Re: [Isis-wg] I-D Action: draft-ietf-isis-l2bundles-06.txt

"Les Ginsberg (ginsberg)" <ginsberg@cisco.com> Thu, 25 May 2017 04:54 UTC

Return-Path: <ginsberg@cisco.com>
X-Original-To: isis-wg@ietfa.amsl.com
Delivered-To: isis-wg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 137D1126CB6 for <isis-wg@ietfa.amsl.com>; Wed, 24 May 2017 21:54:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.523
X-Spam-Level:
X-Spam-Status: No, score=-14.523 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WKjUMc9NHWxp for <isis-wg@ietfa.amsl.com>; Wed, 24 May 2017 21:53:59 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12802120725 for <isis-wg@ietf.org>; Wed, 24 May 2017 21:53:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=15338; q=dns/txt; s=iport; t=1495688039; x=1496897639; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=q+QAn8xTUVAeAiQ57pxO/hpvhFNIYjZWMKbzizWvxXg=; b=APkZIl1njfisQ1qkUO7UC4zBGDpfXgkzaw8X838RcGg3kAQugyMuLiHX 34n7cNutGrZpuADuye7UcLP0o7ECuEWVJXUd/bNmnzS2N7aa/CAPlkAip m6eAYOoc6RF7xrKAhFH6+rDFmSxGHSbCXpWvkdO85r3gpF9Cl2+qA7Cp0 A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0C+AADhYiZZ/5tdJa1UCRkBAQEBAQEBA?= =?us-ascii?q?QEBAQcBAQEBAYNVYoEMB4NoihiRXIgojVCCDyELhXgCGoJZPxgBAgEBAQEBAQF?= =?us-ascii?q?rKIUYAQEBAQIBAQEhEToLDAQCAQgRBAEBAQICIwMCAgIfBgsUAQgIAgQOBQiKB?= =?us-ascii?q?gMNCA6uAIImhzQNhBEBAQEBAQEBAQEBAQEBAQEBAQEBAQEdgQuFVIFdAYMcglV?= =?us-ascii?q?NgRMICgFCgmyCYAWdaDsBhx+HMIRPgg9VhGeKNYsyiRsBHzh/C3EVHCqEdxyBY?= =?us-ascii?q?3YBhxOBIYENAQEB?=
X-IronPort-AV: E=Sophos;i="5.38,389,1491264000"; d="scan'208";a="247451837"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-9.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 25 May 2017 04:53:57 +0000
Received: from XCH-ALN-007.cisco.com (xch-aln-007.cisco.com [173.36.7.17]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id v4P4rvdP015018 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 25 May 2017 04:53:57 GMT
Received: from xch-aln-001.cisco.com (173.36.7.11) by XCH-ALN-007.cisco.com (173.36.7.17) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Wed, 24 May 2017 23:53:56 -0500
Received: from xch-aln-001.cisco.com ([173.36.7.11]) by XCH-ALN-001.cisco.com ([173.36.7.11]) with mapi id 15.00.1210.000; Wed, 24 May 2017 23:53:56 -0500
From: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
CC: "isis-wg@ietf.org" <isis-wg@ietf.org>, =?utf-8?B?TWlyamEgS8O8aGxld2luZA==?= <ietf@kuehlewind.net>, Adam Roach <adam@nostrum.com>, Eric Rescorla <ekr@rtfm.com>, Suresh Krishnan <suresh.krishnan@gmail.com>, "Benoit Claise (bclaise)" <bclaise@cisco.com>, "mjethanandani@gmail.com" <mjethanandani@gmail.com>, Alissa Cooper <alissa@cooperw.in>, "Alvaro Retana (aretana)" <aretana@cisco.com>, "Ben Campbell" <ben@nostrum.com>
Thread-Topic: [Isis-wg] I-D Action: draft-ietf-isis-l2bundles-06.txt
Thread-Index: AQHS1PAo4KdfACMqLUawlr6I8TMo4KIEOBAAgABedQD//64hsIAAZF4A///QigA=
Date: Thu, 25 May 2017 04:53:56 +0000
Message-ID: <8bf15bb4c0cc42ba9cb480efa60508d6@XCH-ALN-001.cisco.com>
References: <149567309799.8624.16080269380002810311@ietfa.amsl.com> <9b951044ae6b4bc69012fffe393ceefc@XCH-ALN-001.cisco.com> <CAHbuEH6fNcTEvt6m5UOk+Qj_+HuzG_HfUpfD=A7zk75xoomtVg@mail.gmail.com> <f0893e23975b44228803df5510ad6198@XCH-ALN-001.cisco.com> <CAHbuEH6yR3zL6WoXUwZ=PyLe5=0TR6wpjyt2Nk4-YArWjsDajA@mail.gmail.com>
In-Reply-To: <CAHbuEH6yR3zL6WoXUwZ=PyLe5=0TR6wpjyt2Nk4-YArWjsDajA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.61.9]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/isis-wg/1CT2oTPCSx7U4XluVkdvYtHdFiw>
Subject: Re: [Isis-wg] I-D Action: draft-ietf-isis-l2bundles-06.txt
X-BeenThere: isis-wg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF IS-IS working group <isis-wg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/isis-wg/>
List-Post: <mailto:isis-wg@ietf.org>
List-Help: <mailto:isis-wg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 May 2017 04:54:02 -0000

Kathleen -

> -----Original Message-----
> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
> Sent: Wednesday, May 24, 2017 7:35 PM
> To: Les Ginsberg (ginsberg)
> Cc: isis-wg@ietf.org; Mirja Kühlewind; Adam Roach; Eric Rescorla; Suresh
> Krishnan; Benoit Claise (bclaise); mjethanandani@gmail.com; Alissa Cooper;
> Alvaro Retana (aretana); Ben Campbell
> Subject: Re: [Isis-wg] I-D Action: draft-ietf-isis-l2bundles-06.txt
> 
> Hi Les,
> 
> On Wed, May 24, 2017 at 9:39 PM, Les Ginsberg (ginsberg)
> <ginsberg@cisco.com> wrote:
> > Kathleen -
> >
> >> -----Original Message-----
> >> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
> >> Sent: Wednesday, May 24, 2017 6:29 PM
> >> To: Les Ginsberg (ginsberg)
> >> Cc: isis-wg@ietf.org; Mirja Kühlewind; Adam Roach; Eric Rescorla;
> >> Suresh Krishnan; Benoit Claise (bclaise); mjethanandani@gmail.com;
> >> Alissa Cooper; Alvaro Retana (aretana); Ben Campbell
> >> Subject: Re: [Isis-wg] I-D Action: draft-ietf-isis-l2bundles-06.txt
> >>
> >> Hi Les,
> >>
> >> On Wed, May 24, 2017 at 9:16 PM, Les Ginsberg (ginsberg)
> >> <ginsberg@cisco.com> wrote:
> >> > Folks -
> >> >
> >> > This revision addresses a number of review comments received during
> >> IESG review.
> >> >
> >> > Here are some responses to some of the points raised by reviewers
> >> > (all
> >> reviewers have been copied on this email I hope).
> >> >
> >> > 1)Security section has been revised.
> >> >
> >> > 2)* Appendix A: The length value for "L2 Bundle Attribute Descriptors"
> >> > under "TLV for Adjacency #2" is wrong. It says 29 but it needs to
> >> > be
> >> > 32
> >> >
> >> > This has been corrected - thank you Suresh.
> >> > I also changed to using RFC5737 approved addresses in the examples.
> >> >
> >> > 3)Comments provided by Mahesh in his OPS DIR review and cited by
> >> > Benoit have been addressed
> >> >
> >> > 4)Alvaro commented:
> >> >
> >> >     " I would like to see some discussion related to the
> >> > "interface" with these
> >> external entities."
> >> >
> >> > I have added explicit text indicating this is out of scope. To
> >> > defend this here
> >> are several examples:
> >> >
> >> >    RFC 5305 does not discuss how link attribute information is
> >> > passed to TE
> >> applications
> >> >    Protocol documents do not define how information is passed to
> >> > PCE - we
> >> have PCE WG documents for that
> >> >    Protocol documents do not define how link state info is passed
> >> > to BGP-LS - we write separate BGP-LS drafts for that
> >> >
> >> > I hope my response suffices.
> >> >
> >> > 5)Kathleen Moriarty argued that advertisement of
> >> >    o  IPv4 Interface Address (sub-TLV 6 defined in [RFC5305])
> >> >    o  IPv6 Interface Address (sub-TLV 12 defined in [RFC6119])
> >> >    o  Link Local/Remote Identifiers (sub-TLV 4 defined in
> >> > [RFC5307])
> >> >
> >> > exposes new security issues.
> >>
> >> This was a question as opposed to an argument as I was trying to find
> >> all possible security issues to assist with adding a security
> >> considerations section.  I do see that path exposure is covered by
> >> the security considerations in other is-is documents.
> >>
> >> >
> >> > I disagree.
> >> >
> >> > Interface addresses are associated with the parent L3 link and are
> >> > already
> >> being advertised by IS-IS via existing TE extensions (e.g. RFC 5305, RFC
> 4205).
> >> > Link IDs for the L2 Links which are advertised are readily
> >> > available today via
> >> network management tools.
> >>
> >> Will these be referenced then in the security consideration section
> >> for completeness as it is still an issue?
> >>
> > [Les:] I did not do this. It is a difficult model to follow when writing a
> document if one is required to explain everything that is NOT an issue.
> 
> Let's try to work through this as it should be easy to resolve.
> Walking through the possibilities should help with EKR's discuss too.
> 
> This draft does add these sub-TLVs, so I would think some text would be
> appropriate, even to say this is already an issue (path and other information
> is already exposed since confidentiality is not provided).
> The draft adds the lag member identity and disaggregated info, is there
> anything that needs to be said about them?  We typically include text in
> drafts about security considerations specific to a draft or include a reference
> that explains existing known security considerations with a reference and I
> see you are the author on several from is-is that were nicely written (thanks
> for that).
> 

[Les:] I appreciate your intent and your willingness to work on proposed text. The point I would like to emphasize is that nothing being advertised in these extensions is new information. All of it is already being advertised by IS-IS for L3 links. The only thing new here is advertising this same information for links which are members of an L2 bundle. I do not believe that introduces new security concerns. But, here is proposed text - let me know if this will address your concerns.

" The IS-IS protocol has supported the advertisement of link attribute 
information, including link identifiers, for many years. The advertisements
defined in this document are identical to existing advertisements defined in
 [RFC4205], [RFC5305], [RFC7810], and [SR-IS-IS] - but are associated with L2 links
which are part of a bundle interface on which the IS-IS protocol operates. 
There are therefore no new security issues introduced by the extensions 
in this document.

As always, if the protocol is used in an environment where unauthorized
access to the physical links on which IS-IS PDUs are sent occurs then
attacks are possible. The use of cryptographic authentication as defined in
[RFC5304] and [5310] is recommended to prevent such attacks."

   Les



> > The new statement in the draft says:
> >
> > "No new security issues are introduced by the protocol extensions
> >    defined inn this document.  Security concerns for IS-IS are addressed
> >    in [RFC5304] and [RFC5310]."
> 
> These 2 references are about authentication and the text in prior drafts that
> use these references provide an explanation as to why they are included as
> references.
> 
> RFC7810 and RFC 7891 do include some helpful explanations for the security
> consideration section that might serve as good examples to
> follow.    I had included the following in my discuss as I thought the
> text in this RFC was helpful:
> 
>    Security concerns for IS-IS are already addressed in [ISO10589],
>    [RFC5304], and [RFC5310] and are applicable to the mechanisms
>    described in this document.  Extended authentication mechanisms
>    described in [RFC5304] or [RFC5310] SHOULD be used in deployments
>    where attackers have access to the physical networks, because nodes
>    included in the IS-IS domain are vulnerable.
> 
> Thank you,
> Kathleen
> 
> >
> > I believe this is both accurate and complete - and my comments above
> explain why.
> >
> >    Les
> >
> >> Thank you,
> >> Kathleen
> >>
> >> >
> >> > 6)The shepherd's report and some reviewers have mentioned that
> >> > there
> >> currently is no OSPF equivalent document.
> >> >
> >> > This statement is true, but I fail to see how this is relevant to
> >> > the progress
> >> of this IS-IS draft.
> >> > It is often the case that equivalent drafts are written for OSPF
> >> > and IS-IS
> >> because the same functionality may be required in deployments using
> >> either protocol. However we have never linked the progress of the two
> >> documents together - it is often the case that one document is
> >> written and proceeds before the other.
> >> >
> >> > I think it would be quite reasonable for OSPF to support equivalent
> >> functionality and it may be that someone - based on real deployment
> >> requirements (which is what has driven the writing of the IS-IS
> >> draft) - will write such a draft soon. But why this is deemed an
> >> issue for the progression of the IS-IS draft is a mystery to me.
> >> >
> >> > I do want to thank all the reviewers for their time and their
> >> > diligence. I think
> >> the document is significantly improved based on your comments.
> >> >
> >> >    Les
> >> >
> >> >> -----Original Message-----
> >> >> From: Isis-wg [mailto:isis-wg-bounces@ietf.org] On Behalf Of
> >> >> internet- drafts@ietf.org
> >> >> Sent: Wednesday, May 24, 2017 5:45 PM
> >> >> To: i-d-announce@ietf.org
> >> >> Cc: isis-wg@ietf.org
> >> >> Subject: [Isis-wg] I-D Action: draft-ietf-isis-l2bundles-06.txt
> >> >>
> >> >>
> >> >> A New Internet-Draft is available from the on-line Internet-Drafts
> >> directories.
> >> >> This draft is a work item of the IS-IS for IP Internets of the IETF.
> >> >>
> >> >>         Title           : Advertising L2 Bundle Member Link Attributes in IS-IS
> >> >>         Authors         : Les Ginsberg
> >> >>                           Ahmed Bashandy
> >> >>                           Clarence Filsfils
> >> >>                           Mohan Nanduri
> >> >>                           Ebben Aries
> >> >>       Filename        : draft-ietf-isis-l2bundles-06.txt
> >> >>       Pages           : 17
> >> >>       Date            : 2017-05-24
> >> >>
> >> >> Abstract:
> >> >>    There are deployments where the Layer 3 interface on which IS-IS
> >> >>    operates is a Layer 2 interface bundle.  Existing IS-IS
> >> >>    advertisements only support advertising link attributes of the Layer
> >> >>    3 interface.  If entities external to IS-IS wish to control traffic
> >> >>    flows on the individual physical links which comprise the Layer 2
> >> >>    interface bundle link attribute information about the bundle
> members
> >> >>    is required.
> >> >>
> >> >>    This document introduces the ability for IS-IS to advertise the link
> >> >>    attributes of layer 2 (L2) bundle members.
> >> >>
> >> >>
> >> >>
> >> >> The IETF datatracker status page for this draft is:
> >> >> https://datatracker.ietf.org/doc/draft-ietf-isis-l2bundles/
> >> >>
> >> >> There are also htmlized versions available at:
> >> >> https://tools.ietf.org/html/draft-ietf-isis-l2bundles-06
> >> >> https://datatracker.ietf.org/doc/html/draft-ietf-isis-l2bundles-06
> >> >>
> >> >> A diff from the previous version is available at:
> >> >> https://www.ietf.org/rfcdiff?url2=draft-ietf-isis-l2bundles-06
> >> >>
> >> >>
> >> >> Please note that it may take a couple of minutes from the time of
> >> >> submission until the htmlized version and diff are available at
> >> tools.ietf.org.
> >> >>
> >> >> Internet-Drafts are also available by anonymous FTP at:
> >> >> ftp://ftp.ietf.org/internet-drafts/
> >> >>
> >> >> _______________________________________________
> >> >> Isis-wg mailing list
> >> >> Isis-wg@ietf.org
> >> >> https://www.ietf.org/mailman/listinfo/isis-wg
> >>
> >>
> >>
> >> --
> >>
> >> Best regards,
> >> Kathleen
> 
> 
> 
> --
> 
> Best regards,
> Kathleen