IETF Logo Mail Archive

Re: [v6tc] Re: Tunneling and Transition Drafts

Jeroen Massar <jeroen@unfix.org> Tue, 12 April 2005 20:26 UTC

Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA06513; Tue, 12 Apr 2005 16:26:15 -0400 (EDT)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DLS7K-0005xL-NL; Tue, 12 Apr 2005 16:36:15 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DLRx3-0002o2-3T; Tue, 12 Apr 2005 16:25:37 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DLRx1-0002eN-Ef for v6tc@megatron.ietf.org; Tue, 12 Apr 2005 16:25:35 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA06197 for <v6tc@ietf.org>; Tue, 12 Apr 2005 16:25:25 -0400 (EDT)
Received: from 213-136-24-43.adsl.bit.nl ([213.136.24.43] helo=purgatory.unfix.org ident=postfix) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DLS6U-0005qR-7f for v6tc@ietf.org; Tue, 12 Apr 2005 16:35:25 -0400
Received: from firenze.zurich.ibm.com (pat.zurich.ibm.com [195.176.20.45]) (using SSLv3 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by purgatory.unfix.org (Postfix) with ESMTP id 1B6CC8687; Tue, 12 Apr 2005 22:25:08 +0200 (CEST)
Subject: Re: [v6tc] Re: Tunneling and Transition Drafts
From: Jeroen Massar <jeroen@unfix.org>
To: Fred Baker <fred@cisco.com>
In-Reply-To: <23ec6165fdb2ab7b2f3946e45caef796@cisco.com>
References: <BE78FA5D.F1CA3%jordi.palet@consulintel.es> <425395F8.50501@renater.fr> <Pine.LNX.4.61.0504061057570.11494@netcore.fi> <4253EBCF.8030800@renater.fr> <20050412143053.GQ22380@login.ecs.soton.ac.uk> <23ec6165fdb2ab7b2f3946e45caef796@cisco.com>
Organization: Unfix
Date: Tue, 12 Apr 2005 22:25:03 +0200
Message-Id: <1113337503.25395.80.camel@firenze.zurich.ibm.com>
Mime-Version: 1.0
X-Mailer: Evolution 2.2.1.1
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7fa173a723009a6ca8ce575a65a5d813
Cc: "'v6ops@ops.ietf.org '" <v6ops@ops.ietf.org>, v6tc@ietf.org
X-BeenThere: v6tc@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: v6tc.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/v6tc>, <mailto:v6tc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/v6tc>
List-Post: <mailto:v6tc@ietf.org>
List-Help: <mailto:v6tc-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/v6tc>, <mailto:v6tc-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0404484946=="
Sender: v6tc-bounces@ietf.org
Errors-To: v6tc-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a1852b4f554b02e7e4548cc7928acc1f

On Wed, 2005-04-13 at 02:44 +0800, Fred Baker wrote:

> I'm perfectly happy to standardize on existing types of tunnels - 
> IPsec, GRE, IPv4/IPv6, IPv4/IPv4, IPv6/IPv4, IPv6/IPv6, L2TP, or 
> whatever. If we don't solve the rendezvous problem (and btw communicate 
> to the peer what kind of tunnel a given gateway is willing to support) 
> we have not *touched* the transition problem.

L2TP seems to cover the hole quite well. Except for the fact that there
is no discovery and the datastream of L2TPv2, as LTPv3 has some magic
stuff to fix it, can easily be spoofed, just like proto-41. IPSec can
solve this, but requires authentication and external setup again.

L2TP covers imho 90% of the cases. But... if you don't have a PPP infra
it will be (harder) to setup. And it doesn't allow for quick mobility
like in AYIYA or proto41+heartbeat. Thus when switching IP addresses
(walking to another floor with your wireless) the tunnel needs to notice
(L2TP StopCCN) that it is failing and renegotiate, which takes a few
secs, not more, but might give a different IP etc as it will do RA's
again or DHCPv6, which might take a bit longer and most likely will
break your SSH session if you like this. But we are not standardizing
Mobile IP here ;)

It might be, according to some that L2TP+PPP is heavy code, including
definitions about 2k lines of code for a minimal implementation that
works. Overhead of a L2TP tunnel including PPP is minimal. At least it
won't be noticed much when you are streaming video's over your neato
G3's or whatever cellphone.

Btw, anonymous tunnels in L2TP can be solved by not letting the server
request authentication and letting it reject auth attempts from the
client. Though I have not been able to verify how many servers support
this.

TSP or a similar protocol is IMHO a must, because L2TP simply can't be
deployed everywhere and better, not everybody wants it: Market::Decide()
TSP is handy in all cases, it can also have a template pointing to a
L2TP server etc. Next to that there is a client available for all
platforms.

As for the point made in the minutes that there is only one
implementation, AICCU will support TSP too as an option in the near
future.

> And what I would like to see happen is for someone, somewhere - and 
> note that I am very willing to do this in v6ops if people want and also 
> willing to send it to v6tc or wherever else - to solve that rendezvous 
> problem. As a result, I would like to see the various competing 
> transition strategies all rendered OBE and get everyone to converge on 
> a single transition approach.

I've finally submitted my "_service" draft to the secretariat, it should
appear shortly in dnsop. I'll forward it to v6ops + v6tc when it is
there.

In "short":

Anycast prefix 1.2.3.0/24, on which on 1.2.3.53 there is a DNS server
listening. This is a (caching) recursive server which can be used for
looking up anything (www.google.com www.ietf.org etc). It is also
authoritive for the "_service." domain, in which we stick SRV records.
Usually _service is a DNAME to _service.example.net. Which fulfills the
searchpath, if the user does not have this special DNS server
configured, but does have it's ISP's domain in the searchpath, then the
resolver will come to _service.example.net because of the searchpath.

Thus, client gets turned on, it gets connectivity, it needs to lookup
something, resolver is default configured to 1.2.3.53, resolving thus
works. The prefix is anycasted by it's or another ISP, who can filter on
wish etc. If user needs a service, eg SMTP, it resolves the SMTP SRV
records, which can specify load balancing and other stuff. Same for
POP3, IMAP, or lookup eg help.www._service which returns a TXT record to
the URL of the servicedesk of the ISP you are using.

For the v6ops/v6tc case a client can first try l2tp.ipv6._service if
that exists, use it, then try tsp.ipv6._service, if that exists, use
that one. Discovery solved in the most generic way. It does indeed take
a couple of resolves, but hey people want it automatically. As for the
ones screaming "but I don't want a default thing" then configure the
client you are using for doing this.

Of course a similar prefix for IPv6 so that this also solves dns
configuration. Another good thing is that, assuming you have
connectivity you will always have the closest dns server, also ISP's can
then nicely block all the RFC1918 registrations in those, but that is
most likely just a good hope from me, most don't even filter...

Greets,
 Jeroen


_______________________________________________
v6tc mailing list
v6tc@ietf.org
https://www1.ietf.org/mailman/listinfo/v6tc

v2.23.0 | Report a Bug | By Email