Re: [icnrg] Review of draft-irtf-icnrg-icntraceroute
Colin Perkins <csp@csperkins.org> Fri, 26 August 2022 09:10 UTC
Return-Path: <csp@csperkins.org>
X-Original-To: icnrg@ietfa.amsl.com
Delivered-To: icnrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FDCAC1522B9 for <icnrg@ietfa.amsl.com>; Fri, 26 Aug 2022 02:10:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.406
X-Spam-Level:
X-Spam-Status: No, score=-4.406 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=csperkins.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JimmoxyNR1el for <icnrg@ietfa.amsl.com>; Fri, 26 Aug 2022 02:10:16 -0700 (PDT)
Received: from mx2.mythic-beasts.com (mx2.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3FF7C1522BF for <icnrg@irtf.org>; Fri, 26 Aug 2022 02:10:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=csperkins.org; s=mythic-beasts-k1; h=Date:Subject:To:From; bh=cmRkSJigJYQgW5MUPEFYFo9SHthbdS6GTw1a8r0zRuQ=; b=w5nFOYkJf2juyDS6/L9b24J4AZ knLuyuc9dUWgM4qztAQfOCpv428x68dLWMRq7BeD8u/p4J0VcxD24+XO6K5z6WAUC9KyXtFN0Ix/a /p7t08HqM9D1gmuRGKoVZQxvt+Lv1zZ4w4xkxo0bptXPdM/dVijYrRBeWQpFKvOLBq1tctnzWS5JH tbP1XLDsID9i8ZoKVkMfgvgsUxwgo6m+OEtV2VcGM4xRh+clij4pFp2Qg/CdSHlJa/YPtYb/k5BXk PmsLwThWdQqZ0Po7O7cczKMRp17/3Gj3n80NeOq1LWDbBADmE+MPjkctways9EIyH+6BrijhJHlCL +YffaTlQ==;
Received: from 149.2.187.81.in-addr.arpa ([81.187.2.149]:37005 helo=[192.168.0.72]) by mailhub-hex-d.mythic-beasts.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <csp@csperkins.org>) id 1oRVLv-005UeZ-PE; Fri, 26 Aug 2022 10:10:11 +0100
From: Colin Perkins <csp@csperkins.org>
To: Spyridon Mastorakis <smastorakis@unomaha.edu>
Cc: Christopher Wood <caw@heapingbits.net>, icnrg@irtf.org
Date: Fri, 26 Aug 2022 10:10:10 +0100
X-Mailer: MailMate (1.14r5913)
Message-ID: <A20A4AB2-3467-4DD9-9DB2-C59A1D1F7F8F@csperkins.org>
In-Reply-To: <C4F43533-32FC-4E18-9BD7-8CA3D2886A59@unomaha.edu>
References: <DC888366-23E6-4FD0-9FD0-24AACB98BCF9@heapingbits.net> <E838CC2F-4BB2-4E9A-8946-60D913FE7306@unomaha.edu> <57C45821-5AAE-4648-B6D0-A2A6C08E537A@csperkins.org> <47CD5CAC-6ED8-4C8D-8ABD-3FA99BFB4960@csperkins.org> <C4F43533-32FC-4E18-9BD7-8CA3D2886A59@unomaha.edu>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_MailMate_3CDB70AF-E83F-46F7-93C8-C02BFC6646BB_="
Embedded-HTML: [{"plain":[69, 4592], "uuid":"F567F2C1-A3F2-4D03-B2EF-4A73EE1DD734"}]
X-BlackCat-Spam-Score: 0
Archived-At: <https://mailarchive.ietf.org/arch/msg/icnrg/j93Q3fT-IwK-AGh0htzaw7Aehfw>
Subject: Re: [icnrg] Review of draft-irtf-icnrg-icntraceroute
X-BeenThere: icnrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Information-Centric Networking research group discussion list <icnrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/icnrg>, <mailto:icnrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/icnrg/>
List-Post: <mailto:icnrg@irtf.org>
List-Help: <mailto:icnrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/icnrg>, <mailto:icnrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Aug 2022 09:10:20 -0000
Thanks. Colin On 26 Aug 2022, at 3:43, Spyridon Mastorakis wrote: > Hi Colin, > > Thank you for checking in. I think I can revise the draft. Once Dave > pushes out the updated version of the path steering draft, we will > also update the trace route draft. > > Thanks, > Spyros > > On Aug 25, 2022, at 4:39 PM, Colin Perkins > <csp@csperkins.org<mailto:csp@csperkins.org>> wrote: > > Non-NU Email > > Hi, > > Can I check if you have what you need to progress with the updates to > this draft, or if you still need input/confirmation from Chris? > > Colin > > > > On 9 Aug 2022, at 16:25, Colin Perkins wrote: > > Spyros – thank you! > > Chris – could you please check if the following would address your > concerns? > > Thanks, > Colin > > > > > On 1 Jul 2022, at 12:22, Spyridon Mastorakis wrote: > > Hi Chris, > > Thank you very much for your feedback! Please see my response to each > of your comments inline. If you agree with my responses, I can go > ahead and update the draft. > > Please let me know. > > Thank you again! > Spyros > > On Jun 15, 2022, at 9:48 AM, Christopher Wood > <caw@heapingbits.net<mailto:caw@heapingbits.net>> wrote: > > Non-NU Email > > Like the ping document, I found this to be very well structured and > written. The use case for the protocol is clear, the protocol itself > -- including the forwarder behavior -- is simple, and the security and > privacy considerations are thorough. > > Section 1. > > To this end, the problem of > ascertaining the characteristics (i.e., transit forwarders and > delays) of at least one of the available routes to a name prefix is a > fundamendal requirement for instumentation and network management. > > nit: s/instumentation/instrumentation > > Thanks for pointing out this typo! > > > Section 6. > > The TrReply Code TLV value of the reply is set to indicate the > specific condition that was met. If none of those conditions was > met, the TrReply Code is set to 4 to indicate that the hop limit > value reached 0. > > Perhaps I overlooked it, but why does the TrReply Code need to be 4? > Is it because there are three prior conditions for the final reply in > the session? > > This value is based on the protocol specification. We have mentioned > it at the end of Section 4.2. > > > Section 8. > > This approach does not protect against on-path attacks, where a > compromised forwarder that receives a traceroute reply replaces the > forwarder's name and the signature in the message with its own name > and signature to make the client believe that the reply was generated > by the compromised forwarder. To foil such attack scenarios, a > forwarder can sign the reply message itself. In such cases, the > forwarder does not have to sign its own name in reply message, since > the message signature protects the message as a whole and will be > invalidated in the case of an on-path attack. > > Could a compromised forwarder swap out the name of a traceroute > request with the name of its choosing? If so, perhaps this should also > be listed in the paragraph above? To be honest, I forget the semantics > for how content object response signatures are verified, so this might > not be an issue. > > > My understanding is both in CCNx and NDN, changing the name of a > request would invalidate the state in PIT, therefore, a response will > not reach the client. To this end, it is unclear to me how much damage > swapping out the name of a request could cause in our case. Indeed, > unless requests are signed and the signature is verified, a forwarder > could swap out the names of requests, but the corresponding response > will not reach the client. I suppose a malicious forwarder could still > see the response before the response is dropped. I am happy to mention > that in Section 8. > > Hope this helps. > > Best, > Chris > _______________________________________________ > icnrg mailing list > icnrg@irtf.org<mailto:icnrg@irtf.org> > https://urldefense.com/v3/__https://www.irtf.org/mailman/listinfo/icnrg__;!!PvXuogZ4sRB2p-tU!Ck_l3JqxhS1GBV4FC0GZ9yNSHQAmGDDxHwyH_qxYPljEt7_FZEOymbblf1Re5Ilt9oDVo4a6Ux6ZCuQE_ZM$ > > _______________________________________________ > icnrg mailing list > icnrg@irtf.org<mailto:icnrg@irtf.org> > https://urldefense.com/v3/__https://www.irtf.org/mailman/listinfo/icnrg__;!!PvXuogZ4sRB2p-tU!GpmPMnfIPnKFCUWW0LqABDRfGdJT6cw0VXLZeheaWxlALjc2DaRzcK4cg6BNoQkzaFNqghFWUkTQa4oXBA$ > > _______________________________________________ > icnrg mailing list > icnrg@irtf.org<mailto:icnrg@irtf.org> > https://urldefense.com/v3/__https://www.irtf.org/mailman/listinfo/icnrg__;!!PvXuogZ4sRB2p-tU!GpmPMnfIPnKFCUWW0LqABDRfGdJT6cw0VXLZeheaWxlALjc2DaRzcK4cg6BNoQkzaFNqghFWUkTQa4oXBA$
- [icnrg] Review of draft-irtf-icnrg-icntraceroute Christopher Wood
- Re: [icnrg] Review of draft-irtf-icnrg-icntracero… Dirk Kutscher
- Re: [icnrg] Review of draft-irtf-icnrg-icntracero… Spyridon Mastorakis
- Re: [icnrg] Review of draft-irtf-icnrg-icntracero… Colin Perkins
- Re: [icnrg] Review of draft-irtf-icnrg-icntracero… Colin Perkins
- Re: [icnrg] Review of draft-irtf-icnrg-icntracero… Spyridon Mastorakis
- Re: [icnrg] Review of draft-irtf-icnrg-icntracero… Colin Perkins