:43 -0800 (PST)
Received: from rtp-iport-2.cisco.com (rtp-iport-2.cisco.com [64.102.122.149]) by core3.amsl.com (Postfix) with ESMTP id D80183A679F; Tue, 6 Jan 2009 10:42:42 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.36,340,1228089600"; d="scan'208";a="32837977"
Received: from rtp-dkim-1.cisco.com ([64.102.121.158]) by rtp-iport-2.cisco.com with ESMTP; 06 Jan 2009 18:42:29 +0000
Received: from rtp-core-2.cisco.com (rtp-core-2.cisco.com [64.102.124.13]) by rtp-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id n06IgTN3018945; Tue, 6 Jan 2009 13:42:29 -0500
Received: from erosen-linux.cisco.com (erosen-linux.cisco.com [161.44.70.34]) by rtp-core-2.cisco.com (8.13.8/8.13.8) with ESMTP id n06IgTfY019486; Tue, 6 Jan 2009 18:42:29 GMT
Received: from erosen-linux (localhost.localdomain [127.0.0.1]) by erosen-linux.cisco.com (8.13.1/8.13.1) with ESMTP id n06IgNiS018525; Tue, 6 Jan 2009 13:42:28 -0500
To: Pekka Savola <pekkas@netcore.fi>
In-reply-to: Your message of Sat, 20 Dec 2008 16:25:40 +0200. <alpine.LRH.2.00.0812201456210.2044@netcore.fi>
Date: Tue, 06 Jan 2009 13:42:23 -0500
Message-ID: <18524.1231267343@erosen-linux>
From: Eric Rosen <erosen@cisco.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=5001; t=1231267349; x=1232131349; c=relaxed/simple; s=rtpdkim1001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=erosen@cisco.com; z=From:=20Eric=20Rosen=20<erosen@cisco.com> |Subject:=20Re=3A=20Ops-dir=20review=20of=20draft-ietf-soft wire-mesh-framework-05=20 |Sender:=20 |To:=20Pekka=20Savola=20<pekkas@netcore.fi>; bh=qUCOQZcAk9w6DZERsmf4fVK3DP/j4O9jUp1n49sJ2Hc=; b=TbYYmyBxvIZ8BtZS6Y7cqeE75eDxS34bsMImuJJVJ75k65StsRhPNqsSvV PKpSkQyCL+QqgP4wrU0QfS9HnbqOsb6smKE/GFqXxrLhohQ7JkUy4jNF9xqQ /F6sk9fYwM;
Authentication-Results: rtp-dkim-1; header.From=erosen@cisco.com; dkim=pass ( sig from cisco.com/rtpdkim1001 verified; );
Cc: ops-dir@ietf.org, softwires@ietf.org, softwire-chairs@tools.ietf.org, softwire-ads@tools.ietf.org, draft-ietf-softwire-mesh-framework@tools.ietf.org
Subject: Re: [Softwires] Ops-dir review of draft-ietf-softwire-mesh-framework-05
X-BeenThere: softwires@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: erosen@cisco.com
List-Id: softwires wg discussion list <softwires.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/softwires>, <mailto:softwires-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/softwires>
List-Post: <mailto:softwires@ietf.org>
List-Help: <mailto:softwires-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/softwires>, <mailto:softwires-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: softwires-bounces@ietf.org
Errors-To: softwires-bounces@ietf.org

Pekka> My main concern here is with the O&M implication of dynamically
Pekka> created and used softwires, which do not run any routing protocol and
Pekka> there is no IETF protocol or management framework which could be used
Pekka> to verify the correct operation of these tunnels.

Pekka> We're creating a solution that is more fragile than 
Pekka> status quo (a network which has not deployed MPLS and/or L2TPv3 for 
Pekka> similar purpose) and IETF is doing disservice to the community if it 
Pekka> doesn't clearly describe these problems (not done currently) and 
Pekka> provide solutions to them.

The notion of "disservice to  the community" is highly subjective, and hence
is not a  meaningful criticism.  It seems to me that  the mesh framework doc
falls within  the charter of the  WG, and a comprehensive  discussion of the
OAM issues  is not a prerequisite  for either the framework  or the protocol
documents. 

Pekka> the document might say that the BGP Capability MUST NOT be advertised 
Pekka> unless manually configured to do so (so that if an implementation 
Pekka> would support this but the operator does not want to use it, it 
Pekka> wouldn't be used)

I don't see the point of this,  as the document makes it very clear that the
decision to  forward through a  softwire is always  a matter of  policy, and
determined by  the ingress AFBR.   Thus the presence  or absence of  the BGP
capability does not force the operator to do anything.

Pekka> If a client  upgrades from v4-only to dual-stack, does it need to
Pekka> switch provider  to be able to use v6, or would v6 traffic be dropped
Pekka> on the floor?

That is a business issue between the client and the provider.

Pekka> Obviously this should not be the case, but the framework does not say
Pekka> so.  I believe it should, even if it is trivial. 

The framework should not tell providers how to do business with their clients.

Pekka> For example, enabling this method for v4 E-IP must not prevent the
Pekka> ISP from also providing v6 E-IP (without tunneling) to the user.

I don't think anything in the framework could be interpreted as preventing a
provider from doing anything.  

Pekka> If you'd implement this with longest-prefix matching, but with 
Pekka> modifications to BGP, what I guess could happen is that for a BGP 
Pekka> message for an E-IP prefix, the system where this is configured would 
Pekka> need to install the E-IP prefix to RIB, change the next-hop to to be a 
Pekka> dynamically created point-to-point tunnel interface.  This next-hop 
Pekka> would only be changed for "softwire-enabled" BGP sessions.  Each BGP 
Pekka> I-IP nexthop would be associated with its own unnumbered tunnel 
Pekka> interface.  Or it could point to a pseudo-tunnel interface, which 
Pekka> would have a separate routing table where it looked up where to tunnel 
Pekka> packets.

I don't think there is any need to discuss the various implementation
techniques that might be used to support the framework.  

Eric> In the unicast area, most of the technology needed is already
Eric> standardized or in LC, hence the framework document makes normative
Eric> references.  In the multicast area, the situation is different, and
Eric> the framework document lays out options without making normative
Eric> references to specified technology.

Pekka> I'd say this is a problem; the problem statement calls rather
Pekka> strongly for the solution to support multicast, and it currently does
Pekka> not do so.

The framework indicates multiple ways in which multicast can be supported.
That's about as good as it ever gets in multicast.  It makes no sense to
hold up the unicast solutions until all the multicast issues are understood
and agreed upon.

Eric> The problem referred to is that if unauthorized nodes masquerade as
Eric> authorized transmitting endpoints, there may be a way to side-step the
Eric> authorized policies.  I'm not quite sure what you are objecting to
Eric> here.

Pekka> It seems to be emphasizing the wrong thing -- that different kinds of 
Pekka> packets may or may not be encapsulated by authorized endpoints, and 
Pekka> that unauthorized endpoints are not bound to these policies.  The 
Pekka> problem is the unauthorized endpoints, the policy (or lack thereof) of 
Pekka> authorized endpoints doesn't really matter, because even if it didn't 
Pekka> exist, we could think of various kinds of packets sent by unauthorized 
Pekka> endpoints that would need to be blocked.  The key point here is 
Pekka> analyzing how to prevent unauthorized endpoints and what kind of 
Pekka> impact failing to do so would cause.

The  impact of  failing  to  prevent unauthorized  endpoints  is exactly  as
stated, that the  authorized policies may be bypassed.  It  seems to me that
the  security  considerations section  adequately  discusses  the issues  of
blocking traffic from unauthorized endpoints.


 


_______________________________________________
Softwires mailing list
Softwires@ietf.org
https://www.ietf.org/mailman/listinfo/softwires

v2.23.0 | Report a Bug | By Email