IETF Logo Mail Archive

Re: [Idr] BGP autoconfiguration - draft-ymbk-idr-l3nd

Minto Jeyananth <minto@juniper.net> Wed, 23 March 2022 23:57 UTC

Return-Path: <minto@juniper.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72D073A118C for <idr@ietfa.amsl.com>; Wed, 23 Mar 2022 16:57:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net header.b=vvy39+0R; dkim=pass (1024-bit key) header.d=juniper.net header.b=fwtplJh4
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jFttJLLKbmJP for <idr@ietfa.amsl.com>; Wed, 23 Mar 2022 16:57:38 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54CE93A119D for <idr@ietf.org>; Wed, 23 Mar 2022 16:57:37 -0700 (PDT)
Received: from pps.filterd (m0108163.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 22NLw100008820; Wed, 23 Mar 2022 16:57:36 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=PPS1017; bh=3f9A3zALCKoizak0VxcObTV+SOJGCdgiWa9IQIaw1mo=; b=vvy39+0R1kWnTfT/cnJwu1Cipe7lmypT3xTMl4v5dmuUsFUXs1ZG5TKLiGryt9GrZrkT bexmQosJ9ynPdaQj4nkSjhhQIFv+HlfK3Ey3UgU9GhUeDrQ9rk9/nmv1vT0SRryq00KQ v9tsh4e924QKX9FI+Yx9IKVep3FgRjIWL6Na4p2YxpXxrlmkyH/YHnZxOcRhsG+Zwj1x puWQGioTzGB+2MwN7wewuW50qLSX1h3UfsoyeGBfkHhCOBCfzmnzc6leGOYFBKJSC3z8 vtKm4SimA+WHstk6bXogoSKAt7Vv6w/dV6485mciX8vLsO4dfYTExCSIFkHh2xfOS4mQ wA==
Received: from nam10-dm6-obe.outbound.protection.outlook.com (mail-dm6nam10lp2106.outbound.protection.outlook.com [104.47.58.106]) by mx0b-00273201.pphosted.com (PPS) with ESMTPS id 3f0bx8r6m5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 23 Mar 2022 16:57:36 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WWUUXy5ZDVh5Cg359P2/tRMJoyzgzpu7c1ItibxxT57+FljZJVbXvlpg4JFNs7GoHzwMTUFHmWMQcBgtxqm75PJVQ0u9BV4NDn+SgG9v1FGU8HFgtMVNSzY6SaBWPb+//Fs6Cpal7URhdQkwyn0S3voK63U5spcH0N47Jiz0N9ElKy9ITVhc6NXZTCTe5NN0NXMAPK3Z9BQyB+S7KmEtCJfZGBvyGj0ZlwppPz8Zt+IU6jvd1td3PmUQA2GI9NzeHdt5TLFFDpdQqUsC5o5VX05ktt3V1Gmuxp+Wi31OpV9o7y5fL54OG1YLivE4RjVM7Nu8nMNt2IHmJwK7wPtjYg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=3f9A3zALCKoizak0VxcObTV+SOJGCdgiWa9IQIaw1mo=; b=TcOmb7Wj6Atsbn8G5XR/DceX5qrB8ghpMyqk6VM8wjtbOX6fJ+UgtU/i0jSMl3eeHeSDa5JhiO44vEUHIFTogqQztAvV5xfd/+FpXU8z98cT5ADOUhTmLbrTS9AxTVQSIh13Vvi13KqB6Fui1NRTqdwLsFHp4FMAmCIKyUL0TtHQsK3ZWcAH/XI3hoHTP8bIOHh5Uzz3KBphbSRXhuqCBpaDY3qSp7teFE26XP2JH8IKyaAf7B8L8mQ/lkO4CHBlY56OKn2nTlRlF31gUhYmaiIaAy0bhtT10crouPz4PldIB8cjquUIpPly+2CvQzv6RjZ3qcqowBiNQPwoQZSsyw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=juniper.net; dmarc=pass action=none header.from=juniper.net; dkim=pass header.d=juniper.net; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3f9A3zALCKoizak0VxcObTV+SOJGCdgiWa9IQIaw1mo=; b=fwtplJh4thcddeuMonP+ADawUa+tHuZjFmOzO7pIsLIFSAeB4+MohnFxiNIUdJEGpRpbuI9T0aRCOLn9eACjj4o9vIQhqZJZd5YpyeEzgjuScu2DM1PRLFvEnZDe8XYMfgSG0ReVUeSopf9Fjp+fLUEPXciKO3J+XvQGYokEAPw=
Received: from BYAPR05MB4359.namprd05.prod.outlook.com (2603:10b6:a02:f8::25) by BN6PR05MB3282.namprd05.prod.outlook.com (2603:10b6:405:43::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5102.8; Wed, 23 Mar 2022 23:57:32 +0000
Received: from BYAPR05MB4359.namprd05.prod.outlook.com ([fe80::b121:d015:8205:70a]) by BYAPR05MB4359.namprd05.prod.outlook.com ([fe80::b121:d015:8205:70a%7]) with mapi id 15.20.5123.008; Wed, 23 Mar 2022 23:57:32 +0000
From: Minto Jeyananth <minto@juniper.net>
To: Susan Hares <shares@ndzh.com>, 'Jeffrey Haas' <jhaas@pfrc.org>
CC: "idr@ietf.org" <idr@ietf.org>
Thread-Topic: [Idr] BGP autoconfiguration - draft-ymbk-idr-l3nd
Thread-Index: AQHYLbJsA7klS1TUhkifgSZM7QSLlKyxCwSAgAO49gCAEfNegIAHBkwI
Date: Wed, 23 Mar 2022 23:57:32 +0000
Message-ID: <BYAPR05MB4359111006B91C207B691239A5189@BYAPR05MB4359.namprd05.prod.outlook.com>
References: <20220301212151.GA32123@pfrc.org> <02d701d830b3$3ae2c910$b0a85b30$@ndzh.com> <20220308015612.GA17510@pfrc.org> <00b101d83b89$669886e0$33c994a0$@ndzh.com>
In-Reply-To: <00b101d83b89$669886e0$33c994a0$@ndzh.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Enabled=True; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_SiteId=bea78b3c-4cdb-4130-854a-1d193232e5f4; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_SetDate=2022-03-23T23:20:00.8047794Z; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_ContentBits=0; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Method=Standard
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 007360b4-95e4-4998-c074-08da0d28e58e
x-ms-traffictypediagnostic: BN6PR05MB3282:EE_
x-ms-exchange-atpmessageproperties: SA|SL
x-microsoft-antispam-prvs: <BN6PR05MB3282AAD472AA11980C48111BA5189@BN6PR05MB3282.namprd05.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: XZLxB9SD8KP62cSu8nha/nX3KFAWd7sbKotrvWvmwCHQknANmjBz4RE02NhRZ0yCqqScidiCId7uXa96jnnKhIRK1xxGHKOAYzWIx4tzOAQkoqcIqzFnMnAE4DBzJ4a2Jr0IeDa+CxU8uhGu4cE/0RhrE1LbLAFY776segEUiU0Yvizear5l723CtrsOZy9qU9CQBx3YtGyVLr7l57T47pT4A15o2MJONhXopadaHM0JIdBhuwb+HLhaGz9mXbvuTymZk2ncVyae+lnxtvd6B1qcq7zf0Zb+QOpnoA9k3DWp/uBhxmvQsp/6Cw/b5KnEBWQ74Ml8KGED9q7ak6wDL5sQnw2M2tTPZa8PNAQZZI2gF9C/ES+km3b0QxxaaHBGb+p6pxrV7eYoZAKuVgkamQmepCM0NYTDxMngF1hYWN4gl1JUaIXUeYJpmnYl6mWBLGuEjmwNbNhIOmC4SVLcE79o6loRbFAoncwvrYMkACt7pP6Kx+tth/Fd+iQ7RayT17aWqHvzcYHfO0RFz5E5Mfptsgend9o4HjN+EmgQf9fk1J/GLNjT/43Mkj+fcb0B7XjyBUAHgk1K7RmPAwA8LOp7zh3a4pD5oq+3jma84c8yIYLUz2HE+a7YOIveVcowP1z3mkycwS98MRk6u0AOLdzVTLSBEv2AQTa3ATjRlaGP1Nc9LKyc0LUfArIfevJwNN7aXJ5OYFwgnNa/WYaqdkCVJ8vO2UgrJ59CczkB9Cyinok+J86kWpbiYbmi+tO1HNBX5zixl2Kz/de/+0HKCVVra9jrsx8SUtVsNA9vLljPQ0N2K3nI0Dtya+Fzkw1eK2YRWFS784JzcArJKMP4WA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BYAPR05MB4359.namprd05.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(8936002)(2906002)(4326008)(66446008)(66556008)(64756008)(966005)(66476007)(8676002)(91956017)(66946007)(76116006)(86362001)(122000001)(5660300002)(83380400001)(52536014)(30864003)(38070700005)(316002)(166002)(71200400001)(55016003)(66574015)(110136005)(6506007)(7696005)(508600001)(9686003)(186003)(38100700002)(53546011)(26005)(33656002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: ESgh27ZWxxOweHx5Ps3JjJ737Z7Ugtrv/V7c6eXCiGI5nv3mHnHKuBtZyjRitb6qzRP+tl+dsavMNbDCDGhVH11m4vl7vOVLUh+DxWgzS5mDxCG1PnjHwZxdESGOCWW+Bb42a3DP70YROlAG1SWl67gYCH5cc2xh2kX/9OESDpqJ1ReMhA4Dl021UN0MOPZaCUuiGF/v4NlJ4N8mpSxvu4BZ0ZxThDNRZoMjJcu1fXIrKXU6yJCvq+ZV/o8EazUmpoq30m3dafHsHCd1jcY/WMS7MW6lVduIonQxW7327xuTxa7pFsGsryRzRW1W+fYSkmo2TGXzLxljG5IoMosSqFI6F13Y9N6xTWcdxklr7RtSpdJ+tGEn43GKTmlwIClwzxh7U5mGspTkWhktqFODDOrMqHcg9Cz8OctVFmUklvwnBEoTigSPBaj+C3zD0B+U5CVk6vgUvZhqwNvpsyifQMXeKCoisiTmyt/W8QCuQqeQKts11NtbmCeBn6duSRm+OQpbseE7hLppw6wizNFigRH3TJCiZxtxIkTonIPmTvYhOqxpzkTZK6CFSdGnrZAlHhzuVou31YuitPqYzZVSZ0IToqfS16gLLr9XO8LxCPv2RUEe0eZrrFFJIjKAhNGRgtzfKzA6FxXZys2gXZcftR+oswnp+aqC9jwY52j8q7PA9y/59xE4GJoFSVZ6Wi9Ee+FRILmUyaj3xZnosMowddpbo6RTStl1ydZNOR414VcZPUTAqxBjxW0Kkazv18qagy4cmuEI1Xabg2kzOLkQPCF+XvNgt5yGzX//pifJEDvZT/cTJUftz6rS/hl/SiSHwVPO/GkR7iQkOZsuXcXXHSlrC2INthX4/j39JAvYKo211Bi/hXD0Bfq1B0oqTZfbCUMA15RP0sgmAL+iX75h7+EB85Eiw3Cmu8JwHfy4GNCOq5gkhGhPU98MQY35INJ5/Lc+j7zcoceMdY7+1hWSYbT6sDAWR456u+sEuw/bsMzhwTGV4a/N1CZCZjMb2nS+BGeKcx1FJD1k6xbeEL6RtRWXU+k6Ktngjy/h4NU++XJSvqCDRELUEX8OUc59tlpzPWVKvNnG/x3wWaN4IRXiSIqNAYcFqMB8dGNhQf0VfjgZLU0Cj9mR6DTgqxmCAxJ/JuGvK95qgYQe9Xb7iUyUEarkMHryo1LEb0hjj8D6bhHeo+TfDVe4rau8HHg1Vx/fi0b7b9N6gwYtqQooftiP7nfyPxbGZgw5SSyhiuqgw3LImbZ1jg2/vt+vgq1DOUraqAuADmL9YtlMdAaqTyWg5owYBa4T0uABnYHhwCcrCbAuDUvsPdoCLyXg5WeY2Jt5XaMF/KpEvwehm96lU4cDx6I70ibvO40iOPf5c+7vOAexrIxVJDqKrKKRN9P8FNU+nf19hBMjJLmp7K1CR3GMGA9iEFkG4n7QcirSqq/C4VltxY3iWdu9SKrsDw09JlpRH70oi6Yuhgdmra9WpiERGw==
Content-Type: multipart/alternative; boundary="_000_BYAPR05MB4359111006B91C207B691239A5189BYAPR05MB4359namp_"
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BYAPR05MB4359.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 007360b4-95e4-4998-c074-08da0d28e58e
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Mar 2022 23:57:32.6131 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: zOEDr0A5I+pvOlyVY2EY9zUR/4g8FYlC+6WfKfz+6x/DgLZMnd9jUo+nQHohkpGsE5gTfLKypAU4IXnAVgWK0Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR05MB3282
X-Proofpoint-GUID: RbJHrHkG15R8YvMsRx5tmJ4Jw47IpSUk
X-Proofpoint-ORIG-GUID: RbJHrHkG15R8YvMsRx5tmJ4Jw47IpSUk
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.850,Hydra:6.0.425,FMLib:17.11.64.514 definitions=2022-03-23_08,2022-03-23_01,2022-02-23_01
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 clxscore=1015 malwarescore=0 impostorscore=0 bulkscore=0 mlxscore=0 lowpriorityscore=0 spamscore=0 adultscore=0 mlxlogscore=999 suspectscore=0 phishscore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2203230123
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/XDZCV0w0nHBJZvNXTmXddQLIEIY>
Subject: Re: [Idr] BGP autoconfiguration - draft-ymbk-idr-l3nd
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Mar 2022 23:57:46 -0000

Susan,

 Few questions on point 1-b).

  1.  is there any mechanism to avoid UDP hello in multi-access link? The cost of the timer here is not same as draft-minto tighter periodic timer?
  2.  Both BGP and LDP running TCP keepalive apart from TCP keep-alive. Does l3nd add that too?
  3.  l3nd-ulpc exchanges BGP authentication information. does l3nd TCP keychain is configured or exchanged through UPD hello?
  4.  rfc6952 2.4.1.1 describes the attack on UDP multicast. l3nd will add keychain based authentication?
  5.  In multi-access link, l3nd required full mesh of session. Right?

Thanks
-minto

From: Idr <idr-bounces@ietf.org> on behalf of Susan Hares <shares@ndzh.com>
Date: Saturday, March 19, 2022 at 5:04 AM
To: 'Jeffrey Haas' <jhaas@pfrc.org>
Cc: idr@ietf.org <idr@ietf.org>
Subject: Re: [Idr] BGP autoconfiguration - draft-ymbk-idr-l3nd
[External Email. Be cautious of content]


Jeff:

Thank-you for letting me know you prefer the response in one long email.
I'll respond to each of your comments below.

Just to recall the high points:

Point -1:
  two types of protocols
a) unreliable transport
          multicast + Key-chain + timers  for every message

b) reliable transport + optional security
        transport (TCP) + key-chain
     or  TLS + Self-Signed/CA-based

The question is whether the timers cost you more than the
transport.

Point-2:
Open Attributes are flexible hints of who is talking.
Session-id != nonce
Serial-number - tracks a set of attributes + encapsulations


Point-3:
Encapsulations may be important to some
and irrelevant to others.


Sue

-----Original Message-----
From: Idr [mailto:idr-bounces@ietf.org] On Behalf Of Jeffrey Haas
Sent: Monday, March 7, 2022 8:56 PM
To: Susan Hares
Cc: idr@ietf.org
Subject: Re: [Idr] BGP autoconfiguration - draft-ymbk-idr-l3nd

[General note: While I'd prefer to have a response for the original single
message in a single response, I'll be responding to the individual replies.
This should help those with threaded mail readers track the responses
better.]

Sue,

On Sat, Mar 05, 2022 at 12:05:25PM -0500, Susan Hares wrote:
[Jeff - Point-1 ]:
> Please see the text in draft-ymbk-idr-l3nd-01:
>Similarly, please note that my original post was vs. -00 of the draft.
Have
>care at trying to move the goal posts mid-conversation. :-)

>>   The server, the sender of the HELLO with the lower IP address,
>>New procedure since -00.
>>    listens on the advertised port for the TLS/TCP session open.
>While it's possible that the receiver only creates its TCP listen socket
after
>hearing a HELLO from another sender, this isn't typical listen socket
>coding.  It's far more typical for a TCP listener to have a socket open and
>ready to receive incoming sessions.

[Sue:  Yes, -01.txt correct errors or things that were missing]
[Sue]: However, when you have the Hello sequence, this can be restricted.

[Jeff - Point 2]
>>If the receiver of a HELLO that is also sending a HELLO determines it is
the
>>lower of the IP addresses and instead chooses to dynamically create the
>>listening socket at that time, it would have the properties of:
>>1. The listening socket is available less of the time, which may be mildly
>>protective of attacks against the TCP stack.
>>2. However, introduces timing considerations before the initiator of the
TCP
>>connection would be able to connect.

>If your intent is to have deferred listen socket creation as normative
>procedure, you will want to have related normative text for the connector
to
>try to reduce connection time.  Otherwise, you're looking at slowing down
>discovery.

[Sue]: The configuration time is  configurable.
Your description is system dependent - so I suspect the people
creating a particular router will tune it.

   Once the TLS/TCP session is established, if the link is configured as
 point to point, the client side SHOULD stop listening on any port for
  which it has sent a HELLO.  The server side SHOULD stop sending
   HELLOs.

[Jeff- Point-3]:
L3DN lacks a state machine with named states similar to BGP, so my comment
here will be somewhat imprecise.

Your text above says HELLO is stopped when TLS or TCP is established.  Those
are slightly different events.  TLS requires TCP, so you could stop HELLO
there.  TLS will go through its Handshake Protocol exchange. (RFC 4346,
§7.3)
Was that where HELLO should stop when TLS is enabled?

If HELLO stops at the first TCP connection accepted, it permits an attacker
to stifle HELLO messages from legitimate parties.

Similarly, if only a single incoming TCP connection is permitted until TLS
session is up (handshake has completed), it permits a similar denial of
service.

[Sue - Point-3]:  A particular implementation will configure TLS or TCP per
port.
At that point, if TLS is configured then it will keep the Hello going until
the TLS is up and running.    Adding a state machine to the L3DN, is
a good idea.

[Jeff - Point-4:]
>Perhaps related, HELLO perhaps should not stop until L3ND mutually
exchanges
>and positively ACKs their OPEN messages.  That might make a better sync
>point to stop HELLO, although it still means addressing the TCP session
>questions.

>In BGP parlance, the mutual exchange of OPEN and positive ACK would be the
>Established state.

[Sue: Point-4]:  The cost in keeping the Hello going until L3ND
mutually exchanges is more messages on the wire.
The trade-off at the TCP/TLS level was my choice.
The WG can make a trade-off later.

[Jeff: Point-5]
A few extra notes:
- L3ND doesn't have any normative references to TLS.
- The Security Considerations section recommends at least TLS 1.1
- RFC 8996 deprecates TLS 1.0 and 1.1.  If there's compelling reason to
  support TLS 1.1, it might be worth mentioning why.  It's not as if BGP
  hasn't been using the deprecated TCP-MD5 for years. :-)

[Sue-Pont-5]
Thank  you for mentioning this.  It should have been 1.2 or higher.
A normative reference to TLS would be useful to add.

[Jeff-Point-6]
> The L3DN - proposes BGP auto configuration that
> supports reliable transport with security.
>
> Open, Encapsulation, Ack - run over TCP (or TLS)
> that provides reliable ordered delivery.
>
> Open PDUs are required PDUs  that have:
> 1) a nonce (like a message ID)
> "Enables detection of a duplicate OPEN PDU" (p. 11, paragraph 2).

I think it's more precise to call the nonce a session ID.  One of its
purposes in the procedure is to permit a pre-existing session to be resumed.

I remain unclear why there would be "duplicate" OPEN PDUs on the same TCP
session.  TCP is a reliable protocol.  Is the expectation that the receiver
is taking a reliable protocol and randomly discarding messages?

[sue-6]
A nonce is not a session-id.  It is a nonce.
A nonce prevents "man-in-the-middle" attacks for the TCP
variant of the protocol or some bug in the system.
It is less likely in the TLS version.

The purpose is: "It is needed to prevent a session closure due to a
Repeated Open caused by a race or a dropped or delayed ACK" (-p. 11).

[Jeff-Point-7]
> 2) serial number - "representing the senders state at the time of
> Sending the last PDU" [p. 11 last paragraph)

> Encapsulation PDUs are optional  PDUs that have:
> 1) serial number - "representing the senders state at the time of
> Sending the last PDU" (p. 15)
> 2) Flag for Announce/Withdraw of encapsulations

> Encapsulation PDUs do not have a nonce.

> Ack PDUS - send by receiver of Open/Encapsulation PDUs
> To indicate status (Ok, Warning, Broken session, Warn operator)
> To acknowledge a specific type of PDU
> (Open, Encapsulation PDUs (4-7
> ACKs PDUs.   Do not have a nonce or a serial number.
>
> The WG could suggest adding nonces to Encapsulation PDUS
> so all PDUs have a message id, and adding the nonce value to
> ACK PDUs.   There are pros/cons of adding this state for debugging
> versus bytes on wire + implementation states.

>> As a mechanism to identify a restarting session, the nonce is a fine
session
>> ID.  Personally, my question is more about whether the necessary state
>> retention and refresh mechanisms are worth the additional complexity in
the
>> protocol.  I'd personally recommend that a session restart simply replay
all
>> necessary state fresh.

[Sue-7]:
The encapsulation allow the L3DN players to exchange data across multiple
subnets.
(e.g. page 16).
I will cover this point in a unique post to the list.

[Jeff-8]
> L3DN is not a "shout in the dark" bgp auto-configuration protocol.
> I define "shout in the dark" protocol as one which
> 1) does not provide reliable transport
> 2) uses authentication/Hash based security

In fairness, I labeled such protocols as shout in the dark but that's a
reasonable summary of it. :-)

[...]
> [snip - to make it easier to respond to.
> My previous message answered the questions
> Regarding scope and transport]
>
> [Point 1 - Protocol state]
> Protocol state and FSM considerations:
>
> > - Similar to BGP, parallel session are a possibility.  I'm unclear how
> >   connection collisions are handled.
> >   + The procedures seem to try to cover this by saying "drop hello when
> >     there is an established session".  However, timing could result in
two
> >     sessions happening in parallel prior to drop.
> >   + There isn't a clear idea of the FSM having an "established" state,
or
> >     the related "OpenSent/OpenConfirm" states similar ot  BGP that could
> >     prevent this?
>
> [Sue] The solution used by IETF LDP or IEEE parallel sessions is
> to pre-define the resolution.  Please see the above text from
> draft-ymbk-idr-l3nd-01 that resolves this issues.
> [End point 1]

[Jeff:  Point-8]
As I briefly noted to the publication notice for -02 of this draft, this
changes a property of the protocol: It requires both sides to run the HELLO
mechanism.  A consequence of this is that it's no longer possible for a
single side to act as a HELLO sender - likely in a "server" role.

For point to point deployments, this isn't a big deal.

For multi-access deployments that are intended to result in some form of
full or partial mesh, this still isn't a big deal.

For multi-access deployments that are intended to have a small number of
devices acting as the end point for a BGP session, this is problematic.
You'll have attempts at full mesh peering when perhaps a tiny number of
devices want to peer with each other.

[Sue-8:]
  I am not clear why you state these three points above.
  The text states:
"The Hello PDU solicits a unicast TLS/TCP session open request
Of the same AFI from other devices on the link." (p. 9, -02)

Only if there are two directions for hello, does the case in the
Next step work.  "When a hello is received from a source
IP address with which there is no establish TLS/TCP L3ND,
If the receiver has the higher of the two IP addresses, it should respond. "

I do not see where you are getting any of the rest of the text.
Please provide examples and text from the -02.txt.



[Jeff-point-9 for this email]
> [Point 3 - size of Attributes]
>   + Also, why so small?  Payload length appears to be 4 octets.  A larger
>     value permits more flexibility for local semantics; e.g. bit vectors.
> [Sue:  Were open to hearing pros/cons of 1 byte vs. 4 bytes
>   from the IDR WG.   If we use fixed lengths (1 or 4) both are useful.]
> [end point 3]

My personal opinion is that fixed length is fine for the application.  The
Working Group will likely have opinions about the size.
 [Sue: agreed that size on attributes is ok]

[Jeff: point 9 this email]
> [Point 4 - Resuming session]
>   + Is there significance to resuming a session using the documented
>     procedures when the Attributes may not be identical to the ones
> previously
>     received in the interrupted session?
> [Sue:  Yes.
> Nonce - provides detection of duplicate Open
> Serial number - indicates a single state of the Database
> which contains a set of optional attributes + encapsulations. ]
>
> Let's look at duplicate Open:
> Nonce is the same, and Serial number is the same.

For clarity, I think there's some confusion in using the term "duplicate" in
this context.  It's not a duplicate on the same established session.
Instead, it's [an] Open that has a nonce that matches a previous transport
session.

If that's the intent, I'd suggest either different verbiage or make sure and
define the context for duplicate.

[Sue- Point 9: ]
Jeff - A nonce is just a "nonce".  It is not a session id.
It is a common term in many protocols to prevent a "man-in-middle"
attack.  It is not a session-id.

[Jeff- Point-10]
(long sequence on my example)

>> Let's look at Attribute change
>> Nonce is different, Serial number is different
>>That's not the scenario under consideration.  If the nonce changes, it's a
>>restart of the session.

[Sue-10a] If that's the intent, I'd suggest either different verbiage or
make sure and
define the context for duplicate.

>OPEN messages in the loosely defined state machine are intended to be sent
>at the start of the transport session once data can be exchanged.
[Sue-10b]
The open is sent with a "hello".
Nonce = identifier for duplicate Ack (man in middle attack)
Serial number = data base.

>Serial numbers are loosely specified as advancing per packet.
>If no additional OPEN message is sent, how would the Serial Number advance
>for a change in Attributes?

[Sue-10c]
It could be that a "policy" in the
L3DN has logic that says - try another set of attributes.

>I think your intent is likely that if the Attributes do not agree for the
>same session (Nonce) that Something Must Happen.  Is it a session bounce?
>I'm not sure what your intent is.

[Sue-10d]
The idea is that if you keep lots of encapsulations.
Or have attributes to catch something plugged in wrong.
Then, the attribute or database is correct.

>> Let's look at restart of system
>>Nonce is different, Serial number is the same.
>If Nonce is different, the text says that it is not a session restart.
> Why care about what is in the DB:
> Example:
> Box1-Box2 (hello, TCP-setup)
> Box 1 Open-1: With Attribute RR1
> (Indicates will accept 6 AFI/SAFIs in BGP)
> Nonce: 3030
> Serial number: 1
> Box2: Ack-Open: Error (1) - Error hint (not RR1 flag, RR2 flag)
> Box2: Open-1: Attribute: RR client
> Nonce: 7070
> Serial number: 50
> Box-1: Ack-Open

> Box-1 Open-2:  RR2 (accepts 5 AFI/SAFIs)
> Nonce: 6060
> Serial number: 2
> Box-2: Ack (0) no error

>Why is Box-1 sending OPEN again?
[Sue-10e]
Different attribute list.  (Just as stated)

>> Box-1 reboots
>> Box1-Box2 (hello, TCP-setup)
>> Box1: Open-3, Attribute RR2
>> Nonce:  100
>> Serial number: 2
>> Box2: Ack-open (ok)
>> [Point 4 end]
>> I think the above example may be a bit off.  Perhaps another try at it?

[Sue-10f]
The example is not off.
No, you are missing the point of the attributes.

The intent from the specification seems to be that when a session comes up,
and the data matches a previously exchanged Nonce, then you can use matching
serial numbers to do selective replay.  That's fine.

[Jeff-point-11]
OPEN messages are not, as best I can tell, exchanged again once the OPEN
messages are mutually exchanged and ACKed.
[Sue: 11a]
The machine running L3DN can go down and come up.

> For clarity, consider labeling Serial Number as "last received serial
>   number".
The serial number is a database-id.

>> Old Text:  The Serial Number is a monotonically increasing 32-bit
>> value representing the sender's state at the time of sending the
>> last PDU. /
> New text:
>> The Serial Number is a monotonically increasing 32-bit
>> value representing the sender's state at the time of sending the
>> this Open PDU. /
[Sue-11b]:
In the context of OPEN, you're informing the other side what the last state
you heard from them was.  However, you are correct, the original text was
correct.

Text -02:  "The Serial Number is a monotonically increasing four octet value
Representing the sender's state at the time of sending the last PDU. "


[Jeff- point-11 (old point-8)
> [Point-8]
> - The Etype conditions are a bit lax for a useful state machine for what
we
>   have documentation for:
>   + If Open can't be acked successfully, should the session be permitted
to
>     continue?
>   + Is "restart is hopeless" a shutdown?  An admin-down?  What should the
>     implementation do with its PDUs?  Should it tear down the session?
>
> [Sue: Some of L3DN authors suggested deleting the ACK.
> The Open-Message contain attributes each side is willing to handle.
> The ACK simply gives remote side error indicates which may allow
> automation of the fixes.

It's your protocol.  I agree that you can live without ACK in many
circumstances.  You will likely need it as a mechanism to make sure you
mutually exchange OPEN and ACK prior to starting to send other PDUs.

It'd also maintain some level of similarity to the BGP FSM.  If so, consider
borrowing the state names.

While the OPEN message lacks any semblance of the BGP Capability mechanism,
it's pretty easy to visualize that some dependency on behavior based on
received Attributes has similar properties.

> My example for point 7 gives a positive example for the "warning" (1).
>
> An example for the restart, is a detection of misconfiguration
>  [You are sending me attributes that I think are broken]
>
> An example for hopeless restart (admin-shut down)
> is if the Open contain multiple broken attributes.

If the intent of restart is hopeless is that things are locked into an
AdminDown type state, there should be normative text as to what that does to
the state machine.  For example, HELLO might not resume once the TCP session
is dropped.

> The minimum Ack PDU requirements are handle ACKed PDUs,
> Etypes, and Error codes.   The rest is extensible for each
implementations.
>
End[New-point-11 /Old Point 8]

Sue: A state-machine is useful in the iteration after adoption.

[Jeff New-Point-11]
> [Point-9]
> - 3 seconds seems a bit low for a response timeout.  While the protocol
>   seems to be structured toward easy restart, why disconnect so
>   aggressively?
> [Sue] The timeout on OPEN receiving an ACK is configurable
> With 30 seconds as a timeout.
> [end-comment]

This was in reference to section 10.1.  The value has been updated to five
seconds... which still seems like a short default. :-)

The retransmit behavior again seems peculiar for a reliable TCP session.
>
> - The message exchange protocol is "one outstanding ack" which means there
>   is no pipelining of the various messages.  Given this, the lack of a
>   serial number being acked in the message is understandable, but seems
like
>   it'd be good debug info.
> [Sue:
> The 4 byte Nonce identifies the open message.
> The 4 byte serial number identifies the DB state.
> Are you looking for the Nonce to be echoed in the ACK for the OPEN?

I'm commenting that the ACK PDU (Section 9) does not contain the Serial
Number that it is acknowledging.

[Sue: (New:11/old: 9) A Serial number could be added to the ACK, but there
Is a trade-off here]

[Jeff-12]
>   + That lack of pipelining means that full exchange of state will be
gated
>     on slowest sender on the session; the transmitter or the
acknowledger..
> [Sue]
> TCP/TLS provides reliable transmission and ordering on the pipeline
> in each directions.
> OPEN has a nonce (message ID),  Encapsulations (ID 4-7) do not.
> Serial number gives the DB state with attributes + encapsulations.
>
> Are you suggesting:
> 1) Augmentation of the Encapsulation header with nonce (message id)
> 2) ACK PDU header contains the nonce of the open/Encapsulation header
> 3) We allow (as some IEEE protocol do) the batching of
> ACKs in one TLV?
>
> All this is possible, but it is a trade-off that the authors would like
> feedback on.
> [sue]

I'm suggesting that the protocol is "call and response".  You send a
message, you want an ACK for it.  This means that in spite of the fact that
this is TCP and there are buffered windows to transmit into in a reliable
fashion, no PDUs are placed into the TCP stream until the prior PDU receives
an ACK PDU.  This is a one-bit flow-control mechanism.

Sue-12:  TCP guarantees the right number of bytes.
TCP does not guarantee the syntax of those bytes to be correct.
The Ack is replying to the syntax of the message.



-- Jeff

_______________________________________________
Idr mailing list
Idr@ietf.org
https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/idr__;!!NEt6yMaO-gk!TmhAR2N3V-_dp8Rgj1nEy5nCfQLccjMP5gTeFjwcGFy01QA7YkxJT4Rqmse0rw$<https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/idr__;!!NEt6yMaO-gk!TmhAR2N3V-_dp8Rgj1nEy5nCfQLccjMP5gTeFjwcGFy01QA7YkxJT4Rqmse0rw$>

_______________________________________________
Idr mailing list
Idr@ietf.org
https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/idr__;!!NEt6yMaO-gk!TmhAR2N3V-_dp8Rgj1nEy5nCfQLccjMP5gTeFjwcGFy01QA7YkxJT4Rqmse0rw$<https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/idr__;!!NEt6yMaO-gk!TmhAR2N3V-_dp8Rgj1nEy5nCfQLccjMP5gTeFjwcGFy01QA7YkxJT4Rqmse0rw$>


Juniper Business Use Only

v2.23.0 | Report a Bug | By Email