Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-iptfs-14: (with DISCUSS and COMMENT)

Wed, 24 Aug 2022 17:41:40 -0700 


Warren Kumari <war...@kumari.net> writes:


On Wed, Aug 24, 2022 at 5:33 AM, Lars Eggert <l...@eggert.org> wrote:


    Hi,

    On 2022-8-24, at 2:08, Christian Hopps <cho...@chopps.org> wrote:

        How about we add the text "This MUST NOT be used when full
        admin control over the network cannot be assured."?



I don't really understand what "full admin control over the network"
really means… well, I do know what that means, but I don't really
know as an operator what the implication are. If I have a site with a
10GE primary link, and a 1GE for the backup, I have "full admin
control", but I still presumably shouldn't configure this to use
2Gbps, or I need to ensure that I have firewall filters to block this
traffic if the primary link goes down… 


It means you own, have rights to, and/or control the entire network the tunnel 
will operate over.


I guess that I don't really understand how this would be expected to
be deployed in practice and what sort of expected CBR is expected.
Any solution which generates a constant rate of traffic and doesn't
understand congestion certainly seems like it is likely to cause
issues unless is can be constrained to a single path and / or be
known to be the only traffic source on that path (like a
bump-in-the-wire solution).


If you own/control/have the rights to the entire network, then you have the 
same over all the paths through the network. There are organizations that wish 
to deploy IPTFS protected tunnels at their fixed rate w/o congestion control, 
over said networks. And they should be able to.

Thanks,
Chris.








    "full admin control" is a necessary prerequisite to mitigate/
    manage issues, but not a solution in itself.

    This CBR ESP tunnel is basically identical to a CBR pseudowire.
    There was quite a bit of work/discussion between PWE3 and various
    transport groups in the past that resulted in a set of guidance
    on how such pseudowires are safe to deploy. This guidance needs
    to be adopted here as well (or we'll need a much longer
    discussion on what alternative guidance could look like and why.)





I'll happily admit that I haven't read that / those discussions, but
I'm glad that it sounds like there is existing work that can be
cribbed from…

W



    Thanks,
    Lars

Attachment: signature.asc
Description: PGP signature

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Reply via email to