[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 12 Problems with "draft-ietf-v6ops-mech-v2-04.txt" : was RE: Reminder: clarification....

To: Pekka Savola <pekkas@netcore.fi>
Subject: Re: 12 Problems with "draft-ietf-v6ops-mech-v2-04.txt" : was RE: Reminder: clarification....
From: Alex Conta <aconta@txc.com>
Date: Tue, 17 Aug 2004 23:56:46 -0400
Cc: Erik Nordmark <Erik.Nordmark@sun.com>, v6ops@ops.ietf.org, gilligan@intransa.com, david.kessens@nokia.com, jonne.Soininen@nokia.com
In-reply-to: <Pine.LNX.4.44.0408171408310.23350-100000@netcore.fi>
References: <Pine.LNX.4.44.0408171408310.23350-100000@netcore.fi>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.1) Gecko/20040707


As a clarifications:

I have no interest or benefit in blocking or delaying the publishing of this document as an RFC.

I have a definite interest in having a good quality document.

Quality is more of an issue than time.

I am not happy at all that I found these problems, I would have been a lot happier to find none.

I do not have a lot of time to spend on this, or debate this - I already spent a lot more time than I initially planned or hoped.

Pekka Savola wrote:

On Mon, 16 Aug 2004, Alex Conta wrote:

(I'll respond with only the document editor hat on.)

I'll try to summarize your issues in a different way (please clarify
if something is missing):

I have ordered the problem descriptions and suggestions in the order of the sections in the document to make them flow with the reading of the document.

I am not sure I understand the use of this new exercise, but with the hope it will help resolving the problems, here it is:

NOTE: A majority of the technical problems were described to you already by me or by Erik N. in the private Email exchange we had, in quite a bit of detail, so they should not be new to you.

A) you want to explicitly spell out that the encapsulator address is configured on the node,


NO. I want a tunneling rule, and/or the previous specs rule, followed.

The tunneling rule is that the source address in a tunnel packet MUST be one of the encapsulator's addresses - see Problem 3 and 4.

This is captured in two rules: Rule 1. If the tunnel source address is selected automatically by the encapsulator, it MUST be one of the encapsulator's addresses, preferable the tunnel packets outgoing interfaces.

Rule 2. If the tunnel source address is configured on the encapsulator, which is OK, it MUST follow the same rule as 1, that is, MUST be one of the encapsulator's addresses, preferable the tunnel packets outgoing interface.

and sprinkle that information throughout the document. (Problem 1, part of problem 2, problem 3, problem 4, problem 6, problem 11).


Please read carefully my message; it is not only sprinkling that info.

Problem 1, 2 are independent. Section 1.1 and Section 3 are incomplete, as they seem to be left as they were before the changes, and have not followed the changes that this document has undergone.

Problem 6 and 11 are both independent from each other, and from the rest. They're inadequate wording, and thus editorial. They're completely independent of anything else.

Response: there are arguments against doing so, because it is not
necessary for protocol interoperability.  I want to see more support
from the WG if this would go in.  Erik Nordmark voiced support for the
initial versions offlist, but has been quiet since -- it is not clear
whether this is due to agreement (with either party) or not.


Erik N. pointed out also a number of problems.

I will also note that none of the protocol problems you state seem convincing: breaking IP frag, breaking ICMP, breaking dynamic MTU, breaking point-to-point link appearance.


You had both me and Erik N. point to and explain these problems.
Here it is once more, this time for the list:

The spec suggests configuring the encapsulator with a source address which is not one of its addresses. This is a departure from the IP architecture, one of the basic functions of the IP, and has the following immediate consequences:

- broken virtual point-to-point link:

The tunnel is a virtual point-to-point link between the encapsulator and decapsulator. Tunnel packets originate on the encapsulator, and thus must have as source the outgoing interface address or one of its other addresses.

When the encapsulator sends packets with a source address which is not one of its interfaces, it breaks the vptop mechanism.

Also, if a node can be configured accidentally, or intentionally, with a tunnel source address different than its own addresses, it is possible to configure multiple encapsulators with the same source, but same decapsulator. This is a non-traditional multi-point to point link, and thus different from the vptop, specified in this document.

To repeat Erik N.'s comment, if the source address is an anycast address, that MUST be said so, and dealt with it appropriately, and not just pushed under the rug.

- breaking ICMP.

If an intermediate router on the tunnel path detects an error in a tunnel packet that has a source address which is not one of the encapsulator's addresses, the ICMP message cannot reach the encapsulator, and the forwarding of the packet may have unpredictable results.

This may have unpredictable results.

- breaking dynamic MTU (problem pointed out by Erik N.)

If a tunnel packet has a source address different than one of the encapsulator's addresses, Path MTU ICMP messages cannot reach the encapsulator. This breaks the dynamic MTU mechanism.

- breaking IP fragmentation (problem pointed out by Erik N.)

If multiple encapsulators have the same source address, and there is fragmentation on each of them, the spec does not specify how to coordinate the IP fragment IDs, so the packet reassembly will not get confused on the decapsulator. This breaks IP fragmentation.

- other consequences may exist.

The first three are just basic properties of IPv4 routing: if you insert wrong source address, you don't get the return packets.


This is missing the point.

The expectation is that when one follows correctly this protocol specification the result is a working IPv6inIPv4 tunnel.

In this case, one configuring an address that is not one of the encapsulator's addresses is following correctly the specification. However the result is a non-working IPv6inIPv4 tunnel.

The last still holds but between

addresses, not the nodes (it might be possible to make this more explicit with an editorial correction to the definition of a tunnel, to set the right expectations).

A node has interfaces, which are the node's attachments to adjacent links. Addresses identify interfaces in the network. Point to point links are between ptop interfaces.

I am afraid, a new, technically different definition of a tunnel cannot be an editorial change.

The security problem is not a real

issue, because the attackers have easier time just sending the packets
using raw sockets or whatever,
 not by configuring a tunnel interface

The way you allow the configuring of the encapsulator is breaking the very mechanism that you created or existed in the decapsulator, which is checking the encapsulator's source address.

This creates exactly the very problem that it is mentioned in the Security section as a problem.

-- this would create a false sense of security at best because you
just can't trust the encapsulators to behave well in any case.

I agree with that (false sense of security), but then why not remove the decapsulator source address check all together?

 B) you want to spell out that the source address is used as a filter
for inbound packets (i.e., which tunnel they belong to), and that the
addresses MUST be the same on entry & exit points, (the rest of
problem 2)


Problem 2 is simply insufficient text.

The changes done on this document on some text resulted in that text being removed, or moved in the wrong place. Consequently the specification has holes when compared to its predecessor, RFC 2893, and for a draft standard it MUST be corrected.

The suggestion is supposed to plug the holes.

Response: this is a clarification which is not required for protocol interoperability.


This does not seem an accurate characterization.

Currently two IP implementations that are configured according to the spec, may not work, that is, they may not interoperate.

The suggestion spells out the configuration requirements, and helps the configuring, with the result of a working IPv6inIPv4 tunnel, which is to have two implementations interoperate.

In conclusion is that the suggestion resolves interoperability problems, and thus is required for interoperability.

Further, it may restrict the implementators of the protocol.

Rewording "restrict", with "driving in the right direction" would be more accurate.

It also adds a MUST for which an implementor has no way of

ensuring it's fulfilled (there is no way to check what the other end
has configured -- either it works or it doesn't) -- so this is an
unnecessary specification.

The MUST is related to the configuring of addresses, not to implementation. This is also an operational spec isn't it?

C) you want to add a MUST to generate protocol-41 unreachables when you receive a packet with incorrect source address. (problem 7, problem 12)

Response: this has already been discussed. Please check the archives
at http://ops.ietf.org/lists/v6ops/v6ops.2003/ (scroll down to "RFC
2893 Question - Ingress Filtering of IPv6-in-IPv4").  There are good
reasons why no ICMP feedback is *required* (however, it's still
compliant to send one if you want, it's SHOULD NOT in the spec.).


I do not have the time to check the archives.

I simply pointed out, that currently there is a black hole effect.

That means, it is possible to have a legitimate configuring of a tunnel between two nodes, according to the spec, but a tunnel failure, with packets seemingly going nowhere, and have no indication of the reason the tunnel packets sent from one node do not get to the other.

Furthermore, having it both ways, /w and w/ ICMP messages seems  confusing.

D) you'd like to see a couple of editorial changes (problem 5, problem 9, problem 10)

Response: 5 & 9 can be easily fixed at AUTH48. I don't understand the problem 10 at all as by definition all the tunnels are now bidirectional. If egress is towards X, ingress is coming from X. Wording suggestions are welcome if really necessary.

The text is confusing to the extent that I can have several correct but opposite interpretations.

I could work on this with you, but for that I need you qualify the nouns, and verbs in those sentences, so I can see what the spec (or you) really wanted to say.

Summary:

Keeping in mind the current state of the document (past WG last call,
past IETF last call, past IESG evaluation), there is very strong
reason to make no changes unless there is a strong reason to do so.
I'll take editorial issues to the account (issue D), but unless there
is WG consensus, I will not incorporate other changes as they do not
seem to be sufficiently do not seem to fulfill the "very strong
reason" criterium.

You had one person (me) and a previous co-author (Erik N.) pointing you these problems.

(editor hat off)

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

References:
- Re: 12 Problems with "draft-ietf-v6ops-mech-v2-04.txt" : was RE: Reminder: clarification....
  - From: Pekka Savola <pekkas@netcore.fi>

Prev by Date: RE: 12 Problems with "draft-ietf-v6ops-mech-v2-04.txt" : was RE: Reminder: clarification....
Next by Date: Re: 12 Problems with "draft-ietf-v6ops-mech-v2-04.txt" : was RE: Reminder: clarification....
Previous by thread: Re: 12 Problems with "draft-ietf-v6ops-mech-v2-04.txt" : was RE: Reminder: clarification....
Next by thread: Re: 12 Problems with "draft-ietf-v6ops-mech-v2-04.txt" : was RE: Reminder: clarification....
Index(es):
- Date
- Thread