[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [RRG] Initial comments on the LISP proposal
> -----Original Message-----
> From: Dino Farinacci [mailto:dino@cisco.com]
> Sent: Tuesday, March 20, 2007 3:45 AM
> To: Templin, Fred L
> Cc: ram@iab.org; rrg
> Subject: Re: [RRG] Initial comments on the LISP proposal
>
> > Some initial comments on the LISP proposal:
>
> Thanks for the comments.
>
> > 1) The ICMP reply that is triggered by the first packet(s) from the
> > ITR to the ETR do not seem to contain any information that could
>
> The Reply goes from the ETR to the ITR.
Correct; I had a dyslexic moment.
> > help the ITR know that the reply is in fact coming from a
> > legitimate on-path ETR. Perhaps add a message digest
> (MD5 or other)
> > to the ICMP reply so that off-path attacker risks can be
> mitigated?
>
> Security is going to be addressed in the -01 draft. By using nonces
> and not accepting unsolicited replies solves most of this.
I defer to the threat analysis document and the -01 draft.
> > 2) The mechanism is really an open-ended automatic tunneling
> > mechanism.
> > This means that it will send encapsulated packets
> without having
> > any
> > way of knowing whether a suitably-configured
> decapsulator exists on
>
> This depends on how you do the mapping. If the mapping is pushed and
> the ETR registers Locators, then you do know. When you don't know,
> the host sends packet a ICMP protocol unreachable message.
But if you don't get the ICMPs, it appears as a black hole.
> For TE tunnels, you do know because most likely shared-keys will be
> used so there will be a bilateral setup of the tunnel. That means, a
> technical contract between two ISPs.
No problem for configured tunnels, obviously.
> > the path. Some systems may refuse to accept encapsulated
> packets if
> > they do not have at least a tunnel interface configured a priori,
>
> This depends on the implementation. I plan to not support it this
> way. LISP does not require the implementation to configure static
> tunnel interfaces in the ITRs and ETRs but strongly
> recommends it for
> TE-ITRs and TE-ETRs.
I'm not concerned about the LISP-enlightened nodes; I'm concerned
for the legacy nodes that don't yet implement the scheme and I
believe you may be in for some backward-compatibility issues.
> > 3) Sending encapsulated packets when there is no way of knowing
> > whether there is a suitably-configured decapsulator on the path
> > could fail to reach some services, e.g., services that reside
> > behind NAT boxes and have "holes" punched in the NAT that only
> > recognize unencapsulated packets.
>
> Same issue when you don't inject your site based route into BGP.
I don't understand your response; I was saying that the encapsulated
packets are delivered to the NAT box in front of the server, but the
NAT has a hole punched through it that only recognizes unencapsulated
packets. The service will therefore be unreachable.
> > 4) The spec doesn't say for how long the ITR will continue to send
> > encapsulated packets when it gets no replies back from an ETR.
>
> I will fix that, but intentionally left it out so I can get some
> implementation experience first before choosing a number.
OK, I'll watch for it.
> > Will it continue to send the encapsulated packets for the entire
> > duration of the flow? If so, this may not work in some cases (see
> > above) and will add unnecessary encapsulation overhead in other
> > cases. Either way, it seems that legacy systems may suffer before
> > the scheme becomes widely deployed.
>
> We will be using routable-IDs globally only for the first phase. We
> plan to have a LISP 3.0 solution soon so we never have routable IDs.
> That is the best direction to pursue.
I'll watch for that too.
> The ultimate goal should be to address all sites with PI blocks and
> not have those blocks injected into BGP. We really need to get to
> this goal as soon as possible (for both IPv4 and IPv6).
I'll agree with that.
> > 5) There is also the issue of unnessary IP fragmentation on the path
> > when the ITR is not careful about the size of the
> tunneled packets
> > it sends.
>
> Yep, a problem with any tunneling design.
Fixable with a suitable tunnel path MTU assurance mechanism.
> Thanks again. I will get numbers in the spec in about a month or so.
OK - Fred
fred.l.templin@boeing.com
> Dino
--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg