IETF Logo Mail Archive

Re: [Isis-wg] Alissa Cooper's Discuss on draft-ietf-isis-te-metric-extensions-09: (with DISCUSS and COMMENT)

Alissa Cooper <alissa@cooperw.in> Tue, 02 February 2016 17:41 UTC

Return-Path: <alissa@cooperw.in>
X-Original-To: isis-wg@ietfa.amsl.com
Delivered-To: isis-wg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 373A91B2DCF for <isis-wg@ietfa.amsl.com>; Tue, 2 Feb 2016 09:41:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Eb-yTPuQkzOd for <isis-wg@ietfa.amsl.com>; Tue, 2 Feb 2016 09:41:46 -0800 (PST)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C69131B29E9 for <isis-wg@ietf.org>; Tue, 2 Feb 2016 09:41:46 -0800 (PST)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id B424E21452 for <isis-wg@ietf.org>; Tue, 2 Feb 2016 12:41:45 -0500 (EST)
Received: from frontend2 ([10.202.2.161]) by compute6.internal (MEProxy); Tue, 02 Feb 2016 12:41:45 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=cooperw.in; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=KcSbhL2/w0QB1mxTo2Bgw6VcC68=; b=AXo/3I vSwxeLZIKIa8MO8d4FVwPwNkOnYU38u02ayIVT325qG0n/5GkmfXN1Ni97EqtoT0 851GYh+gcAMaifuuvrfQpva3oGZZd+7cHOeF/ZCeb2tnWhgRTDH2Xg+Qsse6CwjN QQ6n3d8hcjRedpEH1cwCaTExTtT4tiK6uZHNY=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=KcSbhL2/w0QB1mx To2Bgw6VcC68=; b=sdlpM/qjU7/DSGpwEoxXv0+O1UetBYg9BZZJNSzKEPnXDpy BIfXHAsFd8Ju/6Pnoa4YJozlVMEIUHpatO3QxUxhtjPaqsgNuF50u1ztS2Y55Paj KoFC7rPfet1tuf474uG7OhOG96UXllBrzJGcm0Pcye9hyPApALbDlYazdT2I=
X-Sasl-enc: XzbLixYlTuV8So+hTjFOCAUCxnsMmtcitjkR5ibPpKza 1454434905
Received: from dhcp-171-68-20-64.cisco.com (dhcp-171-68-20-64.cisco.com [171.68.20.64]) by mail.messagingengine.com (Postfix) with ESMTPA id BC12B68015A; Tue, 2 Feb 2016 12:41:44 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Alissa Cooper <alissa@cooperw.in>
In-Reply-To: <0313B05C-9CAF-4629-A598-C97CFE33AF8F@cisco.com>
Date: Tue, 02 Feb 2016 09:41:43 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <96D0C84E-DCAC-4905-B0C0-9085010CB7B1@cooperw.in>
References: <20160202000623.2041.75747.idtracker@ietfa.amsl.com> <0313B05C-9CAF-4629-A598-C97CFE33AF8F@cisco.com>
To: "Stefano Previdi (sprevidi)" <sprevidi@cisco.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/isis-wg/8qpRkDX7mtoqM9EObg-uOQ9favE>
X-Mailman-Approved-At: Tue, 02 Feb 2016 19:35:26 -0800
Cc: "isis-wg@ietf.org" <isis-wg@ietf.org>, "draft-ietf-isis-te-metric-extensions@ietf.org" <draft-ietf-isis-te-metric-extensions@ietf.org>, IESG <iesg@ietf.org>, "isis-chairs@ietf.org" <isis-chairs@ietf.org>
Subject: Re: [Isis-wg] Alissa Cooper's Discuss on draft-ietf-isis-te-metric-extensions-09: (with DISCUSS and COMMENT)
X-BeenThere: isis-wg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF IS-IS working group <isis-wg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/isis-wg/>
List-Post: <mailto:isis-wg@ietf.org>
List-Help: <mailto:isis-wg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Feb 2016 17:41:49 -0000

Hi Stefano,

> On Feb 2, 2016, at 7:49 AM, Stefano Previdi (sprevidi) <sprevidi@cisco.com> wrote:
> 
> Hi Alissa,
> 
> 
> thanks for the comments, see below.
> 
> 
>> On Feb 2, 2016, at 1:06 AM, Alissa Cooper <alissa@cooperw.in> wrote:
>> 
>> Alissa Cooper has entered the following ballot position for
>> draft-ietf-isis-te-metric-extensions-09: Discuss
>> 
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>> 
>> 
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>> 
>> 
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-isis-te-metric-extensions/
>> 
>> 
>> 
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>> 
>> (1) There seems to be some inconsistency in the way the A-bit is
>> described as applied to the min/max delay sub-TLV. Section 4.2 says:
>> 
>> "A-bit.  The A-bit represents the Anomalous (A) bit.  The A-bit is set
>>  when the measured value of this parameter exceeds its configured
>>  maximum threshold.  The A bit is cleared when the measured value
>>  falls below its configured reuse threshold.  If the A-bit is clear,
>>  the sub-TLV represents steady state link performance."
>> 
>> Is the A-bit meant to apply only to the min delay? Or only to the max
>> delay?
> 
> 
> As stated, is the value of max-delay that triggers the setting of the a-bit and it is used to indicate that something is going wrong with that link.

What do you mean “as stated”? The text does not say whether the A-bit is triggered by min delay or max delay. It says it is triggered by “this parameter,” but there are two parameters in the sub-TLV.

> 
> 
>> Then Section 5 says:
>> 
>> "For sub-TLVs which include an A-bit (except min/max
>>     delay), an additional threshold SHOULD be included
>>     corresponding to the threshold for which the performance
>>     is considered anomalous (and sub-TLVs with the A-bit are
>>     sent)."
>> 
>> Since min/max delay is excepted from this recommendation, I don't
>> understand what the A-bit means in the min/max delay sub-TLV.
> 
> 
> if delay is higher than a configured value the a-bit is set.

Min delay? Or max delay? And if the min/max delay sub-TLV includes the A-bit a specified in 4.2, why is it excepted from this recommendation?

> Typically, the receiver of the subTLV will take the indication that something is happening on that list (i.e.: it is not steady state).
> 
> 
>> (2) Section 11 says:
>> 
>> "This document does not introduce security issues beyond those
>>  discussed in [RFC5305]."
>> 
>> This seems false. First, RFC 5305 doesn't seem to discuss any security
>> issues. It points to RFC 5304. But even compared to RFC 5304, it seems
>> this document does introduce new issues, because it exposes real-time
>> performance information about the network which may be commercially
>> sensitive, and which RFC 5305 does not expose.
> 
> 
> well, RFC5305 already advertises allocated BW information which may also be considered sensitive.

Agree, this is missing from RFC 5305, even more reason not to rely on it in total for its security considerations.

> 
> 
>> So, for example, the claim
>> in RFC 5304 that "Because a routing protocol contains information that
>> need not be kept secret, privacy is not a requirement," does not seem
>> true. It may be that the same authentication mechanisms can be used, but
>> that doesn't mean the threat model is the same.
> 
> 
> Probably we could re-phrase the first paragraph of section 11:
> 
>   "The subTLVs introduced in this document allow an operator 
>    to advertise state information of links (bandwidth, delay) 
>    that could be sensitive and that an operator may not want 
>    to disclose." 

WFM

Alissa

> 
> then the existing text about authentication illustrates how security is addressed.
> 
> 
>> Happy to defer to others with more routing security clue than I, but it
>> seems like at a minimum the potential value of the information contained
>> in the new sub-TLVs to an attacker needs to be acknowledged.
> 
> 
> as the result of another DISCUSS we added following text:
> 
>   [RFC5304] describes an authentication method for IS-IS LSP that
>   allows cryptographic authentication of IS-IS LSPs.
> 
>   It is anticipated that in most deployments, IS-IS protocol is used
>   within an infrastructure entirely under control of the dame operator.
>   However, it is worth to consider that the effect of sending IS-IS
>   Traffic Engineering sub-TLVs over insecure links could result in a
>   man-in-the-middle attacker delaying real time data to a given site
>   (or destination), which could negatively affect the value of the data
>   for that site/destination.  The use of LSP cryptographic
>   authentication allows to mitigate the risk of man-in-the-middle
>   attack.
> 
> this should address your comments. Let me know if it’s not the case.
> 
> 
>> 
>> 
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>> 
>> (1) In Section 5:
>> 
>> OLD
>> Min and max delay MAY be the lowest and/or highest measured value
>>  over a measurement interval
>> 
>> NEW   
>> Min and max delay MAY be the lowest and highest measured value
>>  over a measurement interval, respectively,
> 
> 
> ok.
> 
> 
>> 
>> (2) Section 11 says:
>> 
>> "It is anticipated that in most deployments, IS-IS protocol is used
>>  within an infrastructure entirely under control of the dame
>> operator."
>> 
>> But Section 1 says:
>> 
>> "The data distributed by the IS-IS TE Metric Extensions proposed in
>>  this document is meant to be used as part of the operation of the
>>  routing protocol (e.g. by replacing cost with latency or considering
>>  bandwidth as well as cost), by enhancing Constrained-SPF (CSPF), or
>>  for other uses such as supplementing the data used by an ALTO server
>>  [RFC7285].”
> 
> 
> well, the two statement above are consistent with each other.
> 
> 
>> 
>> In the ALTO case at least it would seem like the point of using this data
>> would be to inform applications (outside the control of the operator)
>> about the cost of routing traffic a certain way. I think this section
>> could be more clear about the expectation that the performance data it
>> exposes may be factored into such costs that get published outside the
>> operator network.
> 
> 
> ALTO defines an api through which an operator controls what is exposed or not so still the control is on the operator hands.
> 
> s.
> 
> 
>> 
>> 
>

v2.23.0 | Report a Bug | By Email