[rrg] Fwd: comments on draft-templin-iron-12.txt

[Tony Li]

FYI: These are the comments from the IRSG review of IRON. Regards, Tony Begin forwarded message: From: "Buford, John F (John)" <buf...@avaya.com> Date: October 6, 2010 1:21:56 PM PDT To: <tony...@tony.li>, <fred.l.temp...@boeing.com>, <f...@bbn.com> Cc: "Buford, John F (John)" <buf...@avaya.com>, "John Buford" <buf...@samrg.org> Subject: comments on draft-templin-iron-12.txt The following are recommended suggestions for improving the ID before it is sent forward.     * Section 2 Terminology   Organize the terminology alphabetically and add entries for: FIB, IR[CE], IR[VC], IR[VE], IR[VP], IR (IRON Router), VET, and SEAL   The definition for VPC seems incomplete in that it focuses on the management of VPs, and doesn’t include the aspect of running an IRON overlay and the various IRs.   * Section 3 IRON   “The IRON is manifested through a business model…” Suggest re-wording this to: “The IRON is manifested through a business model in which each Virtual Prefix Company (VPC) owns and manages one or more virtual overlay networks comprising … “.  This makes it clearer that a VPC individually runs/owns the overlay and not collectively.   I am not sure why “ … is manifested through a business model …” is relevant. Their could be a myriad of business models by which an IRON overlay is operated.  Would it be more precise to say here that IRON consists of an arbitrary number of IRON overlays each of which may be separately operated by different VPCs?   “customer must have two business relationsships …”  _must_ doesn’t seem correct here.  for example, the customer could buy all its network services through a broker.   Somewhere between Fig. 4 and  Fig. 5 it would help to have one figure which shows all the IRON elements (IR[CE], IR[VC], IR[VE], IR[VP]) in a single topology.  In addition, a version of the complete figure for a single VPC and at least 2 VPCs would be helpful. Currently the first integrated diagram is not until p. 19 of the document.   p. 9 “Each IR[VE] serves as a customer-facing tunnel endpoint router that IR[CE]s form bidirectional tunnels with over the IRON”.  The readability of this sentence could be improved, for example, Each IR[VE] is customer facing and acts as both a tunnel-endpoint and a router for each IR[CE] that is associated with it.   * Section 4 IRON Organizational Principles   “The IRON consists of the union all VPC overlay networks worldwide”. This seems to preclude the possibility of multiple autonomous IRONs that don’t interoperate for various reasons (isolated topology, security).   Is there a minimial VPC configuration? Is there a specific portion of IPv4/v6 address space prefixes that would be available to an IRON?   * Section 5 IRON Initialization   “Upon startup, the IR[VC] engages in BGP routing exchanges with its peers in the IPv4 and IPv6 Internets the same as for any BGP router”.   Would the existence of many VPCs greatly increase the size of BGP routing tables?  Is this a concern in terms of scalability of IRON?   sec. 5.3 “key infrastructure” => “public key infrastructure”   It is not clear in sec 5.3 whether there are any customer roaming scenarios in which the customer needs to connect to IRON through a foreign but closer IR[CE] which would require authentication between two VPCs.   The mobility section later seems to focus on IR[CE] mobility versus customer mobility.   * Section 7 Additional Considerations   Suggest cross-reference to Appendix B Scaling Considerations could go here.   * Section 10 Security Considerations   This section should be expanded to elaborate on IRON-specific vulnerabilities, which seem to include: 1) VPC impersonation to EUN and to other VPCs 2) corrupted advertisement of IPv4/6 prefixes into BGP routers of peers 3) impersonation of IR[CE], IR[VC], IR[VE] by rogue attacker 4) pollution of a VPCs internal BGP routing tables 5) DOS attacks     Minor editorial p. 4 deaggregation => disaggregation                 John F. Buford, Ph.D. Research Scientist, Avaya Labs Research 233 Mount Airy Rd  Room 2A11 Basking Ridge, NJ 07920-2311   Office: 908-848-5675 or 908-696-5296 Mobile: 908-432-1595

_______________________________________________
rrg mailing list
rrg@irtf.org
http://www.irtf.org/mailman/listinfo/rrg