Re: [Idr] Benjamin Kaduk's Discuss on draft-ietf-idr-rfc5575bis-22: (with DISCUSS and COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Fri, 24 April 2020 02:12 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 254E03A0D91; Thu, 23 Apr 2020 19:12:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DDJpALtYdhp9; Thu, 23 Apr 2020 19:12:15 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDAFD3A0D90; Thu, 23 Apr 2020 19:12:14 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 03O2C9KC001042 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 23 Apr 2020 22:12:12 -0400
Date: Thu, 23 Apr 2020 19:12:09 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Susan Hares <shares@ndzh.com>
Cc: 'The IESG' <iesg@ietf.org>, draft-ietf-idr-rfc5575bis@ietf.org, idr-chairs@ietf.org, idr@ietf.org
Message-ID: <20200424021209.GR27494@kduck.mit.edu>
References: <158760254746.26942.2049621502527864651@ietfa.amsl.com> <020d01d619a4$26f91f80$74eb5e80$@ndzh.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <020d01d619a4$26f91f80$74eb5e80$@ndzh.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/FaGdpylvjyfWIFyQ67pJ1_NvCjE>
Subject: Re: [Idr] Benjamin Kaduk's Discuss on draft-ietf-idr-rfc5575bis-22: (with DISCUSS and COMMENT)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Apr 2020 02:12:19 -0000
Hi Sue, On Thu, Apr 23, 2020 at 03:19:45PM -0400, Susan Hares wrote: > Ben: > > First of all thank you for your detailed review. > > We really appreciate this detailed review during a revision of a deployed > protocol. I'm regularly surprised by what sorts of things can become stale in -bis documents -- the usual culprit is IANA considerations, but sometimes there are stale references or section numbers in references, so I try to read through the whole thing if I have time. > Christoph has added each of your comments to the github repository for this > draft. > > > Two clarifying questions that need pulling out besides your DISCUSS. > (see Robert's comment on the RR implication on the DISCUSS). > I'm pulling these to the front for ease of responding to the > > Section 12: > Your comment: > I'd consider mentioning again that some of the NRLI components won't work > properly on fragmented traffic and that unexpected fragmentation can cause > DoS. (This is particularly relevant for IPv4, as opposed to IPv6, where > fragmentation can occur anywhere on the path.) > -------- > Clarifying questions: > The RFC5575bis (and RFC5575) is simply providing filters for a firewall > function. > Is there an RFC that suggestions the appropriate cautions for firewall > filters.? > If so, could we mention that people implementing RFC5575bis should > simply be aware of BCPs regarding firewalls regarding DoS? I don't know offhand of a good reference for this point (but maybe one of my fellow ADs does!) -- my sense is that it's mostly just general institutional knowledge. For example, RFC 7597 mentions the need to reassemble before tunneling fragmented packets, and RFC 4301 has extensive discussion about fragment handling in IPsec and the design rational. So I was mostly just envisioning a single sentence along the lines of "Note that selectors that match on port number will match only the first fragment of fragmented packets, which may not be the desired behavior when fragmentation occurs". > Your comment: > Is it worth saying anything about how the RT-redirect actions can direct > traffic to an entity not expecting it (and, as such, potentially DoS them)? > > Clarifying question > Redirect also occurs with the firewalls? > RFC5575bis is simply enabling that function with multicast of the > Filter prefixes. Is there a BCP regarding firewalls that use redirect? Similarly to the above, I don't know of one offhand. (I'm also not sure that it's even worth mentioning this topic in the document -- it's getting a bit far afield.) > I have been trying to monitor the new threats discussion. > > Your comment: > :It also struck me as noteworthy that we're letting DSCP values creep out of > a single administrative scope -- the filtering of inbound DSCP markings > should probably be consistent with the traffic markings advertised to that > peer." > > The DSCP markings seem to cross boundaries with MPLS. > If there is a BCP regarding DSCP marking, should we reference this as well? Interestingly, I don't see such a BCP, and the best references here might be the original protocol spec/architecture (2474/2475) that discuss ingress and classifier behavior to enforce policy. RFC 4594 has something pretty close, though, for many of the service classes: o Packet flow marking (DSCP setting) from untrusted sources (end user devices) SHOULD be verified at ingress to DiffServ network using Multifield (MF) Classification methods, defined in [RFC2475]. So perhaps this document would say something like "when advertising extended communities for traffic-marking with DSCP, an AS should ensure that the advertised values will be accepted by its DSCP ingress policy and classifiers, per [RFC 2475]". Sorry that I don't have great answers for most of these, Ben
- [Idr] Benjamin Kaduk's Discuss on draft-ietf-idr-… Benjamin Kaduk via Datatracker
- Re: [Idr] Benjamin Kaduk's Discuss on draft-ietf-… Christoph Loibl
- Re: [Idr] Benjamin Kaduk's Discuss on draft-ietf-… Susan Hares
- Re: [Idr] Benjamin Kaduk's Discuss on draft-ietf-… Robert Raszuk
- Re: [Idr] Benjamin Kaduk's Discuss on draft-ietf-… Robert Raszuk
- Re: [Idr] Benjamin Kaduk's Discuss on draft-ietf-… Susan Hares
- Re: [Idr] Benjamin Kaduk's Discuss on draft-ietf-… Susan Hares
- Re: [Idr] Benjamin Kaduk's Discuss on draft-ietf-… Susan Hares
- Re: [Idr] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [Idr] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk