IETF Logo Mail Archive

Re: draft-ietf-v6ops-cpe-simple-security-04 WGLC

Fred Baker <fred@cisco.com> Fri, 24 April 2009 18:24 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 852D63A6BAE for <ietfarch-v6ops-archive@core3.amsl.com>; Fri, 24 Apr 2009 11:24:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.132
X-Spam-Level:
X-Spam-Status: No, score=-105.132 tagged_above=-999 required=5 tests=[AWL=-1.237, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, J_CHICKENPOX_43=0.6, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t-DToSUA2QnU for <ietfarch-v6ops-archive@core3.amsl.com>; Fri, 24 Apr 2009 11:24:49 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 284823A6A24 for <v6ops-archive@lists.ietf.org>; Fri, 24 Apr 2009 11:24:49 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1LxQ4w-000AZF-Cv for v6ops-data0@psg.com; Fri, 24 Apr 2009 18:24:50 +0000
Received: from [171.71.176.117] (helo=sj-iport-6.cisco.com) by psg.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.69 (FreeBSD)) (envelope-from <fred@cisco.com>) id 1LxQ4g-000AXz-Sc for v6ops@ops.ietf.org; Fri, 24 Apr 2009 18:24:42 +0000
X-IronPort-AV: E=Sophos;i="4.40,243,1238976000"; d="scan'208";a="292425449"
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-6.cisco.com with ESMTP; 24 Apr 2009 18:24:34 +0000
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id n3OIOY6Z011000; Fri, 24 Apr 2009 11:24:34 -0700
Received: from stealth-10-32-244-219.cisco.com (stealth-10-32-244-219.cisco.com [10.32.244.219]) by sj-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id n3OIOXWX013991; Fri, 24 Apr 2009 18:24:34 GMT
Cc: teemu.savolainen@nokia.com, v6ops@ops.ietf.org, kurtis@kurtis.pp.se, rbonica@juniper.net, Basavaraj.Patil@nokia.com, jouni.korhonen@nsn.com
Message-Id: <38E6CF9B-D53E-46E0-B422-4A0DB07F25FA@cisco.com>
From: Fred Baker <fred@cisco.com>
To: Dan Wing <dwing@cisco.com>
In-Reply-To: <016701c9c506$97ff5ae0$c5f0200a@cisco.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v930.3)
Subject: Re: draft-ietf-v6ops-cpe-simple-security-04 WGLC
Date: Fri, 24 Apr 2009 11:24:31 -0700
References: <32129337-7BED-4D7A-AF06-BC5ABB37D994@cisco.com> <18034D4D7FE9AE48BF19AB1B0EF2729F27F2C05DC3@NOK-EUMSG-01.mgdnok.nokia.com> <016701c9c506$97ff5ae0$c5f0200a@cisco.com>
X-Mailer: Apple Mail (2.930.3)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=4617; t=1240597474; x=1241461474; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=fred@cisco.com; z=From:=20Fred=20Baker=20<fred@cisco.com> |Subject:=20Re=3A=20draft-ietf-v6ops-cpe-simple-security-04 =20WGLC |Sender:=20; bh=CeZODKBQxPwmSp2HMe9TEx6f1ncdFOugOAI2L4ul/F4=; b=nCPgEq54uZxuuATKxuM1EQ33B2vWv4pLbQD/pSdVTDNoAutMWRa7YQu4ZY iKc8juhMO9YC3i2Au5smktMTDEyWqhMTK17Af2M71p+JWKOfMbR/nkX4nNWh yT2uUFOuO0EPBN/ClRd3T9TN8eHITXb+G7VjRZlezko+HV/hU8yMU=;
Authentication-Results: sj-dkim-1; header.From=fred@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

While the exact timing is open to opinions, I would suspect the  
original mention derives from a combination of two things.

(1) When TCP was originally under development, in the 1970's, there  
was a sense that a datagram could float around for several minutes,  
which is why the TCP sequence space is as large as it is and why  
timers are what they are.

(2) KC Claffy's dissertation, published in part in SIGCOMM 1993, found  
that TCP sessions could stop sending for several seconds and then  
restart, such as due to an application running off to a back-end  
database or launching a process. She defined a microflow as having  
ended when no datagram in the microflow had been seen for 300 seconds.  
I pushed her to try a number of intervals, including 1, 2, 4, 8  
seconds, 15, 30, 60, and 300. She in fact tested something akin to  
that (in her perl scripts, it was a matter of changing a variable and  
re-running the test on the same data), and she found that 8 seconds  
was a big change - the same session could originate a new datagram as  
late as 300 seconds later, but the probability was that if a session  
had not spoken for 8 seconds it was unlikely to speak again. Today,  
iPhoto uploading to Picasa (I have observed) can stall a pipelined TCP  
session for 15 seconds, so the interval is probably longer - for  
safety I would talk about 30-60 seconds.

Why two minutes? Probably safety, coupled with the fact that UDP has  
no counterpart to "RST" that can be interpreted to short-circuit a  
session being ended.

On Apr 24, 2009, at 11:00 AM, Dan Wing wrote:

>
>
>> -----Original Message-----
>> From: owner-v6ops@ops.ietf.org
>> [mailto:owner-v6ops@ops.ietf.org] On Behalf Of
>> teemu.savolainen@nokia.com
>> Sent: Friday, April 24, 2009 4:46 AM
>> To: fred@cisco.com; v6ops@ops.ietf.org
>> Cc: kurtis@kurtis.pp.se; rbonica@juniper.net;
>> Basavaraj.Patil@nokia.com; jouni.korhonen@nsn.com
>> Subject: RE: draft-ietf-v6ops-cpe-simple-security-04 WGLC
>>
>> Hi,
>>
>> I believe this document is of operational utility.
>>
>> Few comments/questions:
>> - 3.2.2. describes, as per RFC4787, that UDP mappings MUST
>> NOT expire in less than two minutes. As I don't know the
>> backgrounds of this decision,
>
> It is probably from REQ-5 of
> http://tools.ietf.org/html/rfc4787#section-4.3.
>
>> I wonder why the minimum time
>> could not be longer for IPv6? The longer the time the less
>> need to activate radio for keep-alive sending (on either side
>> of the firewall btw - consider a case where CPE has wireless
>> WAN). In CGN case short timeout is understandable due need to
>> save public ports, but that probably is not an issue in
>> simple IPv6 firewall. So why e.g. not two hours as for TCP?
>
> Two hours seems a long time to leave your door open.
>
> A longer timeout could be negotiated between the the host and its  
> CPE router
> using whatever protocol exists and becomes a defacto standard on  
> IPv6 networks
> (e.g., draft-woodyatt-ald, UPnP IGD version 2).
>
> -d
>
>> - 3.2.5. Just to check that DSMIP6 is considered as one of
>> these other tunneling protocols mentioned in R22? How about
>> MIP6 route optimization, will that work through a device
>> implementing this specification?
>> - 3.4 says it remains to be seen if UPnP:IGD is to be
>> extended for IPv6. I would rather say that IPv6 is being
>> added to UPnP:IDG2. See:
>> "http://www.upnp.org/resources/documents/UPnPIGD2vsIGD1d100320
>> 09.pdf  "UPnP Gateway committee: IGD:2 improvements over IGD:1"
>>
>> Best regards,
>>
>> 	Teemu
>>
>>
>>> -----Original Message-----
>>> From: owner-v6ops@ops.ietf.org
>>> [mailto:owner-v6ops@ops.ietf.org] On Behalf Of ext Fred Baker
>>> Sent: 15 April, 2009 18:27
>>> To: IPv6 Operations
>>> Cc: kurtis@kurtis.pp.se; rbonica@juniper.net
>>> Subject: draft-ietf-v6ops-cpe-simple-security-04 WGLC
>>>
>>> This is to initiate a two week working group last call of
>>> draft-ietf- v6ops-cpe-simple-security-04. Please read it now.
>>> If you find nits (spelling errors, minor suggested wording
>>> changes, etc), comment to the authors; if you find greater
>>> issues, such as disagreeing with a statement or finding
>>> additional issues that need to be addressed, please post your
>>> comments to the list.
>>>
>>> We are looking specifically for comments on the importance of
>>> the document as well as its content. If you have read the
>>> document and believe it to be of operational utility, that is
>>> also an important comment to make.
>>>
>>>
>

v2.23.0 | Report a Bug | By Email