IETF Logo Mail Archive

Re: [Int-area] Fwd: I-D Action:draft-rahman-rtg-router-alert-considerations-03.txt

Francois Le Faucheur <flefauch@cisco.com> Tue, 24 November 2009 10:38 UTC

Return-Path: <flefauch@cisco.com>
X-Original-To: int-area@core3.amsl.com
Delivered-To: int-area@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D9E003A6928 for <int-area@core3.amsl.com>; Tue, 24 Nov 2009 02:38:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.677
X-Spam-Level:
X-Spam-Status: No, score=-10.677 tagged_above=-999 required=5 tests=[AWL=-0.078, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JYhkp+3CaYl6 for <int-area@core3.amsl.com>; Tue, 24 Nov 2009 02:38:51 -0800 (PST)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by core3.amsl.com (Postfix) with ESMTP id A42023A6937 for <int-area@ietf.org>; Tue, 24 Nov 2009 02:38:50 -0800 (PST)
Authentication-Results: ams-iport-1.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-AV: E=Sophos;i="4.47,277,1257120000"; d="scan'208";a="55078379"
Received: from ams-core-1.cisco.com ([144.254.224.150]) by ams-iport-1.cisco.com with ESMTP; 24 Nov 2009 10:38:45 +0000
Received: from ams-flefauch-87110.cisco.com (ams-flefauch-87110.cisco.com [10.55.161.203]) by ams-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id nAOAciV1015746; Tue, 24 Nov 2009 10:38:44 GMT
References: <20091026141502.19A653A6832@core3.amsl.com> <2727_1256568272_ZZ0KS4007M6MA5K0.00_E5FA0438-FCA0-49C0-824A-F59B46624F46@cisco.com> <4AF3DF94.7090904@tkk.fi> <78CD73AD-BDF3-4F09-B4D7-4163A2023C5F@cisco.com> <4AF8E232.9060500@tkk.fi> <3BEF90A9-332B-4EF8-ADE8-8021DD6A52B7@cisco.com> <4B0B8F24.1090406@tkk.fi>
In-Reply-To: <4B0B8F24.1090406@tkk.fi>
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset="us-ascii"
Message-Id: <82392B90-DA95-47D3-A2D3-2F2A2B4F49D3@cisco.com>
Content-Transfer-Encoding: quoted-printable
From: Francois Le Faucheur <flefauch@cisco.com>
Date: Tue, 24 Nov 2009 11:38:43 +0100
To: Jukka Manner <jukka.manner@tkk.fi>
X-Mailer: Apple Mail (2.1077)
Cc: int-area@ietf.org
Subject: Re: [Int-area] Fwd: I-D Action:draft-rahman-rtg-router-alert-considerations-03.txt
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/int-area>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2009 10:38:52 -0000

Hello Jukka,

On 24 Nov 2009, at 08:45, Jukka Manner wrote:

> Hi,
> 
> You had one question below about providing a proposal for a "default" rule.

I was only asking whether you felt it was possible to converge on one "default" rule. 
As explained below, I personally don't think it is possible (or even desirable) because the trade-off is very dependent on a few key environment specifics (listed below).

> I'm the wrong person (an academic) to make proposals on what an operator SHOULD or SHOULD NOT do. Probably someone else should think about the right approach. My only point was to make it as clear and simple as possible, what the alternatives and their pros and cons are.

My proposal is that:
	* we keep the statement that option 3 is the "last resort" option
	* we further clarify the alternatives (1, 2a, 2b)
	* we further clarify pros & cons of each of those
	* we leave it to the network operator to decide which is best in his environment.

Cheers

Francois


> 
> cheers,
> Jukka
> 
> Francois Le Faucheur wrote:
>> Hello Jukka,
>> On 10 Nov 2009, at 12:46, Jukka Manner wrote:
>>> Hi Francois,
>>> 
>>> I read the doc on the plane over to Hiroshima.
>> and I happen to be reading this message on the plane back from Hiroshima  ^)
>>> I pretty much agree with
>>> the discussion. Yet, after having read the  document, I was left wondering, what is it that you actually want to say with?
>>> 
>>> In summary, you want to say that a network operator has three options:
>>> 
>>> 1. Catch RAO packets (grab the hand grenade and hope it doesn't blow *)
>>> 2. Ignore them, let them pass (pass it on quickly to the next router)
>>> 3. Drop them (throw far, far, away, e.g. to /dev/null)
>> right.
>> Note that "2 Let them pass" has several flavours:
>>    2a. "really Ignore them"
>>    2b. "tunnel them over"
>> and those have different implications (eg with 2a the operator cannot use RAO-based application inside his network, with 2b he can).
>>> 
>>> [* Scott Bradner once in a discussion with him compared RAO to a hand
>>> grenade :) ]
>>> 
>>> All of those choices have implications, of course. Maybe you could be
>>> more clear on these options.
>> Valid point.
>> We could make explicit for each options the implications in terms of:
>>    (i) does this prevent/allow users to deploy RAO-based applications transparently on top of the operator (ie overlay model)
>>    (ii) does this prevent/allow operator to deploy RAO-based applications in his network
>>    (iii) how much does this isolate the operator from external RAO
>>> What would be a default behavior to do? if
>>> you do 1, you are vulnerable, if you do 2, the next guy might not be happy, if you do 3, someone else might not be happy.
>> Right now, the doc says that 3 is the least preferred.
>> Beyond that, I find it difficult to make a universal recommendation between 1 and 2. To me it seems a choice the operator has to make based on the "implications" discussed above, based on the operators requirements (e.g. does the operator need to deploy RAO application in his network?) and based on whether some options are feasible (e.g. does the transport technology & routers allow tunneling of RAO?). I'm thinking that if we make the "implications" explicit as discussed above, the operator would have all the necessary information to make the decision.
>> Do you feel we can make a default universal recommendation?
>>> 
>>> (Note that in Section 5 you talk about looking at payload of interest,
>>> yet, here you come back to the problem of how to define the filter at a
>>> suitable granularity as to not catch all RAO packets and DoS yourself.)
>>> 
>>> Some answers in addition below.
>> One more comment below:
>>> 
>>> Cheers,
>>> Jukka
>>> 
>>> Francois Le Faucheur wrote:
>>>> Hello Jukka,
>>>> On 6 Nov 2009, at 09:34, Jukka MJ Manner wrote:
>>>>> 
>>>>> My WG having been a victim of a long debate on router alert, I believe there is value in documenting if or when RAO should or should not be used.
>>>> Good.
>>>>> Yet, there are already several RFCs that discuss/present RAO (2113, 2711, 5350). I have thought about the RAO lately and how to go forward, and it might make sense to merge these existing specs together, add recent views on RAO, and obsolete the previous RFCs.
>>>> There has been quite a bit of discussion about obsoleting (or not) RFC 2113 & RFC 2711. Our conclusions from that discussion was that the most effective approach was to :
>>>> break down the RAO discussions into two different "tracks":
>>>>   * one track that assumes current RAO definition (RFC2113 & 2711) and router implementation. The aim there is to define a BCP discussing if/where/how RAO should/should not be used in the current IP world. This can be done in a short time frame. This is the scope of draft-rahman-rtg-router-alert-considerations
>>>>   * one track that investigates potential changes to RAO definition. This is the scope of draft-narayanan-rtg-router-alert-extensions. This is much more exploratory and with longer term implications since it would depend on deployment of routers supporting the "new" RAO. This would be a Standards Track document.
>>> 
>>> Sounds fine. Not sure of the STD track above, maybe first experimental?
>> Makes sense.
>> Thanks again for your comments.
>> Francois
>>> 
>>>> Could we agree to:
>>>>   *  "add recent views on RAO"  (including pointers to relevant parts of RFC5350 such as discussion on Experimental RAO values, and as already done including pointers to relevant text of RFC2113/2711) into draft-rahman-rtg-router-alert-considerations, and
>>>>   * "merge RFC 2113/2711 and obsolete/update/work-along these previous RFCs" in draft-narayanan-rtg-router-alert-extensions if/when the work on changing RAO definition progresses
>>>> ?
>>> 
>>> Sounds okey to me.
>>> 
>>>> I believe it is really important to provide a BCP asap on use of RAO in the current situation and the above proposal would help us get there in a reasonable timeframe.
>>>> Thanks
>>>> Francois
>>>>> 
>>>>> I will arrive too late on Monday to take part in the int are meeting and hear the discussion, unless it would happen as the last item on the agenda.
>>>>> 
>>>>> cheers,
>>>>> Jukka
>>>>> 
>>>>> Francois Le Faucheur wrote:
>>>>>> FYI.
>>>>>> Francois
>>>>>> Begin forwarded message:
>>>>>>> *From: *Internet-Drafts@ietf.org <mailto:Internet-Drafts@ietf.org>
>>>>>>> *Date: *26 October 2009 15:15:02 CET
>>>>>>> *To: *i-d-announce@ietf.org <mailto:i-d-announce@ietf.org>
>>>>>>> *Subject: **I-D Action:draft-rahman-rtg-router-alert-considerations-03.txt *
>>>>>>> *Reply-To: *internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>
>>>>>>> 
>>>>>>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>>>>>> 
>>>>>>> Title           : IP Router Alert Considerations and Usage
>>>>>>> Author(s)       : F. Le Faucheur
>>>>>>> Filename        : draft-rahman-rtg-router-alert-considerations-03.txt
>>>>>>> Pages           : 25
>>>>>>> Date            : 2009-10-26
>>>>>>> 
>>>>>>> The IP Router Alert Option is an IP option that alerts transit
>>>>>>> routers to more closely examine the contents of an IP packet.  RSVP,
>>>>>>> PGM, IGMP/MLD, MRD and GIST are some of the protocols that make use
>>>>>>> of the IP Router Alert option.  This document discusses security
>>>>>>> aspects and usage guidelines around the use of the current IP Router
>>>>>>> Alert option.  Specifically, it provides recommendation against using
>>>>>>> the Router Alert in the end-to-end open Internet as well as identify
>>>>>>> controlled environments where protocols depending on Router Alert can
>>>>>>> be used safely.  It also provides recommendation about protection
>>>>>>> approaches for Service Providers.  Finally it provides brief
>>>>>>> guidelines for Router Alert implementation on routers.
>>>>>>> 
>>>>>>> A URL for this Internet-Draft is:
>>>>>>> http://www.ietf.org/internet-drafts/draft-rahman-rtg-router-alert-considerations-03.txt 
>>>>>>> 
>>>>>>> Internet-Drafts are also available by anonymous FTP at:
>>>>>>> ftp://ftp.ietf.org/internet-drafts/
>>>>>>> 
>>>>>>> Below is the data which will enable a MIME compliant mail reader
>>>>>>> implementation to automatically retrieve the ASCII version of the
>>>>>>> Internet-Draft.
>>>>>> ------------------------------------------------------------------------ 
>>>>>>> _______________________________________________
>>>>>>> I-D-Announce mailing list
>>>>>>> I-D-Announce@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/i-d-announce
>>>>>>> Internet-Draft directories: http://www.ietf.org/shadow.html
>>>>>>> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>>>>>> ------------------------------------------------------------------------ 
>>>>>> _______________________________________________
>>>>>> Int-area mailing list
>>>>>> Int-area@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/int-area
> 
> -- 
> Jukka MJ Manner, Professor, PhD.  Phone:  +358+(0)9+451 2481
> Helsinki University of Technology Mobile: +358+(0)50+5112973
> Department of Communications      Fax:    +358+(0)9+451 2474
> and Networking (Comnet)           Office: G320 (Otakaari 5A)
> P.O. Box 3000, FIN-02015 TKK      E-mail: jukka.manner@tkk.fi
> Finland                           WWW:    www.comnet.tkk.fi

v2.23.0 | Report a Bug | By Email