IETF Logo Mail Archive

Re: [Anima-signaling] comments on GRASP-07 draft

"Liubing (Leo)" <leo.liubing@huawei.com> Mon, 10 October 2016 08:13 UTC

Return-Path: <leo.liubing@huawei.com>
X-Original-To: anima-signaling@ietfa.amsl.com
Delivered-To: anima-signaling@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7906D1295F3 for <anima-signaling@ietfa.amsl.com>; Mon, 10 Oct 2016 01:13:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.217
X-Spam-Level:
X-Spam-Status: No, score=-7.217 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qxMq83VEn2So for <anima-signaling@ietfa.amsl.com>; Mon, 10 Oct 2016 01:13:13 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E80551295F4 for <anima-signaling@ietf.org>; Mon, 10 Oct 2016 01:13:12 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml706-cah.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CSR48389; Mon, 10 Oct 2016 08:13:09 +0000 (GMT)
Received: from NKGEML411-HUB.china.huawei.com (10.98.56.70) by lhreml706-cah.china.huawei.com (10.201.5.182) with Microsoft SMTP Server (TLS) id 14.3.235.1; Mon, 10 Oct 2016 09:13:06 +0100
Received: from NKGEML514-MBX.china.huawei.com ([fe80::40a8:f0d:c0f3:2ca5]) by nkgeml411-hub.china.huawei.com ([10.98.56.70]) with mapi id 14.03.0235.001; Mon, 10 Oct 2016 16:12:59 +0800
From: "Liubing (Leo)" <leo.liubing@huawei.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, anima-signaling <anima-signaling@ietf.org>
Thread-Topic: [Anima-signaling] comments on GRASP-07 draft
Thread-Index: AQHSGz5WGXQjsZLtuUiASom714RZj6ChZX0Q
Date: Mon, 10 Oct 2016 08:12:58 +0000
Message-ID: <8AE0F17B87264D4CAC7DE0AA6C406F45C2E458B3@nkgeml514-mbx.china.huawei.com>
References: <27023.1475255753@obiwan.sandelman.ca>
In-Reply-To: <27023.1475255753@obiwan.sandelman.ca>
Accept-Language: en-US, zh-CN
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.47.93.133]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020203.57FB4D96.00A8, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 9438ba9a27ebb159a131fb3593524798
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima-signaling/FLPoHwRcdESn6a_ynaPR96bi7ZI>
Subject: Re: [Anima-signaling] comments on GRASP-07 draft
X-BeenThere: anima-signaling@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Mailing list for the signaling design team of the ANIMA WG <anima-signaling.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima-signaling>, <mailto:anima-signaling-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima-signaling/>
List-Post: <mailto:anima-signaling@ietf.org>
List-Help: <mailto:anima-signaling-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima-signaling>, <mailto:anima-signaling-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2016 08:13:16 -0000

Hi Michael,

Thanks a lot for your detailed review.
Since the GRASP-07 is under WGLC now, would you mind posting your below comment to the Anima mailing list as well?

Many thanks,
Bing

-----Original Message-----
From: Anima-signaling [mailto:anima-signaling-bounces@ietf.org] On Behalf Of Michael Richardson
Sent: Friday, September 30, 2016 7:16 PM
To: anima-signaling
Subject: [Anima-signaling] comments on GRASP-07 draft


I read draft-ietf-anima-grasp-07 from beginning to end.
This is probably my first read through in many months.
I will be happy to turn these into issues in the tracker if told to do so.

I am overall pleased with the document, it read well.

I did feel like there was a section missing between 2 and 3, that gives a detailed architecture use of GRASP, without resorting to bits on the wire.

I think that section 3.3 is trying to do this, but it failing because it gets into security before it has explained anything about how things work.
Maybe if 3.3.1/3.3.2 were moved to a new section 3.3b entitles "Protocol Security"
or some such.

I had to go learn about CDDL from  draft-greevenbosch-appsawg-cbor-cddl-08
(now -09), and then how it maps to bytes on the wire.

Can we please have some worked through examples with bytes on the wire?
I will attempt to contribute some.


Some specific text that I didn't like:

3.3.4,  Discovery Procedures section says:

         An exponential backoff SHOULD be
         used for subsequent repetitions, in order to mitigate possible
         denial of service attacks.

I agree that an exponential backoff SHOULD be used by senders in order to deal with overloads due to unintentional in corrolations of senders.
But, telling well-behaved senders what to do does nothing to mitigate denial of service attacks.  The point is that the malicious attackers are not well-behaved.

If the point is to tell responders that they should backoff in their replies, or rate limit their replies, then that would make sense, but since the reply will be by TCP (as I understand it), then the opportunity to do forged source address attacks is rather low.

Later in that section, it says:
         A GRASP device with multiple link-layer interfaces (typically a
         router) MUST support discovery on all interfaces.  If it
         receives a Discovery message on a given interface for a
         specific objective that it does not support and for which it
         has not previously cached a Discovery Responder, it MUST relay
         the query by re-issuing a Discovery message as a link-local
         multicast on its other interfaces.  The relayed discovery
         message MUST have the same Session ID as the incoming discovery
         message and MUST be tagged with the IP address of its original
         initiator.  Since the relay device is unaware of the timeout
         set by the original initiator it SHOULD set a timeout at least
         equal to GRASP_DEF_TIMEOUT milliseconds.


Could we rewrite this into positive language, and also split it up, and maybe
even number some of these things.   I suggest:

3.3.4.1     GRASP discovery relaying by routers

         A GRASP device with multiple link-layer interfaces (typically a
         router) MUST support discovery on all interfaces.

         Different interfaces may be at different security levels: each group
         of interfaces with the same security level SHOULD be serviced by the
         same GRASP process, except for Limited Security Instances which are
         always single-interface instances.

         When a router receives a Discovery message on any interface,
         for an objective that it supports, then acting like any other
         GRASP device, it replies to it.

         When a router receives a Discovery message for an objective that
         it does not support, but which for which it has previously cached
         a response, then it replies to that request with the cached
         information.

         When a router receives a Discovery message for an objective that
         it does not support, and for which it has no cached response, then
         it MUST relay the query by re-issuing a Discovery message as a link-local
         multicast on ALL of its other interfaces which are at the same
         security level as the incoming interface.

         The relayed discovery message formed MUST have the same Session ID
         as the incoming discovery message and MUST be tagged (XXX HOW?)
         with the IP address of its original initiator.  Since the relay
         device is unaware of the timeout set by the original initiator it
         SHOULD set a timeout at least equal to GRASP_DEF_TIMEOUT milliseconds.


section 3.7.3 says:
   The discovery initiator sends the Discovery messages via UDP to port
   GRASP_LISTEN_PORT at the link-local ALL_GRASP_NEIGHBOR multicast
   address.  It then listens for unicast TCP responses on the same port,
   and stores the discovery results (including responding discovery
   objectives and corresponding unicast locators).


I have a problem with the mixing of UDP and TCP port numbers in this way.
First of all, this is text is ambiguous because the binding of "same" is unclear to me.  Let me number things so that the ambiguity is clear:
          sender:       UDP from: X  -> to: GRASP_LISTEN_PORT
          responder:    TCP from: Z  -> to: Y

  "then listens for unicast TCP responses on the same port"

could mean that         Y = GRASP_LISTEN_PORT,
or it could mean that   Y = X

Could we just *say* in the UDP which port the initiator is going to listen on?

Assuming Y=GRASP_LISTEN_PORT, may I suggest that if we say port '0' that it means grasp_listen_port, which is often GRASP_LISTEN_PORT, except if one
might be debugging,etc. when one might set it to another port.   That is, we
normally say, "0" to mean GRASP_LISTEN_PORT whatever it might be at that moment.  When we to reach at a port!="0", then we mean that port.

Y=X can be made to work if one picks X well, but may be unworkable on some platforms.

(I'm saying this mostly from experience with IKE, which originally said to ignore the source port of the UDP, and always use 500, which was a problem when it came to NAT traversal, but more to the point, it made it sometimes painful to test in-vitro).

I'm understanding that ONLY Discovery requests go out via UDP, but that all Discovery responses occur via TCP.  I'm a bit concerned about this process during bootstrap.  The Discovery initiator will have to be prepared for many TCP connections...  I guess we had assumed that the reply would be UDP as well.



--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email