Re: [CCAMP] Alvaro Retana's No Objection on draft-ietf-ccamp-ospf-availability-extension-10: (with COMMENT)

Daniele Ceccarelli <daniele.ceccarelli@ericsson.com> Thu, 19 October 2017 09:28 UTC

From: Daniele Ceccarelli <daniele.ceccarelli@ericsson.com>
To: Alvaro Retana <aretana.ietf@gmail.com>, "Yemin (Amy)" <amy.yemin@huawei.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-ccamp-ospf-availability-extension@ietf.org" <draft-ietf-ccamp-ospf-availability-extension@ietf.org>, Fatai Zhang <zhangfatai@huawei.com>, "ccamp-chairs@ietf.org" <ccamp-chairs@ietf.org>, "ccamp@ietf.org" <ccamp@ietf.org>
Thread-Topic: Alvaro Retana's No Objection on draft-ietf-ccamp-ospf-availability-extension-10: (with COMMENT)
Thread-Index: AQHTQwS+U7AFg0HZaEqt5YkaxMooSKLga42AgAFDm/CACUGc4A==
Date: Thu, 19 Oct 2017 09:28:16 +0000
Message-ID: <HE1PR0701MB271409C64E71AA0E09F0ABAEF0420@HE1PR0701MB2714.eurprd07.prod.outlook.com>
References: <150766267307.13579.9907623355727477623.idtracker@ietfa.amsl.com> <9C5FD3EFA72E1740A3D41BADDE0B461FC7591FFA@DGGEMA501-MBX.china.huawei.com> <CAMMESszqT+Tj6iVg8SBdAsmC3hkX9N7WDsMqZLo98H4H50uwPQ@mail.gmail.com> <HE1PR0701MB2714C95C04A08482402C103FF0480@HE1PR0701MB2714.eurprd07.prod.outlook.com>
In-Reply-To: <HE1PR0701MB2714C95C04A08482402C103FF0480@HE1PR0701MB2714.eurprd07.prod.outlook.com>
Accept-Language: it-IT, en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ccamp/pOce26GvHQNfZXefoNPzhE7Kotw>

Hi Alvaro,

Just wondering if you had the chance to have a look at my proposal. Would this solve your issue?

Thanks,
Daniele

From: Daniele Ceccarelli
Sent: Friday 13 October 2017 14:53
To: 'Alvaro Retana' <aretana.ietf@gmail.com>; Yemin (Amy) <amy.yemin@huawei.com>
Cc: The IESG <iesg@ietf.org>; draft-ietf-ccamp-ospf-availability-extension@ietf.org; Fatai Zhang <zhangfatai@huawei.com>; ccamp-chairs@ietf.org; ccamp@ietf.org
Subject: RE: Alvaro Retana's No Objection on draft-ietf-ccamp-ospf-availability-extension-10: (with COMMENT)

Hi Alvaro,

Thanks a lot for your review; the text is being improved significantly.
I just wanted to add a comment to the discussion on the security section. The text Amy is proposing is exactly the one you can find in RFC4203:

   This document specifies the contents of Opaque LSAs in OSPFv2.  As
   Opaque LSAs are not used for SPF computation or normal routing, the
   extensions specified here have no direct effect on IP routing.
   Tampering with GMPLS TE LSAs may have an effect on the underlying
   transport (optical and/or SONET-SDH) network.  [OSPF-TE] suggests
   mechanisms such as [OSPF-SIG] to protect the transmission of this
   information, and those or other mechanisms should be used to secure
   and/or authenticate the information carried in the Opaque LSAs.

I might agree or disagree with your concern (actually I tend to agree), but this is not an issue we can solve in this draft, since it is inherited from a previous RFC.
This draft is only defining a new sub-TLV inside the ISCD TLV, like many other existing RFCs. We have the same reference in many existing RFCs, for example RFC 7138.

What RFC 7138 adds is a reference to RFC 5920 that could also work in our case:

   Please refer to [RFC5920] for details on security threats; defensive
   techniques; monitoring, detection, and reporting of security attacks;
   and requirements.

Would this solve the issue?

Thanks
Daniele



From: Alvaro Retana [mailto:aretana.ietf@gmail.com]
Sent: Thursday 12 October 2017 18:40
To: Yemin (Amy) <amy.yemin@huawei.com>
Cc: The IESG <iesg@ietf.org>; draft-ietf-ccamp-ospf-availability-extension@ietf.org; Fatai Zhang <zhangfatai@huawei.com>; ccamp-chairs@ietf.org; ccamp@ietf.org
Subject: Re: Alvaro Retana's No Objection on draft-ietf-ccamp-ospf-availability-extension-10: (with COMMENT)

On Wed, Oct 11, 2017 at 10:48 PM, Yemin (Amy) <amy.yemin@huawei.com> wrote:
Amy:
Hi!

3) Where is this signaling defined?  How does a node know that others support the Availability ISCD/LSA?

The Interface Switching Capability Descriptor (ISCD) allows routing protocols such as OSPF and ISIS to carry technology-specific information in the Switching Capability-specific information (SCSI) field.

If a node received the Availability in the ISCD, it knows that the sender supports Availability.
Please add something like that, or point to the appropriate document.


 4) Security Considerations, how about changing the text as follows:

This document extends [RFC4203].  As with [RFC4203], it specifies the content of Opaque LSAs in OSPFv2. As Opaque LSAs are not used for Shortest Path First (SPF) computation or normal routing, the extensions specified here have no direct effect on IP routing. Tampering with GMPLS TE LSAs may have an impact on the ability to set up connections in the underlying data plane network. Mechanisms such as [RFC2154] and [RFC5304] to protect the transmission of this information are suggested. As the additional availability information may represent information that an operator may wish to keep private, consideration should be given to securing this information. [RFC3630] notes that the security mechanisms described in [RFC2328] apply to Opaque LSAs carried in OSPFv2. An analysis of the security of OSPF is provided in [RFC6863] and applies to the extensions to OSPF as described in this document. Any new mechanisms developed to protect the transmission of information carried in Opaque LSAs will also automatically protect the extensions defined in this document.

The text above (1) still says that the extensions have no direct effect on IP routing, and (2) doesn't address that threat.  I think that the threat with tampering may not just impact the ability to set up a connection, but it may cause routing not to be correct: use a congested path or follow a path with not enough bandwidth, etc.  It shouldn't result in 100% lost traffic, but the routing could definitely be suboptimal.

Thanks!

Alvaro.
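Alvaro's closing point, that a tampered TE advertisement degrades path selection rather than blacking out traffic, is illustrated below with a constructed example written for this page. It is not code from the draft, from RFC 4203 or from any OSPF implementation. A four-node topology advertises, per link, a TE cost and the bandwidth guaranteed at each availability level (the kind of information the Availability sub-TLV carries; the encoding here is an assumption). A constrained SPF for a 300 Mbit/s request at 99.99% availability picks the honest path; one forged advertisement for link A-B moves it onto a path that can only carry 100 Mbit/s at that availability, and an HMAC over each advertisement under a shared area key (a stand-in for OSPF cryptographic authentication, which in reality covers whole OSPF packets between neighbours, not individual sub-TLVs) rejects the forgery. Topology, link values, the JSON encoding and the key are all assumptions.

```python
import hashlib
import heapq
import hmac
import json

# Constructed topology (an assumption for this example). Each link advertises
# its TE cost and, per availability level, the bandwidth (Mbit/s) it
# guarantees at that level, in the spirit of the Availability sub-TLV.
ADVERTISEMENTS = {
    ("A", "B"): {"cost": 10, "avail": [(0.999, 400), (0.9999, 100)]},
    ("B", "D"): {"cost": 10, "avail": [(0.999, 500), (0.9999, 500)]},
    ("A", "C"): {"cost": 15, "avail": [(0.999, 600), (0.9999, 500)]},
    ("C", "D"): {"cost": 15, "avail": [(0.999, 600), (0.9999, 500)]},
}

# Assumption: one shared key per area, standing in for OSPF authentication.
KEY = b"constructed-example-key"


def usable_bw(adv, availability):
    """Bandwidth a link guarantees at the requested availability or better."""
    return max((bw for lvl, bw in adv["avail"] if lvl >= availability), default=0)


def cspf(links, src, dst, bw, availability):
    """Constrained SPF: prune links that cannot carry `bw` at `availability`,
    then take the cheapest remaining path (Dijkstra on TE cost)."""
    graph = {}
    for (u, v), adv in links.items():
        if usable_bw(adv, availability) >= bw:
            graph.setdefault(u, []).append((v, adv["cost"]))
            graph.setdefault(v, []).append((u, adv["cost"]))
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue
        for v, cost in graph.get(u, []):
            if d + cost < dist.get(v, float("inf")):
                dist[v], prev[v] = d + cost, u
                heapq.heappush(heap, (d + cost, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def encode(link, adv):
    """Canonical bytes covered by the MAC (assumed encoding, not OSPF's)."""
    return json.dumps([list(link), adv], sort_keys=True).encode()


def mac(link, adv, key=KEY):
    """HMAC-SHA256 tag over one advertisement under the area key."""
    return hmac.new(key, encode(link, adv), hashlib.sha256).hexdigest()


def accept_authenticated(flooded, key=KEY):
    """Install only advertisements whose tag verifies under the area key.
    A later advertisement for the same link replaces an earlier one, as
    flooding would, so a forgery that verified would win; here it does not."""
    installed = {}
    for link, adv, tag in flooded:
        if hmac.compare_digest(tag, mac(link, adv, key)):
            installed[link] = adv
    return installed


def forge_ab(links):
    """Attacker's view of the LSDB: link A-B now claims 500 Mbit/s even at
    99.99% availability, which it cannot actually deliver."""
    forged = {k: dict(v) for k, v in links.items()}
    forged[("A", "B")] = {"cost": 10, "avail": [(0.999, 500), (0.9999, 500)]}
    return forged


def demo(bw=300, availability=0.9999):
    """Paths chosen for a `bw` Mbit/s request at `availability`:
    (honest LSDB, forged LSDB without authentication, forged LSDB with
    authentication)."""
    honest = cspf(ADVERTISEMENTS, "A", "D", bw, availability)
    forged = cspf(forge_ab(ADVERTISEMENTS), "A", "D", bw, availability)
    flooded = [(l, a, mac(l, a)) for l, a in ADVERTISEMENTS.items()]
    fake = forge_ab(ADVERTISEMENTS)[("A", "B")]
    flooded.append((("A", "B"), fake, mac(("A", "B"), fake, key=b"not-the-key")))
    checked = cspf(accept_authenticated(flooded), "A", "D", bw, availability)
    return honest, forged, checked


if __name__ == "__main__":
    print(demo())  # (['A', 'C', 'D'], ['A', 'B', 'D'], ['A', 'C', 'D'])
```

The honest computation routes A-C-D (cost 30) because A-B only guarantees 100 Mbit/s at 99.99%. After the forgery, the cheaper A-B-D (cost 20) is selected, and the connection is set up successfully; it simply degrades to 100 Mbit/s whenever the link drops to its high-availability modulation, which is exactly the suboptimal-but-not-dead outcome described above. With per-advertisement authentication the forged entry is discarded and the computation returns to A-C-D.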