bemasc / risav

Github copy of draft-xu-risav

Notepad for IETF 116 #45

Open BasilGuo opened 1 year ago

BasilGuo commented 1 year ago

A backup for the comments collected from the mail lists. (INCOMPLETE)

  1. AH/transport mode. AH is dead now. RISAV is a controversial new usage of AH, but they recommend using ESP-NULL, a no-encryption version of ESP.
  2. TE for ESP/Tunnel mode. There is no difference among different packets in source IP and destination IP in the tunnel mode of RISAV, so TE may fail.
  3. MOAS. Multiple-Origin AS.
  4. DoS defence. A convincing background may be needed. DoS attack is not a good choice. Normal traffic whose source address is not spoofing could also be composed of DoS traffic. I think the classification of harm of lacking SAV in RFC 5210 is more convincing.
  5. New collaborator and maybe new drafts. As Russ Housley wants to be a collaborator, I have no problem with that and quite welcome it. And I think we could also let the RISAVAnnouncement be a general one, because it can be used not only in RISAV but also in other approaches that need one entity representing the whole AS. And for this reason, we may need to write another draft. As Nan Geng said, it can go to the sidrops WG.
  6. ISPs' deployment expectation. So far, we have communicated with some major ISPs in China. China Telecom (CT for abbrev.) has shown great interest in RISAV. And for tag-based SAV approaches, CT would deploy a demo based on IPv6 in the near future. The demo is not RISAV-driven but IPv6-driven; its tag would be encapsulated in the IPv6 Destination extension header.

BasilGuo commented 1 year ago

In short, I think the first thing we should cover is a trade-off between Transport mode and Tunnel mode. Transport mode is resisted because of the header insertion in the AS border router, which doesn't have permission to perform such an insertion. And tunnel mode may be resisted because of Traffic Engineering.

In my opinion, the tunnel mode seems like an available option for us because the traditional IPsec Tunnel mode would also face such a TE problem. However, such a change would bring a comparison in performance with ESP-NULL. I feel a little nervous.
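The TE concern in item 2 and the transport/tunnel trade-off above can be made concrete with a small simulation. The script below is an added example, not code from the issue or from draft-xu-risav: it models what a transit router's ECMP hash sees for the same four flows under plain forwarding, AH/ESP transport mode (original addresses kept, next-header replaced by AH) and ESP tunnel mode (a new outer header between the two AS border routers). The flows, the ASBR addresses and the XOR-based hash are all constructed stand-ins for a real vendor hash, chosen only so the effect is visible.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP packet: just the fields an ECMP hash typically keys on."""
    src: str
    dst: str
    proto: int  # IP protocol number: 6 = TCP, 17 = UDP


IPPROTO_ESP = 50  # ESP (including ESP-NULL) as the outer next-header
IPPROTO_AH = 51   # AH as the outer next-header in transport mode

# Hypothetical AS border routers acting as tunnel endpoints (assumption, not from the draft).
ASBR_A = "203.0.113.1"    # egress ASBR of the sending AS
ASBR_B = "203.0.113.254"  # ingress ASBR of the receiving AS

# Constructed sample traffic: four distinct flows leaving 192.0.2.0/24 for 198.51.100.0/24.
SAMPLE_FLOWS = [
    Packet("192.0.2.1", "198.51.100.10", 6),
    Packet("192.0.2.2", "198.51.100.10", 6),
    Packet("192.0.2.3", "198.51.100.21", 17),
    Packet("192.0.2.8", "198.51.100.22", 6),
]


def outer_header(pkt: Packet, mode: str) -> tuple[str, str, int]:
    """Return the (src, dst, proto) triple a transit router sees for a given mode."""
    if mode == "plain":
        # No IPsec: the original header is what every hop hashes on.
        return (pkt.src, pkt.dst, pkt.proto)
    if mode == "transport":
        # AH/ESP transport: addresses are preserved, but the next-header field now
        # says AH/ESP, so the original L4 protocol (and ports) are no longer visible.
        return (pkt.src, pkt.dst, IPPROTO_AH)
    if mode == "tunnel":
        # ESP tunnel: a fresh outer header from ASBR to ASBR wraps the whole packet,
        # so every flow between the two ASes looks identical from the outside.
        return (ASBR_A, ASBR_B, IPPROTO_ESP)
    raise ValueError(f"unknown mode: {mode}")


def ecmp_bucket(src: str, dst: str, proto: int, n_links: int) -> int:
    """Toy ECMP hash: XOR the 32-bit address words with the protocol, then take the link index.

    This is a deliberately simple stand-in for a vendor hash; the point is only that
    identical outer headers always land on the same link.
    """
    key = int(ipaddress.ip_address(src)) ^ int(ipaddress.ip_address(dst)) ^ proto
    return key % n_links


def link_spread(packets: list[Packet], mode: str, n_links: int = 4) -> set[int]:
    """Set of parallel links actually used by the given packets under a given mode."""
    return {ecmp_bucket(*outer_header(p, mode), n_links) for p in packets}


if __name__ == "__main__":
    for mode in ("plain", "transport", "tunnel"):
        used = link_spread(SAMPLE_FLOWS, mode)
        print(f"{mode:9s}: {len(used)} of 4 links used -> {sorted(used)}")
```

With the constructed flows, plain forwarding spreads the four flows over all four links, transport mode still spreads them (the addresses survive, only the protocol field collapses to AH), and tunnel mode pins every flow onto a single link because the outer header is the same ASBR-to-ASBR triple for all of them. That single-bucket result is exactly the "TE may fail" symptom from item 2, and it is independent of how good the real hash is, since a hash of identical input is identical output.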