Re: [Isis-wg] WG Last Call for for draft-ietf-isis-pcr

Eric Gray <eric.gray@ericsson.com> Wed, 02 September 2015 19:39 UTC

Return-Path: <eric.gray@ericsson.com>
X-Original-To: isis-wg@ietfa.amsl.com
Delivered-To: isis-wg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4EE01B3E9A for <isis-wg@ietfa.amsl.com>; Wed, 2 Sep 2015 12:39:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 59_t2pkriGli for <isis-wg@ietfa.amsl.com>; Wed, 2 Sep 2015 12:39:22 -0700 (PDT)
Received: from usevmg20.ericsson.net (usevmg20.ericsson.net [198.24.6.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DABF1B3A06 for <isis-wg@ietf.org>; Wed, 2 Sep 2015 12:39:22 -0700 (PDT)
X-AuditID: c618062d-f79ef6d000007f54-8a-55e6f253b1a1
Received: from EUSAAHC008.ericsson.se (Unknown_Domain [147.117.188.96]) by usevmg20.ericsson.net (Symantec Mail Security) with SMTP id D1.3F.32596.352F6E55; Wed, 2 Sep 2015 14:57:55 +0200 (CEST)
Received: from EUSAAMB107.ericsson.se ([147.117.188.124]) by EUSAAHC008.ericsson.se ([147.117.188.96]) with mapi id 14.03.0248.002; Wed, 2 Sep 2015 15:39:20 -0400
From: Eric Gray <eric.gray@ericsson.com>
To: "draft-ietf-isis-pcr-all@tools.ietf.org" <draft-ietf-isis-pcr-all@tools.ietf.org>
Thread-Topic: [Isis-wg] WG Last Call for for draft-ietf-isis-pcr
Thread-Index: AQHQ4ZIamA/X5PcKM06mmdE8/iKsFp4mHMAAgAAo3vCAAaRGgIABshfQgAAGF4A=
Date: Wed, 2 Sep 2015 19:39:20 +0000
Message-ID: <48E1A67CB9CA044EADFEAB87D814BFF6448CB62C@eusaamb107.ericsson.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [147.117.188.9]
Content-Type: multipart/alternative; boundary="_000_48E1A67CB9CA044EADFEAB87D814BFF6448CB62Ceusaamb107erics_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrKLMWRmVeSWpSXmKPExsUyuXRPgm7wp2ehBl0rDS2mbT7IbHFtcwOj xcETDcwWRw+9Z3Vg8bh3dzGTx6Pt8R5Llvxk8vhy+TNbAEsUl01Kak5mWWqRvl0CV8bbGTdZ CpbMY6qY+r2drYHxyTSmLkYODgkBE4kXF4FMTiBTTOLCvfVsXYxcHEICRxkl/jy4wwjhLGOU aLv3AayKTUBD4tidtYwgtohAuMS0rnMsIEXMApMZJR7c2wOWEBawl5i65hcbRJGDxJY/j5gg bD+JI1veMIPYLAIqEis+rGQHsXkFfCXun5oCFmcEOuP7qTVg9cwC4hK3nsyHOk9AYsme88wQ tqjEy8f/WCFsRYl9/dPZIerzJV6dXcoGMVNQ4uTMJywTGIVnIRk1C0nZLCRls4CBwSygKbF+ lz5EiaLElO6H7BC2hkTrnLnsyOILGNlXMXKUFqeW5aYbGWxiBMbTMQk23R2Me15aHmIU4GBU 4uF9IP8sVIg1say4MvcQozQHi5I47/4l90OFBNITS1KzU1MLUovii0pzUosPMTJxcEo1MK7b vuXhijMeckbJpZwJjEeONdy4KvZkxdqXxk8ubY1QtIsJ2mgYs2Idi+ITI/uuGvFGWynx/ddv LfgfNpNj8yGllvhjt92+OTMe8xQ6/or16McDvOVp6zfMfF7y67XS5YkuuQnbulb32VuLn/Jd 1St+4vY5pueeFxMelfm9+vktxyo60klx3WwlluKMREMt5qLiRABrQfW4iAIAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/isis-wg/5UDDdk-94vknyYmnO3bMd0PBhoc>
Cc: Hannes Gredler <hannes@gredler.at>, Christian Hopps <chopps@chopps.org>, ISIS-WG <isis-wg@ietf.org>
Subject: Re: [Isis-wg] WG Last Call for for draft-ietf-isis-pcr
X-BeenThere: isis-wg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF IS-IS working group <isis-wg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/isis-wg/>
List-Post: <mailto:isis-wg@ietf.org>
List-Help: <mailto:isis-wg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Sep 2015 19:39:25 -0000

Authors,

                I have the following comments on the draft…

                We start section 4 with the statement: “An explicit tree is determined by a Path Computation
Element (PCE) …”

                I believe that explicit trees may be determined without using a PCE, even if we might prefer
to use a PCE.  One could, for example, construct one on paper.

I suspect we could say:


-          “Explicit trees may be determined in some fashion.  For example, an explicit tree may be

determined by a Path Computation Element (PCE) [RFC4655].  A PCE is an entity that is

capable of computing a topology for forwarding based on a network topology, its

corresponding attributes, and potential constraints.  If a PCE is used, it MUST explicitly

describe a forwarding tree as described in Section 6.1.  Either a single PCE or multiple

PCEs determine explicit trees for a domain.  Even if there are multiple PCEs in a domain,

each explicit tree MUST be determined only by one PCE, which is referred to as the owner

PCE of that tree.  PCEs and IS-IS PCR can  be used in combination with IS-IS shortest path

bridging.



“The remainder of this section, and subsequent sections, are written assuming PCE use.”



A few minor points (reflected in the above re-wording):

-          “MUST be only determined by one PCE” is awkward (implies everything else has to be done by

another PCE).

-          “SPB shortest path routing” is either redundant or incorrect.

-          It would  be very difficult to re-write the section to avoid dependence on PCE, but I suspect a

statement to the effect that PCE is assumed will allow it to be read without loss of generality.

-          I left out the bit about not being required to follow shortest path as this seems obvious.

I am not sure how the second paragraph in the security considerations section is related to security, as
it is currently worded.

As I understand it, the issue that the paragraph aims to address has to do with a vulnerability that may
exist when multiple PCEs are used and may be independently managed.  In particular, the importance
parameter could be used maliciously by one PCE to ensure that it gets reservations.

This is simply one variation of a general PCE issue; an independently managed, non-cooperating PCE is
indistinguishable from a PCE impersonation (in the sense used in the Security Considerations section of
RFC 4655).

We may want to consider replacing the current second paragraph with the following two paragraphs.

Any mechanism that chooses forwarding paths, and allocates resources to those paths, is potentially
vulnerable to attack.  The security considerations section of RFC 4655 describes the risks associated
with the use of PCE for this purpose and should be referred to.  Use of any other means to determine
paths should only be used after considering similar concerns.

Because the mechanism assumed for distributing tree information relies on IS-IS routing, IS-IS routing
security considerations (Section 6, RFC 1195) and mechanisms (e.g. – RFC 5310)  used to authenticate
peer advertisements apply.

--
Eric

Subject:

[Isis-wg] WG Last Call for for draft-ietf-isis-pcr

Date:

Mon, 24 Aug 2015 09:54:27 -0400

From:

Christian Hopps <chopps@chopps.org><mailto:chopps@chopps.org>

To:

ISIS-WG <isis-wg@ietf.org><mailto:isis-wg@ietf.org>

CC:

Hannes Gredler <hannes@gredler.at><mailto:hannes@gredler.at>



Hi Folks,



We are starting a WG Last Call on the following draft.



“IS-IS Path Computation and Reservation”

https://datatracker.ietf.org/doc/draft-ietf-isis-pcr/



The LC is set to expire 3 weeks from now (allowing for common vacation

time) on Monday, September 14, 2015.



Thanks,

Chris & Hannes.



_______________________________________________

Isis-wg mailing list

Isis-wg@ietf.org<mailto:Isis-wg@ietf.org>

https://www.ietf.org/mailman/listinfo/isis-wg