Re: Hidden AVPs and NAT

Avinash,

my comments inline..

>   On other hand if you are not the originator, then
>   implementing NAT for incoming calls from outside is
>   little confusing. NAT, typically makes sense, when
>   connections/sessions (whether TCP, UDP, L2TP, etc.)
>   are initiated from within.
> 
>   Or did I not understand your point?
> 
>   ---Yes, i am always the originator, everything is initiated from inside the
> NAT.
>   But the prob is, the NAT i am talking about does a comparison for the
> entire session information
>   for any incoming packet. So comparison is made at nat for src ip,dstn
> ip,src port and 
>   dstn port. Now the source port of the SCCRP could be different from the
> 1701(since recepient
>   can use any free port as source port while responding to a SCCRQ). This wud
> cause
>   a failure in the NAT lookup. i've deviced a workaround for the same with
> the port table 
>   kindof thing i had sent earlier in the group as the basis...
True; The response to SCCRQ could have a different port (source port) not the
destination port, which would was indicated in SCCRQ. It invites keeping extra
information of mapped ports to be mapped to when doing NAT, i.e. it would have
to be stateful as opposed to stateless NAT. As indicated in section 8.1 the
solution is not very NAT friendly.

Re: Questions about draft-ietf-l2tpext-failover-02.txt

Paul,

You have some good points and feedback.
I am responding to your original email while
keeping in mind the discussion you and Keyur have
had so far and bringing them to the list.
my comments inline..

> I've got some questions about the failover draft.
> 
> sec 2.3 - "Endpoints MUST avoid sending any control packets over the old 
> tunnel that is being recovered".   What is the behavior for in-transit 
> control packets?   I presume the receiver should silently discard any 
> control packets on the old tunnel (no acknowledgement, no action based 
> on received control packet).   I presume such behavior should start once 
> recovery is detected (either by failed endpoint sending new SCCRQ or by 
> failed endpoint's peer receiving new SCCRQ)?
True. Probably we we should clarify that the packets received on receiving end
MUST be sliently discarded.

> 
> sec 2.3.1, last bullet - "...it SHOULD clear the tunnel and sessions 
> within that tunnel on its end".   I presume this is a silent clearing 
> (no transmit of StopCCN or CDN)?
True. Probably we should clarify that too explicitly.

> sec 2.3.3, last bullet - Would it not be potentially premature to start 
> establishing new sessions prior to re-synchornization of the session 
> state?  
As Keyur pointed out, the session re-synchronization is not mandatory

Re: Questions about draft-ietf-l2tpext-failover-02.txt

Re: Re: Questions about draft-ietf-l2tpext-failover-02.txt

Paul,

I am snipping out plenty of text that you didn't comment
on in this email..

> <pwh> sec 2.3.4 - "Data Plane Behavior" - "...the non-failed endpoint
> MUST set the next expected Ns based on the incoming Ns value..." - I
> presume the next expected Ns is set based on the incoming Ns value of
> the first data received on the new TID?   Why is this only required at
> the non-failed endpoint?    
>   
> <vipin> The data plane getting affected on the failed node is likely.
> I don't know why you say on non failed node data plane getting affected
> is a possibility at all?  
>
> [pwh2] In the case of a data plane failover, one side (the failed side)
> haslost it's next Ns and it's next expected Ns.   Thus the failed endpoint 
> mustreset it's next expected Ns based on the Ns from the next incoming data
> framefrom the non-failed endpoint.   On the non-failed endpoint, neither the 
> nextNs or the next expected Ns have been lost.   However, the next incoming 
> dataframe from the failed endpoint will not have an Ns matching the next 
> expectedNs.   Thus the non-failed endpoint must also reset it's next expected

> Nsbased on the incoming Ns.   Thus the sentence should really 
> read "....eachendpoint MUST set the next expected Ns based on the incoming Ns

> value..."
I see your point; The clause to omit 'failed node' resulted from the assumption
we made that upon detecting failure the non-failed endpoint would also reset
its Ns to 'zero' as if the session was started afresh and so the expected Ns on
the failed node would be 'zero'.
However, to keep smoother transition, it may not be desired particularly when
data plane is not failing over. And as you point out, mandating both ends reset
their 'expected Ns' is safer approach in all situations.

thanks,
-- vipin

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

Re: Questions about draft-ietf-l2tpext-failover-02.txt

Paul,

My comments on the other set of issues..

> Thanx for your responses.   My primary concern in all of this is to havea
> mechanism that allows for control plane only failover (with hitless 
> dataplane) while also allowing for a full failover (control and data plane) 
> aswell.   I'm not sure how to achieve the hitless data plane with a tunnelid 
> change.   It also seems that for the full failover, we basically haveto 
> change the tunnel id's to establish unique before and after data 
> sequencenumber spaces (or else carry an additional field in every data plane 
> packetto indicate the instance of the sequence number space).
Your point is very valid and the suggestions you make do have merit. My
response/concerns to that is inline..

> The construct provides a mechanism to authenticate (withtunnel password
> mechanism) that most of the implementationsalready have. IMO, the problem is 
> not with using SCCRQ/SCCRP/SCCN,rather using that as a mechanism to switch 
> over to a newtunnel.
> [pwh2] I agree that the problem is switching to a new tunnel.   Since 
> thefirst packet of the handshake arrives with an unexpected Ns doing the 
> normalacknowledgment process would foul things up if it was a spoof.   Thus 
> thefirst packet, at least, probably needs to be special cased in terms of 
> acknowledgement...itreally needs to be acknowledged by the 2nd packet (which 
> is sent only ifthe credentials in the 1st packet are valid).   The existing 
> messages alsocarry AVPs that aren't really necessary to the task of 
> recovering the sequencenumbers.   Having said that, it doesn't really matter 
> what we call these3 packets....I think the key here is that they be sent over

> the already establishedtunnel.
Usually the implementations, at least the ones I have seen, have the protocol
layer riding on top of a reliable layer. The reliable layer does litmus test
for an incoming packet based on the sequence numbers, if it matches then the
expected sequence numbers are updated and packet is delivered to the protocol
layer to parse the packet. Similarly, while sending Ns is updated and packet is
queued for transmission.
Therefore in order to ensure that transport layer notices the sequence number
miss, it should be able to quickly check (instead of going through all AVPs) to
know if it needs to hand over the message to protocol layer.
Fields that we could play around with are Ns and Nr fields. We can't possibly
fiddle around with other fields. However, if we choose known Ns, Nr (i.e. both
zero) then we are making it too predictable to know the sequence numbers during
failover. This is the same concern I had mentioned earlier, to solve that we
agreed to choose sequence numbers that were diametrically opposite.

>  Why not a ResetReq withNs(0), Nr(0) to signal the reset of the control plane
> (and optionally the data plane). This could be receivedon the extant tunnel 
> without, I think, any confusion withother control packets on the tunnel -
> receiver takes ResetReqas a command to flush transmit and receive control 
> queuesfor tunnel and reset sequence numbers.   Comes back withResetReply to 
> confirm.    The ResetReply could be ackedwith the normal ack mechanism.  Now 
> we have a boundarypacket in the control plane in both directions to resetthe 
> control plane sequence numbers.   Could you expand onwhy something along 
> these lines could not be structured toaddress your concerns?    

> Using one 'extant' tunnel to reset control planesfor various old tunnels 
> might void the idea of having differentsecrets for different tunnels. 

> [pwh2]  I don't think this is what I was proposing.   Rather I'm proposingthe

> handshake packets are sent on the existing tunnel's control plane usingthe 
> existing tunnel's ids.
I mentioned my concerns for reusing the existing tunnel to transmit new control
packets above. Given that, I'd be inclined to do something close to what Keyur
and Leo proposed to achieve hitless dataplane failover mechanism:
- Establish a new tunnel (let's call it Failover Tunnel) to reset Ns values
(and optionally the authentication information) on two endpoints for a given
tunnel. Please note that authentication carried for a tunnel is different from
the authentication used for 'Failover tunnel' itself. Once Ns, Nr values are
set, two endpoints can start exchanging the control packets on the old tunnel.
Sessions are recovered as mentioned in the mechanism today.

> Because UDP packets could take different paths (IP routes)to reach the failed

> node, even after reset you can not besure the traffic will not interfere the 
> new tunnel duringthe beginning. I don't think it either is a strong 
> argument,but still a possibility.Resetting Ns=0 and Nr=0 would be opening up 
> security holes.If someone blasts either of the endpoints with StopCCNswith 
> predictable (Nr would be in the initial range) sequencenumbers would result 
> in tunnel termination.
> [pwh2] I agree, but I think this is more a basic problem with StopCCN 
> thanwith the failover mechanism.
There is a little difference: I think in regular case chances of getting the
retransmitted packet with same sequence number is much higher. During failover
we would get a totally different packet acknowledging (or preceived as by the
receiving end) as one of the post failover packet. Only way to avoid is to use
distant Ns values when the old tunnel is revived. I think we agree on this.

>   It's not too hard to send a flood of S
> opCCNsto take down a tunnel even not knowing the sequence numbers.   Yes, a 
> resetto 0 makes it more easier.   Your suggestion below would help with this 
> (andwith the UDP re-ordering problem above).   Posit that each side choses 
> it'snew Ns in the 2nd and 3rd packets of the handshake.   Each side choses 
> anNs that is away from recent prior traffic.   This restores 
> upredictabilityfor the StopCCN scenario and addresses the UDP re-ordering.

> Well, to avoid that we'd have to mandate both endspick their own Ns values 
> and let the other end set their Nrbased on that.thanks,-- 

let me know what you think.

thanks,
-- vipin

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

I-D ACTION:draft-townsley-l2tpv3-mpls-00.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.

	Title		: MPLS over Layer 2 Tunneling Protocol (Version 3)
	Author(s)	: M. Townsley
	Filename	: draft-townsley-l2tpv3-mpls-00.txt
	Pages		: 9
	Date		: 2003-10-20
	
The Layer 2 Tunneling Protocol, Version 3, (L2TPv3) defines a
protocol for tunneling a variety of payload types over IP networks.
This document defines how to carry an MPLS label or label stack and
its payload over L2TPv3. This enables an application which
traditionally requires an MPLS-enabled core network to utilize an
L2TPv3 encapsulation over an IP network instead.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-townsley-l2tpv3-mpls-00.txt

To remove yourself from the IETF Announcement list, send a message to 
ietf-announce-request with the word unsubscribe in the body of the message.

Internet-Drafts are also available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,
type "cd internet-drafts" and then
	"get draft-townsley-l2tpv3-mpls-00.txt".

A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html 
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

Internet-Drafts can also be obtained by e-mail.

Send a message to:
	mailserv <at> ietf.org.
In the body type:
	"FILE /internet-drafts/draft-townsley-l2tpv3-mpls-00.txt".
	
NOTE:	The mail server at ietf.org can return the document in
	MIME-encoded form by using the "mpack" utility.  To use this
	feature, insert the command "ENCODING mime" before the "FILE"
	command.  To decode the response(s), you will need "munpack" or
	a MIME-compliant mail reader.  Different MIME-compliant mail readers
	exhibit different behavior, especially when dealing with
	"multipart" MIME messages (i.e. documents which have been split
	up into multiple messages), so check your local documentation on
	how to manipulate these messages.
		
		
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

L2TP Active Discovery Relay for PPPoE to Informational

To date, draft-dasilva-l2tp-relaysvc-07.txt has been a Standards Track document. 
The document passed WG and IETF last call, and IESG review for Proposed Standard 
with one exception. The exception is that this document contains a normative 
reference to an Informational document (PPPoE).

Thomas Narten and Randy Bush have been addressing this procedural issue within 
the IETF, recently producing draft-ymbk-downref-00.txt for discussion on the 
matter.

I spoke with Thomas the other day. His recommendation is to go ahead and advance 
PPPoE Relay to Informational RFC status now since it has been lingering on his 
plate for so long. Then, after the above mentioned process has been hammered 
out, we can respin the document to Standards Track if necessary and according to 
whatever new methods are defined.

Please let us know if anyone has a problem with this.

Thanks,

- Mark

I-D ACTION:draft-dasilva-l2tp-relaysvc-07.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Layer Two Tunneling Protocol Extensions Working Group of the IETF.

	Title		: L2TP Active Discovery Relay for PPPoE
	Author(s)	: M. Townsley, R. da Silva
	Filename	: draft-dasilva-l2tp-relaysvc-07.txt
	Pages		: 16
	Date		: 2003-10-24
	
The Point-to-Point Protocol (PPP) [1] provides a standard method for
transporting multi-protocol datagrams over point-to-point links.
Layer Two Tunneling Protocol (L2TP) [2], facilitates the tunneling of
PPP packets across an intervening packet-switched network.  And yet a
third protocol, PPP over Ethernet (PPPoE) [3] describes how to build
PPP sessions and to encapsulate PPP packets over Ethernet.
L2TP Active Discovery Relay for PPPoE describes a method to relay
Active Discovery and Service Selection functionality from PPPoE over
the reliable control channel within L2TP.  Two new L2TP control
message types and associated PPPoE-specific Attribute Value Pairs
(AVPs) for L2TP are defined.  This relay mechanism provides enhanced
integration of a specific feature in the PPPoE tunneling protocol
with L2TP.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-dasilva-l2tp-relaysvc-07.txt

To remove yourself from the IETF Announcement list, send a message to 
ietf-announce-request with the word unsubscribe in the body of the message.

Internet-Drafts are also available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,
type "cd internet-drafts" and then
	"get draft-dasilva-l2tp-relaysvc-07.txt".

A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html 
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

Internet-Drafts can also be obtained by e-mail.

Send a message to:
	mailserv <at> ietf.org.
In the body type:
	"FILE /internet-drafts/draft-dasilva-l2tp-relaysvc-07.txt".
	
NOTE:	The mail server at ietf.org can return the document in
	MIME-encoded form by using the "mpack" utility.  To use this
	feature, insert the command "ENCODING mime" before the "FILE"
	command.  To decode the response(s), you will need "munpack" or
	a MIME-compliant mail reader.  Different MIME-compliant mail readers
	exhibit different behavior, especially when dealing with
	"multipart" MIME messages (i.e. documents which have been split
	up into multiple messages), so check your local documentation on
	how to manipulate these messages.
		
		
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

I-D ACTION:draft-dasilva-l2tp-relaysvc-07.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Layer Two Tunneling Protocol Extensions Working Group of the IETF.

	Title		: L2TP Active Discovery Relay for PPPoE
	Author(s)	: M. Townsley, R. da Silva
	Filename	: draft-dasilva-l2tp-relaysvc-07.txt
	Pages		: 16
	Date		: 2003-10-24
	
The Point-to-Point Protocol (PPP) [1] provides a standard method for
transporting multi-protocol datagrams over point-to-point links.
Layer Two Tunneling Protocol (L2TP) [2], facilitates the tunneling of
PPP packets across an intervening packet-switched network.  And yet a
third protocol, PPP over Ethernet (PPPoE) [3] describes how to build
PPP sessions and to encapsulate PPP packets over Ethernet.
L2TP Active Discovery Relay for PPPoE describes a method to relay
Active Discovery and Service Selection functionality from PPPoE over
the reliable control channel within L2TP.  Two new L2TP control
message types and associated PPPoE-specific Attribute Value Pairs
(AVPs) for L2TP are defined.  This relay mechanism provides enhanced
integration of a specific feature in the PPPoE tunneling protocol
with L2TP.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-dasilva-l2tp-relaysvc-07.txt

To remove yourself from the IETF Announcement list, send a message to 
ietf-announce-request with the word unsubscribe in the body of the message.

Internet-Drafts are also available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,
type "cd internet-drafts" and then
	"get draft-dasilva-l2tp-relaysvc-07.txt".

A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html 
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

Internet-Drafts can also be obtained by e-mail.

Send a message to:
	mailserv <at> ietf.org.
In the body type:
	"FILE /internet-drafts/draft-dasilva-l2tp-relaysvc-07.txt".
	
NOTE:	The mail server at ietf.org can return the document in
	MIME-encoded form by using the "mpack" utility.  To use this
	feature, insert the command "ENCODING mime" before the "FILE"
	command.  To decode the response(s), you will need "munpack" or
	a MIME-compliant mail reader.  Different MIME-compliant mail readers
	exhibit different behavior, especially when dealing with
	"multipart" MIME messages (i.e. documents which have been split
	up into multiple messages), so check your local documentation on
	how to manipulate these messages.
		
		
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

Re: Questions about draft-ietf-l2tpext-failover-02.txt

Paul,

my comments inline..

> My comments inline [pwh3]

> Usually the implementations, at least the ones I have seen, have the 
> protocollayer riding on top of a reliable layer. The reliable layer does 
> litmus testfor an incoming packet based on the sequence numbers, if it 
> matches then theexpected sequence numbers are updated and packet is delivered

> to the protocollayer to parse the packet. Similarly, while sending Ns is 
> updated and packet isqueued for transmission.Therefore in order to ensure 
> that transport layer notices the sequence numbermiss, it should be able to 
> quickly check (instead of going through all AVPs) toknow if it needs to hand
> over the message to protocol layer.Fields that we could play around with are 
> Ns and Nr fields. We can't possiblyfiddle around with other fields. However, 
> if we choose known Ns, Nr (i.e. bothzero) then we are making it too 
> predictable to know the sequence numbers duringfailover. This is the same 
> concern I had mentioned earlier, to solve that weagreed to choose sequence 
> numbers that were diametrically opposite.
> [pwh3] I agree with the issues about separation of the reliable layer andthe 
> protocol layer.   You mention we can only play with Ns and Nr.   Whynot take 
> one of the reserved bits in the header to signal a UI frame (Ns= 0, Nr = 
> 0)?   The reliable layer would handle all UI frames - thus avoidingthe issue 
> of to pass up to the protocol layer or not.   The handshaking todo the 
> failover could thus be done with a sequence of UI frames.   The 
> authenticatedhandshaking with UI frames would include the new sequence 
> numbers to be usedthus avoiding predictability of the new Ns
Reserved Bits: I am in for that. Based on the discussions earlier Mark and
we agreed that if we can get it done by using a control plane message exchange
there is no need to make a L2TP-header change for this.
Using Ns=0, Nr=0 Scheme: This is flawed because it might naturally coincide
with the sequence numbers of a tunnel thereby confusing this as an
acknowledgement for a packet sent earlier.

> I mentioned my concerns for reusing the existing tunnel to transmit new 
> controlpackets above. Given that, I'd be inclined to do something close to 
> what Keyurand Leo proposed to achieve hitless dataplane failover mechanism:- 
> Establish a new tunnel (let's call it Failover Tunnel) to reset Ns values(and

> optionally the authentication information) on two endpoints for a 
> giventunnel. Please note that authentication carried for a tunnel is 
> different fromthe authentication used for 'Failover tunnel' itself. Once Ns, 
> Nr values areset, two endpoints can start exchanging the control packets on 
> the old tunnel.Sessions are recovered as mentioned in the mechanism today.
> [pwh3] What would be the packet exchange here?   I presume we would havethe 3

> way handshake to establish the failover tunnel and then packets todo the 
> reset?   Or would they be carried on the 3 way handshake.
packet exchange:
- establish a new tunnel (called 'Failover Tunnel')
- exchange the new sequence numbers of the old tunnels for control plane
- Both ends would reset their sequence numbers based on the values exchanged on
'Failover Tunnel'.
- The 'Failover Tunnel' is torn down after al tunenls are considered recovered
(i.e. when they have been exchanged and agreed upon by both peers. Remaining
tunnels are torn down assuming they do not need recovery by at least one of the
endpoints.

> One negativeto this approach is that it would require the systems to have the

> resourcesavailable to at least temporarily manage the additional tunnels - 
> this mightimply being able to temporarily peak at double the normally 
> supported numberof tunnels.   If the non-failed endpoint was at it's maximum 
> number of tunnels,how would it know to make an exception for the failover 
> tunnel setup?
And therefore we would RECOMMEND keeping space for at least tunnel for recovery
purposes. If it can't establish the tunnel, then it could retry 'x' times
before concluding the tunnel recovery mechanism failed. This is much better
than current proposal where we'd establish one new tunnel for every old tunnel.

> Howdoes the transition to the new sequence number occur? 
> I  presume we handoff the new sequence numbers to the reliable layer and
> it then purges it'sre-ordering rx queue, renumbers any outstanding,
> transmits and immediatelyre-transmits them?  Any stale receives get 
> automatically discarded as outof window.
- Renumbering outstanding transmits might create more unpredictability for no
benefit. Because control plane on the failed node would have lost the context
related to previous messages, it is better to flush everything off and start
with new sequence numbers.
The old tunnel becomes active only upon getting confirmation from its peer that
it has reset control plane sequence numbers. So this would have to be a three
way handshake as described below. For example, for an old tunnel:
- Failed node sends: "Reset Nr to 5665 for Old Local Tid = 9, Old Tid = 6".
- Non Failed node responds: "Nr for Old Tid = 9 reset to 5665, Reset Nr to 4435
for the same tunnel (i.e. Old Local Tid = 6, Old Tid = 9 from this node's
perspective)". Failed endpoint upon getting this message must first enqueue the
response of this message and then start sending control messages on the Old
tunnel.
- Failed node sends: "Nr for Old Tid = 9 reset to 4435". Non failed node upon
getting this can start sending control messages.

>  It's not too hard to send a flood of SopCCNsto take down a tunnel even not 
> knowing the sequence numbers.   Yes, a resetto 0 makes it more easier.   Your

> suggestion below would help with this (andwith the UDP re-ordering problem 
> above).   Posit that each side choses it'snew Ns in the 2nd and 3rd packets 
> of the handshake.   Each side choses anNs that is away from recent prior 
> traffic.   This restores upredictabilityfor the StopCCN scenario and 
> addresses the UDP re-ordering.    

> [pwh3] We might want the non-failed endpoint to provide a hint in the 
> 2ndpacket of the exchange to help the failed endpoint pick an Ns that is 
> farenough away.   Might be useful if the failed endpoint's mirroring of 
> it'sNs is relatively infrequent and there had been a lot of control traffic 
> onthe tunnel.
Sure, picking our own Ns and scheme described above would take care of this
security hole.  

thanks,
-- vipin

__________________________________
Do you Yahoo!?
Exclusive Video Premiere - Britney Spears
http://launch.yahoo.com/promos/britneyspears/