Re: [Gen-art] [OSPF] Genart last call review of draft-ietf-ospf-segment-routing-extensions-19
"Acee Lindem (acee)" <acee@cisco.com> Sun, 08 October 2017 17:15 UTC
Return-Path: <acee@cisco.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9788E1346F8; Sun, 8 Oct 2017 10:15:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.519
X-Spam-Level:
X-Spam-Status: No, score=-14.519 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b1BqC-kF23_P; Sun, 8 Oct 2017 10:15:24 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1685E13484E; Sun, 8 Oct 2017 10:15:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=15981; q=dns/txt; s=iport; t=1507482923; x=1508692523; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=s3Y+HhiLB4SWNeWvtaRItJiUR7NDgaqIMmbTuZ47TFw=; b=VY2Yd+no/pLv7TfVEdGBAfMGH749pePoMA94cctYBdIhi1VKtGkWNIU+ RUMQXye77wq+JXUGZ6s69rHEHw2cCyCg+lkspl8NRWkxTreTXIdofacvs OULJedSK09waJym2sLKS8k+Nsmei6J7czAFWNiv/ev/WDqEv1WLUHyAIm 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ClAAAhXNpZ/4sNJK1cGQEBAQEBAQEBAQEBBwEBAQEBgm9uZG4nB4Nzih+Pa4F2iEWIK4U/ghIKGAEKgV6DOgIahAc/GAECAQEBAQEBAWsohRgBAQEBAwEBFgtLBgUQAgEIDgMDAQIoAwICAh8GCxQJCAIEDgWJTEwDFRCmIYInhzENg2gBAQEBAQEBAQEBAQEBAQEBAQEBAQEYBYMpBIEnW4M7gymCXoJGgnOCYQWgdzwCh1yIDoR5ghSFb4sHjHOIOQIRGQGBOAEfOIEOeBVJhGFugU52iC2BEAEBAQ
X-IronPort-AV: E=Sophos;i="5.42,496,1500940800"; d="scan'208,217";a="308120277"
Received: from alln-core-6.cisco.com ([173.36.13.139]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 08 Oct 2017 17:15:20 +0000
Received: from XCH-RTP-015.cisco.com (xch-rtp-015.cisco.com [64.101.220.155]) by alln-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id v98HFKZk029958 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Sun, 8 Oct 2017 17:15:20 GMT
Received: from xch-rtp-015.cisco.com (64.101.220.155) by XCH-RTP-015.cisco.com (64.101.220.155) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Sun, 8 Oct 2017 13:15:19 -0400
Received: from xch-rtp-015.cisco.com ([64.101.220.155]) by XCH-RTP-015.cisco.com ([64.101.220.155]) with mapi id 15.00.1320.000; Sun, 8 Oct 2017 13:15:19 -0400
From: "Acee Lindem (acee)" <acee@cisco.com>
To: Dan Romascanu <dromasca@gmail.com>
CC: "gen-art@ietf.org" <gen-art@ietf.org>, "draft-ietf-ospf-segment-routing-extensions.all@ietf.org" <draft-ietf-ospf-segment-routing-extensions.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "ospf@ietf.org" <ospf@ietf.org>
Thread-Topic: [OSPF] Genart last call review of draft-ietf-ospf-segment-routing-extensions-19
Thread-Index: AQHTPcn1wlE7EWN+70O+s2iOU8SMBaLXOxIAgADuuYCAAgydgA==
Date: Sun, 08 Oct 2017 17:15:19 +0000
Message-ID: <D5FFD4B8.CDAF3%acee@cisco.com>
References: <150720153207.1342.7778064227193146950@ietfa.amsl.com> <D5FD52DB.CD7FE%acee@cisco.com> <CAFgnS4WXVUbcrYa4EEfnbECB1a-q4wi38ORwh4M6vXV9g4zSEA@mail.gmail.com>
In-Reply-To: <CAFgnS4WXVUbcrYa4EEfnbECB1a-q4wi38ORwh4M6vXV9g4zSEA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.116.152.195]
Content-Type: multipart/alternative; boundary="_000_D5FFD4B8CDAF3aceeciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/JntOno055G7eEVQ--Lu1D_G6jTo>
Subject: Re: [Gen-art] [OSPF] Genart last call review of draft-ietf-ospf-segment-routing-extensions-19
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Oct 2017 17:15:29 -0000
Hi Dan, Can you elaborate on how the OSPFv2 segment routing extensions in the draft make the protocol more susceptible to a DDoS attack? Is this with respect to logging the occurrence of malformed TLVs or Sub-TLVs? If so, that can be added. Thanks, Acee From: Dan Romascanu <dromasca@gmail.com<mailto:dromasca@gmail.com>> Date: Saturday, October 7, 2017 at 1:57 AM To: Acee Lindem <acee@cisco.com<mailto:acee@cisco.com>> Cc: "gen-art@ietf.org<mailto:gen-art@ietf.org>" <gen-art@ietf.org<mailto:gen-art@ietf.org>>, "draft-ietf-ospf-segment-routing-extensions.all@ietf.org<mailto:draft-ietf-ospf-segment-routing-extensions.all@ietf.org>" <draft-ietf-ospf-segment-routing-extensions.all@ietf.org<mailto:draft-ietf-ospf-segment-routing-extensions.all@ietf.org>>, "ietf@ietf.org<mailto:ietf@ietf.org>" <ietf@ietf.org<mailto:ietf@ietf.org>>, OSPF WG List <ospf@ietf.org<mailto:ospf@ietf.org>> Subject: Re: [OSPF] Genart last call review of draft-ietf-ospf-segment-routing-extensions-19 Hi Acee, Thank you for your response and for addressing my comments. I do not disagree that a generic IGP protocol security considerations document may be useful, but I do not believe that this document should be dependent upon it. My observation was related to the last paragraph of the Security Considerations document. It seems to me that non-mandatory counting or logging of malformed TLVs or Sub-TLVs may not be sufficient to protect against a large scale DoS attack. Regards, Dan On Sat, Oct 7, 2017 at 1:54 AM, Acee Lindem (acee) <acee@cisco.com<mailto:acee@cisco.com>> wrote: On 10/5/17, 7:05 AM, "OSPF on behalf of Dan Romascanu" <ospf-bounces@ietf.org<mailto:ospf-bounces@ietf.org> on behalf of dromasca@gmail.com<mailto:dromasca@gmail.com>> wrote: >Reviewer: Dan Romascanu >Review result: Ready with Issues > >I am the assigned Gen-ART reviewer for this draft. The General Area >Review Team (Gen-ART) reviews all IETF documents being processed >by the IESG for the IETF Chair. Please treat these comments just >like any other last call comments. > >For more information, please see the FAQ at > ><https://trac.ietf.org/trac/gen/wiki/GenArtfaq>. > >Document: draft-ietf-ospf-segment-routing-extensions-19 >Reviewer: Dan Romascanu >Review Date: 2017-10-05 >IETF LC End Date: 2017-10-13 >IESG Telechat date: Not scheduled for a telechat > >Summary: > >A useful and well-written document. It requires previous reading and >understanding of OSPF, SPRING and other routing work. It is Ready for >publication. I found some unclear minor issues. I recommend to address >them >before approval and publication. > >Major issues: > >Minor issues: > >1. I am wondering why, at this stage of progress of the document, the type >values are still 'TBD, suggested value x'. Is there any other document >defining >this? > >2. Section 3.1 - are there other algorithms planned to be added in the >future? >If yes, do we need a registry? If no, what is this field an octet? > >3. It would be useful to mention that the Length fields are expressed in >Octets. Also please clarify if padding is applied or not. > >4. Section 3.3: > >'The originating router MUST NOT advertise overlapping ranges.' > >How are conflicts resolved at receiver? > >5. I like Section 9 - Implementation Status - which I found rather >useful. Is >there any chance to keep a trimmed down version of it, with synthetic >information on the lines of 'at the time the document was discussed a >survey >was run, it showed that there were x implementation, y were implementing >the >full specification, z were included in released production software ....' > >6. Section 10 - beyond recommending the counting and logging of the >mal-formed >TLVs and sub-TLVs, should not supplementary security recommendations be >made? >for example - throttling mechanisms to preempt DoS attacks. The generic OSPFv2 security considerations are referenced as well. Can you be specific as to why you think there additional considerations specific to these extensions? Perhaps, we should start work on a generic IGP protocol security considerations document that is more comprehensive than what we have done before. Thanks, Acee > >Nits/editorial comments: > > >_______________________________________________ >OSPF mailing list >OSPF@ietf.org<mailto:OSPF@ietf.org> >https://www.ietf.org/mailman/listinfo/ospf
- [Gen-art] Genart last call review of draft-ietf-o… Dan Romascanu
- Re: [Gen-art] [OSPF] Genart last call review of d… Acee Lindem (acee)
- Re: [Gen-art] [OSPF] Genart last call review of d… Dan Romascanu
- Re: [Gen-art] [OSPF] Genart last call review of d… Acee Lindem (acee)
- Re: [Gen-art] [OSPF] Genart last call review of d… Dan Romascanu
- Re: [Gen-art] [OSPF] Genart last call review of d… Acee Lindem (acee)
- Re: [Gen-art] [OSPF] Genart last call review of d… Peter Psenak
- Re: [Gen-art] [OSPF] Genart last call review of d… Les Ginsberg (ginsberg)