Re: [Idr] Roman Danyliw's Discuss on draft-ietf-idr-tunnel-encaps-20: (with DISCUSS and COMMENT)

John Scudder <jgs@juniper.net> Thu, 03 December 2020 15:59 UTC

From: John Scudder <jgs@juniper.net>
To: Roman Danyliw <rdd@cert.org>
CC: The IESG <iesg@ietf.org>, "draft-ietf-idr-tunnel-encaps@ietf.org" <draft-ietf-idr-tunnel-encaps@ietf.org>, "idr-chairs@ietf.org" <idr-chairs@ietf.org>, "idr@ietf. org" <idr@ietf.org>, Alvaro Retana <aretana.ietf@gmail.com>, Hares Susan <shares@ndzh.com>
Date: Thu, 03 Dec 2020 15:58:52 +0000
Message-ID: <DD341C8B-0702-48E1-8411-F99190C8B07D@juniper.net>
References: <160700777482.26979.18432434254166024114@ietfa.amsl.com>
In-Reply-To: <160700777482.26979.18432434254166024114@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/94EENJSpJEP7TtfGophVOdhM4fQ>

Would dialing the SHOULD up to a MUST be sufficient to address your concern? My previous comment notwithstanding, it occurs to me that if someone does want to perform an Internet-wide experiment such as I was speaking of, they could write a spec that updates ours, that relaxes the MUST and provides the necessary additional security analysis.

—John

> On Dec 3, 2020, at 10:02 AM, Roman Danyliw via Datatracker <noreply@ietf.org> wrote:
> 
> Roman Danyliw has entered the following ballot position for
> draft-ietf-idr-tunnel-encaps-20: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://urldefense.com/v3/__https://www.ietf.org/iesg/statement/discuss-criteria.html__;!!NEt6yMaO-gk!UgyOh1apt3GeZZrjSh_rt0RuCTnVgC56GutlFG4vPhwJoDDhz3rRloP77frNgw$
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ietf-idr-tunnel-encaps/__;!!NEt6yMaO-gk!UgyOh1apt3GeZZrjSh_rt0RuCTnVgC56GutlFG4vPhwJoDDhz3rRloOT5jjipA$
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> Per the conversation on my original COMMENT (thanks for the quick response),
> https://urldefense.com/v3/__https://mailarchive.ietf.org/arch/msg/idr/hV2t6-8mq2dOvmXO-PvLuiON5o4/__;!!NEt6yMaO-gk!UgyOh1apt3GeZZrjSh_rt0RuCTnVgC56GutlFG4vPhwJoDDhz3rRloOmECod2w$ , I'm
> escalating this item to a DISCUSS.
> 
> Section 11
> However, it is intended that the Tunnel Encapsulation
> attribute be used only within a well-defined scope, e.g., within a
> set of Autonomous Systems that belong to a single administrative
> entity.
> 
> As this applicability text should be read as a normative SHOULD, please provide
> a discussion on the risks of open Internet usage in the Security Considerations.
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thank you to Scott Kelly for performing the SECDIR review.
> 
> ** Section 1.5.  Per “Because RFC 8365 depends on RFC 5640, it is similarly
> obsoleted.”, this seems inconsistent with the meta-data header in the document
> (as RFC8365 isn’t obsoleted).
> 
> ** (original COMMENT, see DISCUSS above) Section 11.  Please use normative
> language on the applicability text restricting use to a single administrative
> domain.
> 
> OLD
> However, it is intended that the Tunnel Encapsulation
>   attribute be used only within a well-defined scope, e.g., within a
>   set of Autonomous Systems that belong to a single administrative
>   entity.
> 
> NEW (or something like this)
> 
> However, the Tunnel Encapsulation attribute MUST only be used within a
> well-defined scope such as a set of Autonomous Systems that belong to a single
> administrative entity.
> 
> ** Section 12.  Typo. s/tunnelling/tunneling/
> 
> ** Section 15.  Clarifying text
> OLD
> "hijacking" of traffic (insertion of
>   an undesired node in the path)
> 
> NEW
> "hijacking" of traffic (insertion of an undesired node in the path allowing for
> inspection or modification of traffic, or avoidance of security controls)
> 
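The scope restriction the DISCUSS asks for (the Tunnel Encapsulation attribute used only within a set of Autonomous Systems under a single administrative entity) can be enforced by the receiving speaker. The following is an added example, not code from the draft or from anyone in this thread; it assumes the IANA-assigned BGP path attribute type code 23 for the Tunnel Encapsulation attribute, uses constructed private ASNs, and treats the attribute's TLV contents as opaque.

```python
import struct

# IANA BGP path attribute type code for the Tunnel Encapsulation attribute.
TUNNEL_ENCAP_ATTR = 23
FLAG_EXTENDED_LENGTH = 0x10


def parse_path_attributes(data: bytes) -> list:
    """Split the Path Attributes field of a BGP UPDATE into
    (flags, type_code, value) triples, honouring the Extended Length flag."""
    attrs, i = [], 0
    while i < len(data):
        flags, type_code = data[i], data[i + 1]
        if flags & FLAG_EXTENDED_LENGTH:
            (length,) = struct.unpack_from("!H", data, i + 2)
            i += 4
        else:
            length = data[i + 2]
            i += 3
        if i + length > len(data):
            raise ValueError("truncated path attribute")
        attrs.append((flags, type_code, data[i:i + length]))
        i += length
    return attrs


def apply_scope_policy(attrs, peer_as: int, admin_domain: frozenset):
    """Keep the Tunnel Encapsulation attribute only when the peer is inside
    the administrative domain; otherwise strip it and record an event."""
    kept, events = [], []
    for flags, type_code, value in attrs:
        if type_code == TUNNEL_ENCAP_ATTR and peer_as not in admin_domain:
            events.append(f"stripped Tunnel Encapsulation attribute "
                          f"({len(value)} bytes) from out-of-domain AS{peer_as}")
            continue
        kept.append((flags, type_code, value))
    return kept, events


def build_attr(flags: int, type_code: int, value: bytes) -> bytes:
    """Encode one path attribute (helper for the constructed sample below)."""
    if len(value) > 255:
        flags |= FLAG_EXTENDED_LENGTH
        return bytes([flags, type_code]) + struct.pack("!H", len(value)) + value
    return bytes([flags, type_code, len(value)]) + value


# Constructed sample: ORIGIN=IGP plus an optional transitive (flags 0xC0)
# Tunnel Encapsulation attribute whose TLV contents are opaque here.
SAMPLE_ATTRS = (build_attr(0x40, 1, b"\x00")
                + build_attr(0xC0, TUNNEL_ENCAP_ATTR, b"\x00\x08\x00\x06" + b"\x00" * 6))
ADMIN_DOMAIN = frozenset({64500, 64501})  # constructed private ASNs
```

Run `apply_scope_policy(parse_path_attributes(SAMPLE_ATTRS), peer_as, ADMIN_DOMAIN)` with an in-domain and an out-of-domain `peer_as` to see the attribute kept in the first case and stripped with a logged event in the second.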