Re: [Int-area] Intdir early review of draft-ietf-intarea-probe-00

Ron Bonica <rbonica@juniper.net> Mon, 30 October 2017 15:14 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/ULbDPLkkNuHCRXQSylRYzpCFwis>

Jean-Michel,

Thanks for the thoughtful review. I will post a new version addressing your comments today or tomorrow.

Responses inline......

                                     Ron


> Subject: [Int-area] Intdir early review of draft-ietf-intarea-probe-00
> Message-ID: <150912536515.22228.10940363588216201270@ietfa.amsl.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Reviewer: Jean-Michel Combes
> Review result: Almost Ready
> 
> Hi,
> 
> I am an assigned INT directorate reviewer for draft-ietf-intarea-probe-06.
> These comments were written primarily for the benefit of the Internet Area
> Directors. Document editors and shepherd(s) should treat these comments
> just like they would treat comments from any other IETF contributors and
> resolve them along with any other Last Call comments that have been
> received. For more details on the INT Directorate, see
> https://urldefense.proofpoint.com/v2/url?u=http-
> 3A__www.ietf.org_iesg_directorate.html&d=DwICAg&c=HAkYuh63rsuhr6Sc
> bfh0UjBXeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-
> AWF2EfpHcAwrDThKP8&m=VGSSVlquIpFROEmOdJ5fpnG3ivRSQQaY23hP8P0
> dBQs&s=mO2Ham-yMdBeeKDYThOOP6vfCePpUoAVnBorws9AIuU&e=.
> 
>                 PROBE: A Utility For Probing Interfaces
>                       draft-ietf-intarea-probe-06
> 
> <snip>
> 
> 1.  Introduction
> 
> <snip>
> 
> If the probed interface resides on a node that is directly connected to the
> probed node, PROBE reports that the interface is up if it appears in the IPv4
> Address Resolution Protocol (ARP) table or the IPv6 Neighbor Cache.
> Otherwise, it reports that the interface does not exist.
> 
> <JMC>
> Comment:
> Normative references to "IPv4 Address Resolution Protocol (ARP) table" (i.e.,
> RFC 826) and "IPv6 Neighbor Cache" (i.e., RFC 4861) are missing. </JMC>
> 
> <snip>
> 
[RB ] 
Good catch. Fixed in next version.

> 2.  ICMP Extended Echo Request
> 
> <snip>
> 
> o  L (local) - The L-bit is set of the probed interface resides on the probed
> node. The L-bit is clear if the probed interface is directly connected to the
> probed node.
> 
> <JMC>
> Typo:
> s/"The L-bit is set of the probed interface resides on the probed node."/"The
> L-bit is set if the probed interface resides on the probed node." </JMC>
> 
> <snip>
[RB ] 
Another good catch. Fixed in the next version.


> 
> 3.  ICMP Extended Echo Reply
> 
> <snip>
> 
> o  F (IPv4) - The F-bit is set if the A-bit is also set and IPv4 is running on the
> probed interface.  Otherwise, the F-bit is clear.
> 
> o  S (IPv6) - The S-bit is set if the A-bit is also set and IPv6 is running on the
> probed interface.  Otherwise, the S-bit is clear.
> 
> o  E (Ethernet) - The E-bit is set if the A-bit is also set and IPv4 is running on
> the probed interface.  Otherwise, the E-bit is clear.
> 
> <JMC>
> Question:
> Why must IPv4 also run to have the E-bit set?
> Question:
> Why is the E-bit not set if IPv4 is not running and IPv6 is running?
> </JMC>
[RB ] 

This was a typo. I meant to say:

  o  E (Ethernet) - The E-bit is set if the A-bit is also set and Ethernet is running on the probed interface.  Otherwise, the E-bit is clear.


> 
> 4.  ICMP Message Processing
> 
> <snip>
> 
>    o  Set the Code field as described Section 4.1
> 
>    o  If the Code Field is equal to No Error (0) and the L-bit is clear,
>       set the A-Bit.
> 
>    o  If the Code Field is equal to No Error (0) and the L-bit is set
>       and the probed interface is active, set the A-bit.
> 
> <JMC>
> Question:
> Why is the A-bit not set when the Code Field is equal to Multiple Interfaces
> Satisfy Query (3) and the L-bit is clear? Question: Same question when the L-bit is
> set. </JMC>
> 
> <snip>
> 
[RB ]

Error code 3 (Multiple Interfaces Satisfy Query) means that the query is ambiguous. Or, in other words, that two or more interfaces satisfy the match conditions specified by the query. So, we can't set the A, F, S or E bits because we don't know which interface the user is asking about.

> 8.  Security Considerations
> 
> <snip>
> 
> In order to protect local resources, implementations SHOULD rate-limit
> incoming ICMP Extended Echo Request messages.
> 
> <JMC>
> Comment:
> IMHO, the main security threat I see with this mechanism is to use it as
> "reflection" scanning: to discover nodes "behind" the proxy interface,
> without raising alarms from security probes watching the networks hosting
> these nodes.
> So, rate-limit can help to mitigate this potential threat too. </JMC>
[RB ] 

Yes, this does slow down the scanning attack. But it doesn't really mitigate it. The savvy attacker will scan slowly.

Thanks again for the thorough review.

                            Ron

> 
> 9.  References
> 
> 9.1.  Normative References
> 
> <snip>
> 
> <JMC>
> Comment:
> To add normative references to "IPv4 Address Resolution Protocol (ARP)
> table"
> (i.e., RFC 826) and "IPv6 Neighbor Cache" (i.e., RFC 4861), as commented
> previously. </JMC>
> 
> <snip>
> 
> Thanks in advance for your replies.
> 
> Best regards,
> 
> JMC.
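The reply-construction rules discussed in sections 3 and 4 of the thread (A-bit set for code 0 depending on the L-bit and interface state; F/S/E bits only meaningful when A is set; nothing set for code 3 because the query is ambiguous) are small enough to write down as executable logic. The following is an added example, not code from the draft or from its authors; the `Interface` record, the name-or-address matching in `select_interface`, and the code value 2 for "No Such Interface" (taken from the published RFC 8335, assumed to apply to this draft) are assumptions, and the E-bit rule is the corrected one Ron gives in his reply.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Extended Echo Reply code values named in the thread. CODE_NO_SUCH_INTERFACE
# is the value RFC 8335 later assigned; it is an assumption for this draft.
CODE_NO_ERROR = 0
CODE_NO_SUCH_INTERFACE = 2
CODE_MULTIPLE_INTERFACES = 3


@dataclass
class Interface:
    """Hypothetical (constructed) view of one interface on the probed node."""
    name: str
    active: bool = False
    ipv4: bool = False
    ipv6: bool = False
    ethernet: bool = False
    addresses: List[str] = field(default_factory=list)


@dataclass
class ReplyFlags:
    """Flag bits carried in the Extended Echo Reply, as described in the thread."""
    code: int
    a: bool = False  # A: the probed interface is active
    f: bool = False  # F: IPv4 running on the probed interface (needs A)
    s: bool = False  # S: IPv6 running on the probed interface (needs A)
    e: bool = False  # E: Ethernet running on the probed interface (needs A)


def select_interface(query: str, interfaces: List[Interface]) -> Tuple[int, Optional[Interface]]:
    """Resolve a query (interface name or address) to exactly one interface.

    Exactly one match -> (0, interface); several -> (3, None), the ambiguous
    case Ron describes; none -> (2, None). Matching by name-or-address is an
    assumption made for this example.
    """
    matches = [i for i in interfaces if query == i.name or query in i.addresses]
    if len(matches) == 1:
        return CODE_NO_ERROR, matches[0]
    if len(matches) > 1:
        return CODE_MULTIPLE_INTERFACES, None
    return CODE_NO_SUCH_INTERFACE, None


def build_reply_flags(code: int, l_bit: bool, interface: Optional[Interface]) -> ReplyFlags:
    """Apply the section 4 rules quoted in the thread.

    - Any code other than No Error (0): A, F, S and E stay clear. For code 3
      no single interface was identified, so there is nothing to report.
    - Code 0 and L-bit clear (interface is a directly connected neighbour,
      learned from ARP / the Neighbor Cache): set the A-bit.
    - Code 0 and L-bit set (interface is on the probed node): set the A-bit
      only if the interface is active.
    - F / S / E are set only when A is set and the respective protocol
      (IPv4 / IPv6 / Ethernet) is running on the interface.
    """
    flags = ReplyFlags(code=code)
    if code != CODE_NO_ERROR:
        return flags
    if not l_bit:
        flags.a = True
    elif interface is not None and interface.active:
        flags.a = True
    if flags.a and interface is not None:
        flags.f = interface.ipv4
        flags.s = interface.ipv6
        flags.e = interface.ethernet
    return flags


def probe(query: str, l_bit: bool, interfaces: List[Interface]) -> ReplyFlags:
    """Resolve the query, then derive the reply flags from the outcome."""
    code, iface = select_interface(query, interfaces)
    return build_reply_flags(code, l_bit, iface)


# Constructed sample node: two interfaces share the same IPv6 link-local
# address, so probing by that address is ambiguous (code 3).
SAMPLE_NODE = [
    Interface("eth0", active=True, ipv4=True, ipv6=False, ethernet=True,
              addresses=["192.0.2.1", "fe80::1"]),
    Interface("eth1", active=True, ipv4=False, ipv6=True, ethernet=True,
              addresses=["fe80::1"]),
    Interface("eth2", active=False, ipv4=True, ipv6=True, ethernet=True,
              addresses=["198.51.100.1"]),
]

if __name__ == "__main__":
    for q in ("eth0", "fe80::1", "eth2", "eth9"):
        print(q, probe(q, l_bit=True, interfaces=SAMPLE_NODE))
```

Running the block shows the four outcomes side by side: `eth0` yields code 0 with A, F and E set (S clear, because IPv6 is not running there); `fe80::1` yields code 3 with every bit clear; `eth2` yields code 0 with nothing set because the interface is down; `eth9` yields code 2.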