draft-ietf-ccamp-path-key-ero-02.txt   draft-ietf-ccamp-path-key-ero-03.txt 
Networking Working Group A. Farrel (Ed.) Networking Working Group A. Farrel (Ed.)
Internet-Draft Old Dog Consulting Internet-Draft Old Dog Consulting
Intended Status: Standards Track R. Bradford Intended Status: Standards Track R. Bradford
Created: October 31, 2008 JP. Vasseur Created: January 8, 2009 JP. Vasseur
Expires: April 30, 2009 Cisco Systems, Inc. Expires: July 8, 2009 Cisco Systems, Inc.
RSVP Extensions for Path Key Support RSVP Extensions for Path Key Support
draft-ietf-ccamp-path-key-ero-02.txt draft-ietf-ccamp-path-key-ero-03.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that This Internet-Draft is submitted to IETF in full conformance with
any applicable patent or other IPR claims of which he or she is the provisions of BCP 78 and BCP 79.
aware have been or will be disclosed, and any of which he or she
becomes aware will be disclosed, in accordance with Section 6 of
BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in as reference material or to cite them other than as "work in
skipping to change at page 7, line 21 skipping to change at page 7, line 21
- The PCE is unable to decode the PKS, perhaps because the Path Key - The PCE is unable to decode the PKS, perhaps because the Path Key
has expired. has expired.
The LSR sends a PathErr message with the error code "Routing The LSR sends a PathErr message with the error code "Routing
Problem" and a new error value "Unknown Path Key for PKS Problem" and a new error value "Unknown Path Key for PKS
expansion" (see Section 6.3). expansion" (see Section 6.3).
- PKS cannot be decoded for policy reasons. - PKS cannot be decoded for policy reasons.
The LSR sends a PathErr message with the error code "Policy The LSR sends a PathErr message with the error code "Policy
Control Failure" and a the error value "Inter-domain policy Control Failure" and the error value "Inter-domain policy
failure". failure".
- Addition of CPS to ERO causes Path message to become too large. - Addition of CPS to ERO causes Path message to become too large.
The LSR MAY replace part of the ERO with loose hops [RFC3209] or The LSR MAY replace part of the ERO with loose hops [RFC3209] or
with a further PKS according to local policy if the loss in with a further PKS according to local policy if the loss in
specifics within the explicit path is acceptable. If the LSR is specifics within the explicit path is acceptable. If the LSR is
unable to take steps to reduce the size of the ERO it MUST send a unable to take steps to reduce the size of the ERO it MUST send a
PathErr message with the error code "Routing Problem" and a new PathErr message with the error code "Routing Problem" and a new
error value "ERO too large for MTU" (see Section 6.3). error value "ERO too large for MTU" (see Section 6.3).
skipping to change at page 8, line 35 skipping to change at page 8, line 35
Further protection can be provided by using a PCE ID to identify Further protection can be provided by using a PCE ID to identify
the decoding PCE that is only meaningful within the domain that the decoding PCE that is only meaningful within the domain that
contains the LSR at the head of the CPS. This may be an IP address contains the LSR at the head of the CPS. This may be an IP address
that is only reachable from within the domain, or some non-address that is only reachable from within the domain, or some non-address
value. The former requires configuration of policy on the PCEs, value. The former requires configuration of policy on the PCEs,
the latter requires domain-wide policy. the latter requires domain-wide policy.
The following specific security issues need to be considered. The following specific security issues need to be considered.
- Confidentiality of the CPS. The question to be answered is whether - Confidentiality of the CPS. The question to be answered is whether
other network elements can probe for a PCE for the expansion of other network elements can probe a PCE for the expansion of PKSs,
PKSs, possibly generating path keys at random. This can be possibly generating path keys at random. This can be protected
protected against by only allowing PKS expansion to be successfully against by only allowing PKS expansion to be successfully completed
completed if requested by the LSR that is at the head end of the if requested by the LSR that is at the head end of the resulting
resulting CPS. Under specific circumstances, PKS expansion might CPS. Under specific circumstances, PKS expansion might also be
also be allowed by configured management stations. allowed by configured management stations.
The CPS itself may be kept confidential as it is exchanged in the The CPS itself may be kept confidential as it is exchanged in the
PCEP and RSVP-TE protocols using standard security mechanisms PCEP and RSVP-TE protocols using standard security mechanisms
defined for those protocols. defined for those protocols.
- Determination of information by probing. In addition to the probing - Determination of information by probing. In addition to the probing
described above, a node might deduce information from the error described above, a node might deduce information from the error
responses generated when PKS expansion fails as described in responses generated when PKS expansion fails as described in
Section 3.1. Any LSR that considers that supplying one of the Section 3.1. Any LSR that considers that supplying one of the
detailed error codes described in Section 3.1 might provide too detailed error codes described in Section 3.1 might provide too
skipping to change at page 9, line 38 skipping to change at page 9, line 38
Policy forms an important part of the use of PKSs in EROs and RROs. Policy forms an important part of the use of PKSs in EROs and RROs.
There are local and domain-wide policies that SHOULD be available for There are local and domain-wide policies that SHOULD be available for
configuration in an implementation. configuration in an implementation.
- Handling of an ERO containing a PKS. As described in Section 3.1 an - Handling of an ERO containing a PKS. As described in Section 3.1 an
LSR that receives a Path message containing a PKS can be configured LSR that receives a Path message containing a PKS can be configured
to reject the Path message according to policy. to reject the Path message according to policy.
- Handling of PKS requests at a PCE. As described in Section 3.1, in - Handling of PKS requests at a PCE. As described in Section 3.1, in
[PCE-PKS], and in [PCE-POLICY] a PCE can be configured with policy [PCE-PKS], and in [RFC5394] a PCE can be configured with policy
about how it should handle requests for PKS expansion. about how it should handle requests for PKS expansion.
- PKS expansion. Section 3.1 explains that the PKS can be expanded by - PKS expansion. Section 3.1 explains that the PKS can be expanded by
the local LSR, the specific PCE identified in the PKS, any PCE the local LSR, the specific PCE identified in the PKS, any PCE
acting as a proxy, or by some other method. The behavior of the LSR acting as a proxy, or by some other method. The behavior of the LSR
needs to be locally configurable, but is subject the domain-wide needs to be locally configurable, but is subject the domain-wide
policy. policy.
- Interpretation of PCE-ID. The interpretation of the PCE-ID - Interpretation of PCE-ID. The interpretation of the PCE-ID
component of PKSs is subject to domain-local policy and needs to be component of PKSs is subject to domain-local policy and needs to be
configurable as such. See Section 3 and Section 4 for the options. configurable as such. See Section 3 and Section 4 for the options.
- ERO too large. The behavior of an LSR when it finds that adding a - ERO too large. The behavior of an LSR when it finds that adding a
CS to the ERO causes the Path message to be too large, is an CPS to the ERO causes the Path message to be too large, is an
implementation choice. However, implementations may choose to implementation choice. However, implementations may choose to
provide configuration of behavior as described in Section 3.1. provide configuration of behavior as described in Section 3.1.
- Masking of RRO. As described in Section 3.2, a border router can - Masking of RRO. As described in Section 3.2, a border router can
choose to mask segments of the path by replacing them with PKSs. choose to mask segments of the path by replacing them with PKSs.
This behavior needs to be configurable with the default being to This behavior needs to be configurable with the default being to
not hide any part of the RRO. not hide any part of the RRO.
- Inspection / decode of PKS by diagnostic tools. A PCE can allow - Inspection / decode of PKS by diagnostic tools. A PCE can allow
access from management or diagnostic tools to request the expansion access from management or diagnostic tools to request the expansion
of a PKS. Note that this must be regulated with the security and of a PKS. Note that this must be regulated with the security and
confidentiality behavior described in Section 4. confidentiality behavior described in Section 4.
- Hiding of reason codes. An LSR can support the configuration of - Hiding of reason codes. An LSR can support the configuration of
local policy to hide reason codes associated with the failure to local policy to hide reason codes associated with the failure to
expand a PKS, and as described in Section 4, report all errors as expand a PKS, and as described in Section 4, report all errors as
policy failures. policy failures.
The treatment of a path segment as a CPS, and its substitution in The treatment of a path segment as a CPS, and its substitution in
a PCReq ERO with a PKS, is a PCE function and is described in a PCRep ERO with a PKS, is a PCE function and is described in
[PCE-PKS]. [PCE-PKS].
6. IANA considerations 6. IANA considerations
6.1. Explicit Route Object Subobjects 6.1. Explicit Route Object Subobjects
IANA maintains a registry called "Resource Reservation Protocol IANA maintains a registry called "Resource Reservation Protocol
(RSVP) Parameters" with a subregistry called "Class Names, Class (RSVP) Parameters" with a subregistry called "Class Names, Class
Numbers, and Class Types". Numbers, and Class Types".
skipping to change at page 12, line 46 skipping to change at page 12, line 46
[PCEP] J.P. Vasseur, et al., "Path Computation Element (PCE) [PCEP] J.P. Vasseur, et al., "Path Computation Element (PCE)
Communication Protocol (PCEP)", draft-ietf-pce-pcep, work Communication Protocol (PCEP)", draft-ietf-pce-pcep, work
in progress. in progress.
[PCE-PKS] Bradford, R., Vasseur, J.P., and Farrel, A., "Preserving [PCE-PKS] Bradford, R., Vasseur, J.P., and Farrel, A., "Preserving
Topology Confidentiality in Inter-Domain Path Computation Topology Confidentiality in Inter-Domain Path Computation
Using a Key-Based Mechanism", draft-ietf-pce-path-key, Using a Key-Based Mechanism", draft-ietf-pce-path-key,
work in progress. work in progress.
[PCE-POLICY] Bryskin, I., Papadimitriou, D., Berger, L. and Ash, G.,
"Policy-Enabled Path Computation Framework", draft-ietf-
pce-policy-enabled-path-comp, work in progress.
[RFC4655] Farrel, A., Vasseur, J.P., and Ash, J., "Path Computation [RFC4655] Farrel, A., Vasseur, J.P., and Ash, J., "Path Computation
Element (PCE) Architecture", RFC 4655, August 2006. Element (PCE) Architecture", RFC 4655, August 2006.
[RFC4726] Farrel, A., Vasseur, J.P., and Ayyangar, A., "A Framework [RFC4726] Farrel, A., Vasseur, J.P., and Ayyangar, A., "A Framework
for Inter-Domain Multiprotocol Label Switching Traffic for Inter-Domain Multiprotocol Label Switching Traffic
Engineering", RFC 4726, November 2006. Engineering", RFC 4726, November 2006.
[RFC5394] Bryskin, I., Papadimitriou, D., Berger, L. and Ash, J.,
"Policy-Enabled Path Computation Framework", RFC 5394,
December 2008.
8. Authors' Addresses: 8. Authors' Addresses:
Adrian Farrel Adrian Farrel
Old Dog Consulting Old Dog Consulting
EMail: adrian@olddog.co.uk EMail: adrian@olddog.co.uk
Rich Bradford Rich Bradford
Cisco Systems, Inc. Cisco Systems, Inc.
1414 Massachusetts Avenue 1414 Massachusetts Avenue
Boxborough, MA - 01719 Boxborough, MA - 01719
skipping to change at page 13, line 31 skipping to change at page 13, line 31
J.-P Vasseur J.-P Vasseur
Cisco Systems, Inc. Cisco Systems, Inc.
1414 Massachusetts Avenue 1414 Massachusetts Avenue
Boxborough, MA - 01719 Boxborough, MA - 01719
USA USA
Email: jpv@cisco.com Email: jpv@cisco.com
Full Copyright Statement Full Copyright Statement
Copyright (C) The IETF Trust (2008). Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to the rights, licenses and restrictions This document is subject to BCP 78 and the IETF Trust's Legal
contained in BCP 78, and except as set forth therein, the authors Provisions Relating to IETF Documents
retain all their rights. (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
This document and the information contained herein are provided on an All IETF Documents and the information contained therein are provided
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE.
Intellectual Property Intellectual Property
The IETF takes no position regarding the validity or scope of any The IETF Trust takes no position regarding the validity or scope of
Intellectual Property Rights or other rights that might be claimed to any Intellectual Property Rights or other rights that might be
pertain to the implementation or use of the technology described in claimed to pertain to the implementation or use of the technology
this document or the extent to which any license under such rights described in any IETF Document or the extent to which any license
might or might not be available; nor does it represent that it has under such rights might or might not be available; nor does it
made any independent effort to identify any such rights. Information represent that it has made any independent effort to identify any
on the procedures with respect to rights in RFC documents can be such rights.
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any Copies of Intellectual Property disclosures made to the IETF
assurances of licenses to be made available, or the result of an Secretariat and any assurances of licenses to be made available, or
attempt made to obtain a general license or permission for the use of the result of an attempt made to obtain a general license or
such proprietary rights by implementers or users of this permission for the use of such proprietary rights by implementers or
specification can be obtained from the IETF on-line IPR repository at users of this specification can be obtained from the IETF on-line IPR
http://www.ietf.org/ipr. repository at http://www.ietf.org/ipr
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at any standard or specification contained in an IETF Document. Please
ietf-ipr@ietf.org. address the information to the IETF at ietf-ipr@ietf.org.
The definitive version of an IETF Document is that published by, or
under the auspices of, the IETF. Versions of IETF Documents that are
published by third parties, including those that are translated into
other languages, should not be considered to be definitive versions
of IETF Documents. The definitive version of these Legal Provisions
is that published by, or under the auspices of, the IETF. Versions of
these Legal Provisions that are published by third parties, including
those that are translated into other languages, should not be
considered to be definitive versions of these Legal Provisions.
For the avoidance of doubt, each Contributor to the IETF Standards
Process licenses each Contribution that he or she makes as part of
the IETF Standards Process to the IETF Trust pursuant to the
provisions of RFC 5378. No language to the contrary, or terms,
conditions or rights that differ from or are inconsistent with the
rights and licenses granted under RFC 5378, shall have any effect and
shall be null and void, whether published or posted by such
Contributor, or included with or in such Contribution.
 End of changes. 16 change blocks. 
47 lines changed or deleted 48 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/