Warren Kumari via Datatracker <nore...@ietf.org> writes:

Warren Kumari has entered the following ballot position for
draft-ietf-ipsecme-iptfs-14: Discuss

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

How about we add the text "This MUST NOT be used when full admin control over the 
network cannot be assured."?

Thanks,
Chris.



I am supporting Lars' DISCUSS points, especially that around Section 2.4.1,
paragraph 3:
   The packet send
   rate is constant and is not automatically adjusted regardless of any
   network congestion (e.g., packet loss).

   For similar reasons as given in [RFC7510] the non-congestion-
   controlled mode should only be used where the user has full
   administrative control over the path the tunnel will take.  This is
   required so the user can guarantee the bandwidth and also be sure as
   to not be negatively affecting network congestion [RFC2914].  In this
   case, packet loss should be reported to the administrator (e.g., via
   syslog, YANG notification, SNMP traps, etc.) so that any failures due
   to a lack of bandwidth can be corrected.

This is a largely unrealistic requirement -- unless you are specifically
meaning "a bump-in-the-wire deployment over a point to point link" users fairly
much never have control over the path that the tunnel will take. At some point
the primary path **will** go down, and the tunnel will route over some backup
path, most likely at 3AM on the Sunday that the CEO's daughter is getting
married...

If what you are describing really is "only ever use this as a bump-in-the-wire
over a PtP interface" or "make sure that the configured bandwidth is many many
magnitudes smaller than the smallest link in the network, even when congested",
then please state that instead. As written, this text seems dangerous: you are
basically handing an enterprise network admin a DoS cannon and washing your
hands of the consequences.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Much thanks to Bo Wu for the OpsDir review, and to the authors for addressing /
incorporating the comments.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec