Re: [Idr] Kathleen Moriarty's No Objection on draft-ietf-idr-add-paths-14: (with COMMENT)
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 12 May 2016 16:41 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFC3112D1ED; Thu, 12 May 2016 09:41:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h3BpTxvDP39g; Thu, 12 May 2016 09:41:52 -0700 (PDT)
Received: from mail-vk0-x233.google.com (mail-vk0-x233.google.com [IPv6:2607:f8b0:400c:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92C7412D6C5; Thu, 12 May 2016 09:41:52 -0700 (PDT)
Received: by mail-vk0-x233.google.com with SMTP id f66so105006237vkh.2; Thu, 12 May 2016 09:41:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-transfer-encoding; bh=9+rLWZkqmdMiKAKALQkizcVeQrL9hitK5mzk6a+fYz8=; b=kV0s4EOmnvbJyIMgUASZnQFADm4ZkiZbICGw38zk3H2kqTMzo/8uRxGPye5rCPQ7GI vCgkkj1fSu37e7ARsG+pZHz5AC3sQe/6d6aXX/WQcQ1WitmhuAiw4Q2ACgU19N4IJjeO 09lazTiR7SFPSdlhB68nizjuBxNp8XheyBtfZYyFXfAcG8mt6L1hMO5wP8TnbGT3DEbf V862KXmbbm3x85VsL4/A+3QxCwf8QFGvxfbKe0hlahcQyyTGeVxawILhTudc8T50MWO9 qFpIxAIVzWjrcTrraXNpCpCEID6hrf5VHk2XUadnnwERU7jGC2cyjNzM/1lYE1rtEy8Y RLtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-transfer-encoding; bh=9+rLWZkqmdMiKAKALQkizcVeQrL9hitK5mzk6a+fYz8=; b=PcZeAdFqfI1yewJyVfwDc6FZd/hQ0j48Ivk8UVd/yqbe7JhnC+qDWz6FT1FrgeRI9x iTkRL2e1hUGOFdost1FiZtqrErRKLtoDVjTcmRjrUvHL3zq7MDxZsyFAfGFTQfh5TXLm HCDoNCuqvAcB2UVFUacUB0AWg/oLJaA7Zr0ccI2Y3kjM+Di4JfEIzYsGv4zEaM95/W4x ZvWJxraBrluaFylwY6nXaSxRx3KoRO292fXB+PlPjLSdz2CWHS3n7lfjJmxt7ntE4JWK jvUW2T/PiNJHIhUcx+cUMXvNoFD+bOU/0WNRxcSmcKTwa+jOl10uky/ueWifnyIObWC/ riuQ==
X-Gm-Message-State: AOPr4FVuAAGH5BIP5sfy1xvnzU49TMAkbLfqRekohtnaWxrymTYG00g6TrjMXhpfyC8sRdkY5N/2fWDT99DHdw==
MIME-Version: 1.0
X-Received: by 10.159.35.15 with SMTP id 15mr5215478uae.109.1463071311609; Thu, 12 May 2016 09:41:51 -0700 (PDT)
Received: by 10.159.54.231 with HTTP; Thu, 12 May 2016 09:41:51 -0700 (PDT)
In-Reply-To: <AD40AFD7-66CF-4811-9D9F-54AB072377DA@juniper.net>
References: <20160502175801.15655.80242.idtracker@ietfa.amsl.com> <20160511143210.GC7636@pfrc.org> <CAHbuEH54U8MDaRVp882ZDyzNwsMnsp=4_rKV86ft5jC2VALFAg@mail.gmail.com> <AD40AFD7-66CF-4811-9D9F-54AB072377DA@juniper.net>
Date: Thu, 12 May 2016 12:41:51 -0400
Message-ID: <CAHbuEH6ffeFwZ-JyNsVn6NVXaTXG68a0wQOHDi75J+y+JNJ71A@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: "John G. Scudder" <jgs@juniper.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/idr/t1oEuKHQmqYOLYSfZQjkl7KamO4>
Cc: idr wg <idr@ietf.org>, Russ White <russ@riw.us>, idr-chairs@ietf.org, draft-ietf-idr-add-paths@ietf.org, The IESG <iesg@ietf.org>
Subject: Re: [Idr] Kathleen Moriarty's No Objection on draft-ietf-idr-add-paths-14: (with COMMENT)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 May 2016 16:41:55 -0000
On Thu, May 12, 2016 at 12:08 PM, John G. Scudder <jgs@juniper.net> wrote: > Hi Kathleen, > > On May 11, 2016, at 10:29 AM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote: >> On Wed, May 11, 2016 at 10:32 AM, Jeffrey Haas <jhaas@pfrc.org> wrote: >>> Kathleen, >>> >>> On Mon, May 02, 2016 at 10:58:01AM -0700, Kathleen Moriarty wrote: >>>> 1. I'd like to see the security considerations explicitly state that this >>>> could result in a denial of service attack. The resource consumption is >>>> stated nicely, but it would be good (following RFC3552) to state the type >>>> of attack. >>>> >>>> "This document defines a BGP extension that allows the advertisement >>>> of multiple paths for the same address prefix without the new paths >>>> implicitly replacing any previous ones. As a result, multiple paths >>>> for a large number of prefixes may be received by a BGP speaker >>>> potentially depleting memory resources or even causing network-wide >>>> instability." >>>> >>>> Adding something like: "This could result in a denial of service >>>> attack." >>> >>> The considerations of a BGP peer's normal protocol interactions with a BGP >>> speaker - with or without add-paths - being considered a Denial of Service >>> seems to be unnecessary scare words. >>> >>> While the add-paths case does permit a much larger number of paths to be >>> propagated, the same issue may apply to simply sending along a much larger >>> amount of some routing table than expected. This could include sending a >>> full Internet routing table to a router scaled for a few thousands of >>> routes. >>> >>> I recommend against this change. >> >> This is just a comment, so it's up to the shepherd and AD, but adding >> this would be in line with the guidance from RFC3552. >> >> https://tools.ietf.org/html/rfc3552 > > Looking at RFC 3552 S. 2.3.3 ("Denial of Service") it does suggest that DoS be considered and identified when relevant. I think Jeff's point (which I agree with) is that add-path doesn't change the fundamentals of BGP with respect to DoS -- the peer can send me a bazillion routes, differentiating them by prefix, or by path-id, or both. It just comes down to which bits in the NLRI are used to make the routes unique. > > Anyway, point taken that we should think about this more before making any definite conclusion, and if add-path does create any new DoS vulnerability we should identify it. Thanks, John! > > Regards, > > --John -- Best regards, Kathleen
- [Idr] Kathleen Moriarty's No Objection on draft-i… Kathleen Moriarty
- Re: [Idr] Kathleen Moriarty's No Objection on dra… Alvaro Retana (aretana)
- Re: [Idr] Kathleen Moriarty's No Objection on dra… Jeffrey Haas
- Re: [Idr] Kathleen Moriarty's No Objection on dra… Kathleen Moriarty
- Re: [Idr] Kathleen Moriarty's No Objection on dra… John G. Scudder
- Re: [Idr] Kathleen Moriarty's No Objection on dra… Kathleen Moriarty