Re: [Hipsec] proposed changes to RFC5206-bis
Miika and Rene, Thanks for the comments; I'll plan to revise both drafts (mobility and multihoming) along the lines suggested by next week. - Tom ___ Hipsec mailing list Hipsec@ietf.org https://www.ietf.org/mailman/listinfo/hipsec
Re: [Hipsec] proposed changes to RFC5206-bis
Hi Tom and Rene, On 12/16/2014 05:18 PM, Tom Henderson wrote: Thanks Rene for your comments; responses inline below. On 12/15/2014 02:19 AM, Rene Hummen wrote: Hi Tom, hi all, please find my feedback in-line. On 12 Dec 2014, at 02:09, Tom Henderson t...@tomh.org wrote: Hi all, I recently published the version -07 draft of RFC5206-bis (mobility support in HIP). This was merely a refresh of -06; I'd like to now start moving through and closing the remaining open issues so we can get the document into shape for WGLC. I made a pass through the document and plan to publish the following (IMO) minor changes in version -08 next week, if there are no objections. Separately, I will start threads on remaining open issues that require some discussion on the list. Section 3.2 Protocol Overview -- The draft states: However, some implementations may want to experiment with sending LOCATOR_SET parameters also on other packets, such as R1, I2, and NOTIFY. I propose to delete this sentence since we are no longer experimental; +1 I would actually propose to completely remove all mentioning of the LOCATOR_SET parameter from any message type but UPDATE within the context of this document in order to simplify host mobility to a single procedure (UPDATE with LOCATOR_SET). If, e.g., multi-homing, prefers the LOCATOR_SET parameter in other messages, a separate document can specify this message flow. I hadn't considered this, but it would be in keeping with the mobility/multihoming scope split that we have already agreed to do. I'll look into migrating the use of additional messages from this draft to the multihoming draft if there are no other comments. I would suggest to move complexity to the multihoming draft in order to keep the mobility extensions simple enough to be implemented e.g. for sensors. later in the document (section 5.3), it states that: A host SHOULD be prepared to receive a LOCATOR_SET parameter in the following HIP packets: R1, I2, UPDATE, and NOTIFY. and it leaves open to the implementation (Section 5.2) when to send such a packet. More on this later. See comment above. (also) Section 3.2: -- The draft states: The scenarios below at times describe addresses as being in either an ACTIVE, VERIFIED, or DEPRECATED state. 'VERIFIED' is a typo; it should be ‘UNVERIFIED' +1 +1 3.2.1 Mobility with a Single SA Pair (No Rekeying) --- The draft states: This first example considers the case in which the mobile host has only one interface, IP address, a single pair of SAs (one inbound, one outbound), and no rekeying I propose to clarify 'IP address' as rather 'one IP address in use within the HIP session', since it is seldom the case now that hosts have one IP address system-wide, and what is really intended here is to talk about the case for which there is only one IP address in use. +1 +1 3.2.3. Using LOCATOR_SETs across Addressing Realms -- I propose to delete this section for now; we have an open issue (http://trac.tools.ietf.org/wg/hip/trac/ticket/5) to better define cross-family handovers, and I'd like to later propose different text based on the work published in Secure and Efficient IPv4/IPv6 Handovers Using Host-based Identifier-Locator Split by Varjonen et al. Why don’t you simply replace this section with your text in an upcoming revision? I don’t see the benefit in removing this section right now without a proper replacement. Partly because I hadn't come up with that replacement text yet, or concluded that we should keep it in this draft. I think the use case in the current draft is not very well defined (one host has only a IPv6 locator, while the other host has only an IPv4 locator, and some middlebox manages the translation), so I would propose to delete this case. If so, the question is whether to try to add something back about mobility across addressing realms in this draft. Another possibility would be to move this topic over to the multihoming draft, since it involves coordination across locator sets. Any objection if we descope it from this draft and make an cross-family handover a use case in the multihoming draft? I suggest to move to the multihoming draft (as I reasoned earlier). 4.3 UPDATE Packet with Included LOCATOR_SET There is a sentence that says: The sending of multiple LOCATOR_SET and/or ESP_INFO parameters is for further study; receivers may wish to experiment with supporting such a possibility. I propose to delete this since supporting it is more complicated and I am not sure of the use case. +1 What about mandating a _single_ LOCATOR_SET parameter per HIP packet? I'd agree with that proposal. +1 5.1. Locator Data Structure and Status -- The draft states: In a typical implementation, each
Re: [Hipsec] proposed changes to RFC5206-bis
Hi Tom, hi all, please find my feedback in-line. On 12 Dec 2014, at 02:09, Tom Henderson t...@tomh.org wrote: Hi all, I recently published the version -07 draft of RFC5206-bis (mobility support in HIP). This was merely a refresh of -06; I'd like to now start moving through and closing the remaining open issues so we can get the document into shape for WGLC. I made a pass through the document and plan to publish the following (IMO) minor changes in version -08 next week, if there are no objections. Separately, I will start threads on remaining open issues that require some discussion on the list. Section 3.2 Protocol Overview -- The draft states: However, some implementations may want to experiment with sending LOCATOR_SET parameters also on other packets, such as R1, I2, and NOTIFY. I propose to delete this sentence since we are no longer experimental; +1 I would actually propose to completely remove all mentioning of the LOCATOR_SET parameter from any message type but UPDATE within the context of this document in order to simplify host mobility to a single procedure (UPDATE with LOCATOR_SET). If, e.g., multi-homing, prefers the LOCATOR_SET parameter in other messages, a separate document can specify this message flow. later in the document (section 5.3), it states that: A host SHOULD be prepared to receive a LOCATOR_SET parameter in the following HIP packets: R1, I2, UPDATE, and NOTIFY. and it leaves open to the implementation (Section 5.2) when to send such a packet. More on this later. See comment above. (also) Section 3.2: -- The draft states: The scenarios below at times describe addresses as being in either an ACTIVE, VERIFIED, or DEPRECATED state. 'VERIFIED' is a typo; it should be ‘UNVERIFIED' +1 3.2.1 Mobility with a Single SA Pair (No Rekeying) --- The draft states: This first example considers the case in which the mobile host has only one interface, IP address, a single pair of SAs (one inbound, one outbound), and no rekeying I propose to clarify 'IP address' as rather 'one IP address in use within the HIP session', since it is seldom the case now that hosts have one IP address system-wide, and what is really intended here is to talk about the case for which there is only one IP address in use. +1 3.2.3. Using LOCATOR_SETs across Addressing Realms -- I propose to delete this section for now; we have an open issue (http://trac.tools.ietf.org/wg/hip/trac/ticket/5) to better define cross-family handovers, and I'd like to later propose different text based on the work published in Secure and Efficient IPv4/IPv6 Handovers Using Host-based Identifier-Locator Split by Varjonen et al. Why don’t you simply replace this section with your text in an upcoming revision? I don’t see the benefit in removing this section right now without a proper replacement. 4.3 UPDATE Packet with Included LOCATOR_SET There is a sentence that says: The sending of multiple LOCATOR_SET and/or ESP_INFO parameters is for further study; receivers may wish to experiment with supporting such a possibility. I propose to delete this since supporting it is more complicated and I am not sure of the use case. +1 What about mandating a _single_ LOCATOR_SET parameter per HIP packet? 5.1. Locator Data Structure and Status -- The draft states: In a typical implementation, each outgoing locator is represented by a piece of state that contains the following data: I propose to clarify this by deleting 'outgoing locator' and replacing with 'locator known about the peer' since outgoing might be interpreted instead as the source address. What about saying ‘each locator announced in a LOCATOR_SET parameter’? I would also like to add these two sentences to the end of this subsection: In addition, an implementation would typically maintain similar state about its own locators offered to the peer. I wouldn’t mind about adding this text. Finally, the locators used to establish the HIP association are by default assumed to be the initial preferred locators in ACTIVE state, with an unbounded lifetime. +1 5.2. Sending LOCATOR_SETs - The lead sentence states: The decision of when to send LOCATOR_SETs is basically a local policy issue. I propose to add: LOCATOR_SET parameters MAY be included in HIP packet types of R1, I2, R2, UPDATE, and NOTIFY. We have previously not included R2 in this list, but the work published in Secure and Efficient IPv4/IPv6 Handovers Using Host-based Identifier-Locator Split by Varjonen et al. discussed some benefits found by allowing the parameter also in R2.
[Hipsec] proposed changes to RFC5206-bis
Hi all, I recently published the version -07 draft of RFC5206-bis (mobility support in HIP). This was merely a refresh of -06; I'd like to now start moving through and closing the remaining open issues so we can get the document into shape for WGLC. I made a pass through the document and plan to publish the following (IMO) minor changes in version -08 next week, if there are no objections. Separately, I will start threads on remaining open issues that require some discussion on the list. Section 3.2 Protocol Overview -- The draft states: However, some implementations may want to experiment with sending LOCATOR_SET parameters also on other packets, such as R1, I2, and NOTIFY. I propose to delete this sentence since we are no longer experimental; later in the document (section 5.3), it states that: A host SHOULD be prepared to receive a LOCATOR_SET parameter in the following HIP packets: R1, I2, UPDATE, and NOTIFY. and it leaves open to the implementation (Section 5.2) when to send such a packet. More on this later. (also) Section 3.2: -- The draft states: The scenarios below at times describe addresses as being in either an ACTIVE, VERIFIED, or DEPRECATED state. 'VERIFIED' is a typo; it should be 'UNVERIFIED' 3.2.1 Mobility with a Single SA Pair (No Rekeying) --- The draft states: This first example considers the case in which the mobile host has only one interface, IP address, a single pair of SAs (one inbound, one outbound), and no rekeying I propose to clarify 'IP address' as rather 'one IP address in use within the HIP session', since it is seldom the case now that hosts have one IP address system-wide, and what is really intended here is to talk about the case for which there is only one IP address in use. 3.2.3. Using LOCATOR_SETs across Addressing Realms -- I propose to delete this section for now; we have an open issue (http://trac.tools.ietf.org/wg/hip/trac/ticket/5) to better define cross-family handovers, and I'd like to later propose different text based on the work published in Secure and Efficient IPv4/IPv6 Handovers Using Host-based Identifier-Locator Split by Varjonen et al. 4.3 UPDATE Packet with Included LOCATOR_SET There is a sentence that says: The sending of multiple LOCATOR_SET and/or ESP_INFO parameters is for further study; receivers may wish to experiment with supporting such a possibility. I propose to delete this since supporting it is more complicated and I am not sure of the use case. 5.1. Locator Data Structure and Status -- The draft states: In a typical implementation, each outgoing locator is represented by a piece of state that contains the following data: I propose to clarify this by deleting 'outgoing locator' and replacing with 'locator known about the peer' since outgoing might be interpreted instead as the source address. I would also like to add these two sentences to the end of this subsection: In addition, an implementation would typically maintain similar state about its own locators offered to the peer. Finally, the locators used to establish the HIP association are by default assumed to be the initial preferred locators in ACTIVE state, with an unbounded lifetime. 5.2. Sending LOCATOR_SETs - The lead sentence states: The decision of when to send LOCATOR_SETs is basically a local policy issue. I propose to add: LOCATOR_SET parameters MAY be included in HIP packet types of R1, I2, R2, UPDATE, and NOTIFY. We have previously not included R2 in this list, but the work published in Secure and Efficient IPv4/IPv6 Handovers Using Host-based Identifier-Locator Split by Varjonen et al. discussed some benefits found by allowing the parameter also in R2. There is also a paragraph that states: Note that the purpose of announcing IP addresses in a LOCATOR_SET is to provide connectivity between the communicating hosts. In most cases, tunnels or virtual interfaces such as IPsec tunnel interfaces or Mobile IP home addresses provide sub-optimal connectivity. Furthermore, it should be possible to replace most tunnels with HIP based non-tunneling, therefore making most virtual interfaces fairly unnecessary in the future. Therefore, virtual interfaces SHOULD NOT be announced in general. On the other hand, there are clearly situations where tunnels are used for diagnostic and/or testing purposes. In such and other similar cases announcing the IP addresses of virtual interfaces may be appropriate. I'd like to reduce this to the following: Locators corresponding to tunnel interfaces (e.g. IPsec tunnel interfaces or Mobile IP home addresses) or other virtual interfaces
