Re: [Int-dir] INT Directorate - Seeking Directorate reviews

<mohamed.boucadair@orange.com> Tue, 30 June 2015 07:03 UTC

From: mohamed.boucadair@orange.com
To: "Bernie Volz (volz)" <volz@cisco.com>, Ralf Weber <ralf.weber@nominum.com>
Thread-Topic: INT Directorate - Seeking Directorate reviews
Date: Tue, 30 Jun 2015 07:03:11 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93300533E109@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
References: <489D13FBFA9B3E41812EA89F188F018E1CB41327@xmb-rcd-x04.cisco.com> <02895A28-D94F-4553-8F35-BBC59F32BD08@nominum.com> <489D13FBFA9B3E41812EA89F188F018E1CB5216E@xmb-rcd-x04.cisco.com>
In-Reply-To: <489D13FBFA9B3E41812EA89F188F018E1CB5216E@xmb-rcd-x04.cisco.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/int-dir/bJ6CfL0b31mrF7k5hK7ZiaCvB7A>
Cc: "draft-vinapamula-softwire-dslite-prefix-binding@tools.ietf.org" <draft-vinapamula-softwire-dslite-prefix-binding@tools.ietf.org>, "Christopher LILJENSTOLPE (cdl@asgaard.org)" <cdl@asgaard.org>, "int-dir@ietf.org" <int-dir@ietf.org>, "int-ads@ietf.org" <int-ads@ietf.org>, "jeanmichel.combes@gmail.com" <jeanmichel.combes@gmail.com>
Subject: Re: [Int-dir] INT Directorate - Seeking Directorate reviews

Dear Bernie, Ralf, all,

Thank you for the review.

A misbehaving CPE can indeed vary the source IPv6 address it uses to send its IPv4-in-IPv6 packets to the DS-Lite AFTR. If the AFTR maintains state for each new softwire (from the same B4), then varying the source IPv6 address can be a source of DoS attacks that may exhaust the AFTR's resources.

A first mitigation to this attack vector is to limit the number of softwires per B4 (already recorded in the draft). This countermeasure should be complemented with rate limiting of softwires with a new source IPv6 address from the same CPE.

A new version that includes changes to address your comment is available online:

URL:            https://www.ietf.org/internet-drafts/draft-vinapamula-softwire-dslite-prefix-binding-06.txt
Status:         https://datatracker.ietf.org/doc/draft-vinapamula-softwire-dslite-prefix-binding/
Htmlized:       https://tools.ietf.org/html/draft-vinapamula-softwire-dslite-prefix-binding-06
Diff:           https://www.ietf.org/rfcdiff?url2=draft-vinapamula-softwire-dslite-prefix-binding-06

Cheers,
Med
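As an added illustration of the two countermeasures described above (a per-prefix cap on softwires plus rate limiting of new softwires from the same prefix), here is a constructed AFTR-side binding-table sketch. It is not code from the draft or from any AFTR implementation; the /56 prefix length, the cap of four softwires per prefix and the limit of two new softwires per 60 seconds are assumed values.

```python
"""Constructed example: AFTR softwire admission keyed by subscriber prefix.
Defends against a B4 that keeps changing its IPv6 source address by
(1) capping the distinct B4 addresses per prefix and (2) rate limiting
the creation of new softwires per prefix. Parameter values are assumptions."""
import ipaddress
from collections import deque


class PrefixBindingTable:
    def __init__(self, prefix_len=56, max_softwires=4, rate=2, per_seconds=60.0):
        self.prefix_len = prefix_len        # subscriber prefix length (assumed /56)
        self.max_softwires = max_softwires  # cap on distinct B4 addresses per prefix
        self.rate = rate                    # new softwires allowed per window
        self.per_seconds = per_seconds      # length of the rate-limit window
        self.bindings = {}                  # prefix -> set of B4 source addresses
        self.recent = {}                    # prefix -> timestamps of recent creations

    def subscriber_prefix(self, b4):
        # Derive the binding key (the subscriber prefix) from the B4 address.
        return ipaddress.ip_network(f"{b4}/{self.prefix_len}", strict=False)

    def accept(self, b4_addr, now):
        """Return (accepted, reason) for a packet whose outer IPv6 source is
        b4_addr at time `now`. Existing softwires are always accepted; a new
        softwire must pass both the per-prefix cap and the rate limit."""
        b4 = ipaddress.ip_address(b4_addr)  # normalise textual forms
        prefix = self.subscriber_prefix(b4)
        addrs = self.bindings.setdefault(prefix, set())
        if b4 in addrs:
            return True, "existing"
        if len(addrs) >= self.max_softwires:
            return False, "prefix cap"
        window = self.recent.setdefault(prefix, deque())
        # Drop creation timestamps that fell out of the sliding window.
        while window and now - window[0] > self.per_seconds:
            window.popleft()
        if len(window) >= self.rate:
            return False, "rate limited"
        window.append(now)
        addrs.add(b4)
        return True, "new"
```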

> -----Original Message-----
> From: Bernie Volz (volz) [mailto:volz@cisco.com]
> Sent: Monday, 29 June 2015 16:51
> To: Ralf Weber; int-dir@ietf.org; draft-vinapamula-softwire-dslite-prefix-
> binding@tools.ietf.org
> Cc: jeanmichel.combes@gmail.com; int-ads@ietf.org; Christopher
> LILJENSTOLPE (cdl@asgaard.org)
> Subject: RE: INT Directorate - Seeking Directorate reviews
> 
> Thanks Ralf.
> 
> Authors, please see below and note:
> 
> "Ralf was an assigned INT directorate reviewer for draft-vinapamula-
> softwire-dslite-prefix-binding-05. These comments were written primarily
> for the benefit of the Internet Area Directors. Document editors and
> shepherd(s) should treat these comments just like they would treat
> comments from any other IETF contributors and resolve them along with any
> other Last Call comments that have been received. For more details on the
> INT Directorate, see http://www.ietf.org/iesg/directorate.html."
> 
> - Bernie
> 
> -----Original Message-----
> From: Ralf Weber [mailto:ralf.weber@nominum.com]
> Sent: Monday, June 29, 2015 10:27 AM
> To: Bernie Volz (volz)
> Cc: jeanmichel.combes@gmail.com; int-ads@ietf.org; Christopher
> LILJENSTOLPE (cdl@asgaard.org)
> Subject: Re: INT Directorate - Seeking Directorate reviews
> 
> Moin!
> 
> On 23 Jun 2015, at 4:15, Bernie Volz (volz) wrote:
> 
> > Hi Ralf and Jean:
> >
> > Hopefully you guys can do the review for
> > https://datatracker.ietf.org/doc/draft-vinapamula-softwire-dslite-pref
> > ix-binding
> > as requested by Terry.
> Here we go:
> 
> I've read the draft and am good with it. There is one thing that might be
> added to it, or it could also be that I have not understood the protection
> mechanism.
> 
> As per the recommendations there now is one tunnel (default value) per /56 or
> defined prefix instead of a /128. Now if someone from the same /56
> connects, the CPE tunnel endpoint is switched if another session is
> initiated. Now could that not be a DoS attack vector on the gateway, as
> an attacker can use all of the prefix to constantly generate new tunnel
> endpoints, causing the gateway to migrate the traffic to the new endpoint?
> Should we not point that out and maybe recommend some rate limiting on
> tunnel connections?
> 
> So long
> -Ralf
> ---
> Ralf Weber
> Principal Architect, Special Projects
> office: +49 6446 4392053
> mobile: +49 151 22659325
> us: +1 650 817 5895
> Nominum
> www.nominum.com
> ralf.weber@nominum.com