Re: [Isis-wg] I-D Action: draft-ietf-isis-l2bundles-06.txt
"Les Ginsberg (ginsberg)" <ginsberg@cisco.com> Thu, 25 May 2017 14:24 UTC
Return-Path: <ginsberg@cisco.com>
X-Original-To: isis-wg@ietfa.amsl.com
Delivered-To: isis-wg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5266A1293FD for <isis-wg@ietfa.amsl.com>; Thu, 25 May 2017 07:24:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.523
X-Spam-Level:
X-Spam-Status: No, score=-14.523 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pY2UlUMrl2b3 for <isis-wg@ietfa.amsl.com>; Thu, 25 May 2017 07:24:55 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 259BF1243F3 for <isis-wg@ietf.org>; Thu, 25 May 2017 07:24:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=17322; q=dns/txt; s=iport; t=1495722295; x=1496931895; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=0+5W3T79QPeEGX7x6XY+WdH/MCaAszJqy7enz5NAg/s=; b=kBUh6jOTLIgwTZWU+LJKaeacyT2pahT0nhO5F9y2D+wooFe9C2IGl9HP Pqk2xwmVK5Ap4UohC+2ejgU0YdRVXapWPNOi7nEGAf6Q0r4ZXw3bBcamN aox/3fqQX2pJhAw0oB4OlBgXtZyVoWWux3K7YSf4EV0N7JSIQ5pRTnvTg U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CnAADs5yZZ/4cNJK1UCRkBAQEBAQEBAQEBAQcBAQEBAYNVYoENB4NoihiRXYgojVCCDyELhXgCGoJjPxgBAgEBAQEBAQFrKIUYAQEBAQMBASEROgsMBAIBCBEEAQEBAgIjAwICAh8GCxQBCAgCBA4FCIoJAxUQrleCJocxDYQHAQEBAQEBAQEBAQEBAQEBAQEBAQEBHYELhVSBXQGCEIEMgldNgRMICgFCgmyCYAWdaDsBhx+HMIRPgg9VhGeKNYsyiRsBHzh/C3MVHCqEexyBY3YBhnWBIQGBDAEBAQ
X-IronPort-AV: E=Sophos;i="5.38,391,1491264000"; d="scan'208";a="431306169"
Received: from alln-core-2.cisco.com ([173.36.13.135]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 25 May 2017 14:24:53 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by alln-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id v4PEOrr8031958 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 25 May 2017 14:24:53 GMT
Received: from xch-aln-001.cisco.com (173.36.7.11) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Thu, 25 May 2017 09:24:52 -0500
Received: from xch-aln-001.cisco.com ([173.36.7.11]) by XCH-ALN-001.cisco.com ([173.36.7.11]) with mapi id 15.00.1210.000; Thu, 25 May 2017 09:24:52 -0500
From: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
CC: "isis-wg@ietf.org" <isis-wg@ietf.org>, Mirja Kühlewind <ietf@kuehlewind.net>, Adam Roach <adam@nostrum.com>, Eric Rescorla <ekr@rtfm.com>, Suresh Krishnan <suresh.krishnan@gmail.com>, "Benoit Claise (bclaise)" <bclaise@cisco.com>, "mjethanandani@gmail.com" <mjethanandani@gmail.com>, Alissa Cooper <alissa@cooperw.in>, "Alvaro Retana (aretana)" <aretana@cisco.com>, Ben Campbell <ben@nostrum.com>
Thread-Topic: [Isis-wg] I-D Action: draft-ietf-isis-l2bundles-06.txt
Thread-Index: AQHS1PAo4KdfACMqLUawlr6I8TMo4KIEOBAAgABedQD//64hsIAAZF4A///QigCAAMeAAP//2jSQ
Date: Thu, 25 May 2017 14:24:52 +0000
Message-ID: <729a4dd6517f45c3aa9175f609ea57d6@XCH-ALN-001.cisco.com>
References: <149567309799.8624.16080269380002810311@ietfa.amsl.com> <9b951044ae6b4bc69012fffe393ceefc@XCH-ALN-001.cisco.com> <CAHbuEH6fNcTEvt6m5UOk+Qj_+HuzG_HfUpfD=A7zk75xoomtVg@mail.gmail.com> <f0893e23975b44228803df5510ad6198@XCH-ALN-001.cisco.com> <CAHbuEH6yR3zL6WoXUwZ=PyLe5=0TR6wpjyt2Nk4-YArWjsDajA@mail.gmail.com> <8bf15bb4c0cc42ba9cb480efa60508d6@XCH-ALN-001.cisco.com> <07C87855-77EE-43AB-A178-DC7448E68769@gmail.com>
In-Reply-To: <07C87855-77EE-43AB-A178-DC7448E68769@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [128.107.147.95]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/isis-wg/AuKvsX1OtHc97ebXdoAjG8oW7F8>
Subject: Re: [Isis-wg] I-D Action: draft-ietf-isis-l2bundles-06.txt
X-BeenThere: isis-wg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF IS-IS working group <isis-wg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/isis-wg/>
List-Post: <mailto:isis-wg@ietf.org>
List-Help: <mailto:isis-wg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 May 2017 14:24:57 -0000
Kathleen - Thanx for your assistance - https://www.ietf.org/internet-drafts/draft-ietf-isis-l2bundles-07.txt has been posted. Les > -----Original Message----- > From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com] > Sent: Thursday, May 25, 2017 4:39 AM > To: Les Ginsberg (ginsberg) > Cc: isis-wg@ietf.org; Mirja Kühlewind; Adam Roach; Eric Rescorla; Suresh > Krishnan; Benoit Claise (bclaise); mjethanandani@gmail.com; Alissa Cooper; > Alvaro Retana (aretana); Ben Campbell > Subject: Re: [Isis-wg] I-D Action: draft-ietf-isis-l2bundles-06.txt > > Hi Les, > > Thank you, this text is much better and it is helpful to detail the full set of > considerations. I'll clear my discuss once this has been posted. > > Best regards, > Kathleen > > Sent from my iPhone > > > On May 25, 2017, at 12:53 AM, Les Ginsberg (ginsberg) > <ginsberg@cisco.com> wrote: > > > > Kathleen - > > > >> -----Original Message----- > >> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com] > >> Sent: Wednesday, May 24, 2017 7:35 PM > >> To: Les Ginsberg (ginsberg) > >> Cc: isis-wg@ietf.org; Mirja Kühlewind; Adam Roach; Eric Rescorla; > >> Suresh Krishnan; Benoit Claise (bclaise); mjethanandani@gmail.com; > >> Alissa Cooper; Alvaro Retana (aretana); Ben Campbell > >> Subject: Re: [Isis-wg] I-D Action: draft-ietf-isis-l2bundles-06.txt > >> > >> Hi Les, > >> > >> On Wed, May 24, 2017 at 9:39 PM, Les Ginsberg (ginsberg) > >> <ginsberg@cisco.com> wrote: > >>> Kathleen - > >>> > >>>> -----Original Message----- > >>>> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com] > >>>> Sent: Wednesday, May 24, 2017 6:29 PM > >>>> To: Les Ginsberg (ginsberg) > >>>> Cc: isis-wg@ietf.org; Mirja Kühlewind; Adam Roach; Eric Rescorla; > >>>> Suresh Krishnan; Benoit Claise (bclaise); mjethanandani@gmail.com; > >>>> Alissa Cooper; Alvaro Retana (aretana); Ben Campbell > >>>> Subject: Re: [Isis-wg] I-D Action: draft-ietf-isis-l2bundles-06.txt > >>>> > >>>> Hi Les, > >>>> > >>>> On Wed, May 24, 2017 at 9:16 PM, Les Ginsberg (ginsberg) > >>>> <ginsberg@cisco.com> wrote: > >>>>> Folks - > >>>>> > >>>>> This revision addresses a number of review comments received > >>>>> during > >>>> IESG review. > >>>>> > >>>>> Here are some responses to some of the points raised by reviewers > >>>>> (all > >>>> reviewers have been copied on this email I hope). > >>>>> > >>>>> 1)Security section has been revised. > >>>>> > >>>>> 2)* Appendix A: The length value for "L2 Bundle Attribute > Descriptors" > >>>>> under "TLV for Adjacency #2" is wrong. It says 29 but it needs to > >>>>> be > >>>>> 32 > >>>>> > >>>>> This has been corrected - thank you Suresh. > >>>>> I also changed to using RFC5737 approved addresses in the examples. > >>>>> > >>>>> 3)Comments provided by Mahesh in his OPS DIR review and cited by > >>>>> Benoit have been addressed > >>>>> > >>>>> 4)Alvaro commented: > >>>>> > >>>>> " I would like to see some discussion related to the > >>>>> "interface" with these > >>>> external entities." > >>>>> > >>>>> I have added explicit text indicating this is out of scope. To > >>>>> defend this here > >>>> are several examples: > >>>>> > >>>>> RFC 5305 does not discuss how link attribute information is > >>>>> passed to TE > >>>> applications > >>>>> Protocol documents do not define how information is passed to > >>>>> PCE - we > >>>> have PCE WG documents for that > >>>>> Protocol documents do not define how link state info is passed > >>>>> to BGP-LS - we write separate BGP-LS drafts for that > >>>>> > >>>>> I hope my response suffices. > >>>>> > >>>>> 5)Kathleen Moriarty argued that advertisement of > >>>>> o IPv4 Interface Address (sub-TLV 6 defined in [RFC5305]) > >>>>> o IPv6 Interface Address (sub-TLV 12 defined in [RFC6119]) > >>>>> o Link Local/Remote Identifiers (sub-TLV 4 defined in > >>>>> [RFC5307]) > >>>>> > >>>>> exposes new security issues. > >>>> > >>>> This was a question as opposed to an argument as I was trying to > >>>> find all possible security issues to assist with adding a security > >>>> considerations section. I do see that path exposure is covered by > >>>> the security considerations in other is-is documents. > >>>> > >>>>> > >>>>> I disagree. > >>>>> > >>>>> Interface addresses are associated with the parent L3 link and are > >>>>> already > >>>> being advertised by IS-IS via existing TE extensions (e.g. RFC > >>>> 5305, RFC > >> 4205). > >>>>> Link IDs for the L2 Links which are advertised are readily > >>>>> available today via > >>>> network management tools. > >>>> > >>>> Will these be referenced then in the security consideration section > >>>> for completeness as it is still an issue? > >>>> > >>> [Les:] I did not do this. It is a difficult model to follow when > >>> writing a > >> document if one is required to explain everything that is NOT an issue. > >> > >> Let's try to work through this as it should be easy to resolve. > >> Walking through the possibilities should help with EKR's discuss too. > >> > >> This draft does add these sub-TLVs, so I would think some text would > >> be appropriate, even to say this is already an issue (path and other > >> information is already exposed since confidentiality is not provided). > >> The draft adds the lag member identity and disaggregated info, is > >> there anything that needs to be said about them? We typically > >> include text in drafts about security considerations specific to a > >> draft or include a reference that explains existing known security > >> considerations with a reference and I see you are the author on > >> several from is-is that were nicely written (thanks for that). > >> > > > > [Les:] I appreciate your intent and your willingness to work on proposed > text. The point I would like to emphasize is that nothing being advertised in > these extensions is new information. All of it is already being advertised by > IS-IS for L3 links. The only thing new here is advertising this same information > for links which are members of an L2 bundle. I do not believe that introduces > new security concerns. But, here is proposed text - let me know if this will > address your concerns. > > > > " The IS-IS protocol has supported the advertisement of link attribute > > information, including link identifiers, for many years. The > > advertisements defined in this document are identical to existing > > advertisements defined in [RFC4205], [RFC5305], [RFC7810], and > > [SR-IS-IS] - but are associated with L2 links which are part of a bundle > interface on which the IS-IS protocol operates. > > There are therefore no new security issues introduced by the > > extensions in this document. > > > > As always, if the protocol is used in an environment where > > unauthorized access to the physical links on which IS-IS PDUs are sent > > occurs then attacks are possible. The use of cryptographic > > authentication as defined in [RFC5304] and [5310] is recommended to > prevent such attacks." > > > > Les > > > > > > > >>> The new statement in the draft says: > >>> > >>> "No new security issues are introduced by the protocol extensions > >>> defined inn this document. Security concerns for IS-IS are addressed > >>> in [RFC5304] and [RFC5310]." > >> > >> These 2 references are about authentication and the text in prior > >> drafts that use these references provide an explanation as to why > >> they are included as references. > >> > >> RFC7810 and RFC 7891 do include some helpful explanations for the > >> security consideration section that might serve as good examples to > >> follow. I had included the following in my discuss as I thought the > >> text in this RFC was helpful: > >> > >> Security concerns for IS-IS are already addressed in [ISO10589], > >> [RFC5304], and [RFC5310] and are applicable to the mechanisms > >> described in this document. Extended authentication mechanisms > >> described in [RFC5304] or [RFC5310] SHOULD be used in deployments > >> where attackers have access to the physical networks, because nodes > >> included in the IS-IS domain are vulnerable. > >> > >> Thank you, > >> Kathleen > >> > >>> > >>> I believe this is both accurate and complete - and my comments above > >> explain why. > >>> > >>> Les > >>> > >>>> Thank you, > >>>> Kathleen > >>>> > >>>>> > >>>>> 6)The shepherd's report and some reviewers have mentioned that > >>>>> there > >>>> currently is no OSPF equivalent document. > >>>>> > >>>>> This statement is true, but I fail to see how this is relevant to > >>>>> the progress > >>>> of this IS-IS draft. > >>>>> It is often the case that equivalent drafts are written for OSPF > >>>>> and IS-IS > >>>> because the same functionality may be required in deployments using > >>>> either protocol. However we have never linked the progress of the > >>>> two documents together - it is often the case that one document is > >>>> written and proceeds before the other. > >>>>> > >>>>> I think it would be quite reasonable for OSPF to support > >>>>> equivalent > >>>> functionality and it may be that someone - based on real deployment > >>>> requirements (which is what has driven the writing of the IS-IS > >>>> draft) - will write such a draft soon. But why this is deemed an > >>>> issue for the progression of the IS-IS draft is a mystery to me. > >>>>> > >>>>> I do want to thank all the reviewers for their time and their > >>>>> diligence. I think > >>>> the document is significantly improved based on your comments. > >>>>> > >>>>> Les > >>>>> > >>>>>> -----Original Message----- > >>>>>> From: Isis-wg [mailto:isis-wg-bounces@ietf.org] On Behalf Of > >>>>>> internet- drafts@ietf.org > >>>>>> Sent: Wednesday, May 24, 2017 5:45 PM > >>>>>> To: i-d-announce@ietf.org > >>>>>> Cc: isis-wg@ietf.org > >>>>>> Subject: [Isis-wg] I-D Action: draft-ietf-isis-l2bundles-06.txt > >>>>>> > >>>>>> > >>>>>> A New Internet-Draft is available from the on-line > >>>>>> Internet-Drafts > >>>> directories. > >>>>>> This draft is a work item of the IS-IS for IP Internets of the IETF. > >>>>>> > >>>>>> Title : Advertising L2 Bundle Member Link Attributes in IS-IS > >>>>>> Authors : Les Ginsberg > >>>>>> Ahmed Bashandy > >>>>>> Clarence Filsfils > >>>>>> Mohan Nanduri > >>>>>> Ebben Aries > >>>>>> Filename : draft-ietf-isis-l2bundles-06.txt > >>>>>> Pages : 17 > >>>>>> Date : 2017-05-24 > >>>>>> > >>>>>> Abstract: > >>>>>> There are deployments where the Layer 3 interface on which IS-IS > >>>>>> operates is a Layer 2 interface bundle. Existing IS-IS > >>>>>> advertisements only support advertising link attributes of the Layer > >>>>>> 3 interface. If entities external to IS-IS wish to control traffic > >>>>>> flows on the individual physical links which comprise the Layer 2 > >>>>>> interface bundle link attribute information about the bundle > >> members > >>>>>> is required. > >>>>>> > >>>>>> This document introduces the ability for IS-IS to advertise the link > >>>>>> attributes of layer 2 (L2) bundle members. > >>>>>> > >>>>>> > >>>>>> > >>>>>> The IETF datatracker status page for this draft is: > >>>>>> https://datatracker.ietf.org/doc/draft-ietf-isis-l2bundles/ > >>>>>> > >>>>>> There are also htmlized versions available at: > >>>>>> https://tools.ietf.org/html/draft-ietf-isis-l2bundles-06 > >>>>>> https://datatracker.ietf.org/doc/html/draft-ietf-isis-l2bundles-0 > >>>>>> 6 > >>>>>> > >>>>>> A diff from the previous version is available at: > >>>>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-isis-l2bundles-06 > >>>>>> > >>>>>> > >>>>>> Please note that it may take a couple of minutes from the time of > >>>>>> submission until the htmlized version and diff are available at > >>>> tools.ietf.org. > >>>>>> > >>>>>> Internet-Drafts are also available by anonymous FTP at: > >>>>>> ftp://ftp.ietf.org/internet-drafts/ > >>>>>> > >>>>>> _______________________________________________ > >>>>>> Isis-wg mailing list > >>>>>> Isis-wg@ietf.org > >>>>>> https://www.ietf.org/mailman/listinfo/isis-wg > >>>> > >>>> > >>>> > >>>> -- > >>>> > >>>> Best regards, > >>>> Kathleen > >> > >> > >> > >> -- > >> > >> Best regards, > >> Kathleen
- [Isis-wg] I-D Action: draft-ietf-isis-l2bundles-0… internet-drafts
- Re: [Isis-wg] I-D Action: draft-ietf-isis-l2bundl… Les Ginsberg (ginsberg)
- Re: [Isis-wg] I-D Action: draft-ietf-isis-l2bundl… Kathleen Moriarty
- Re: [Isis-wg] I-D Action: draft-ietf-isis-l2bundl… Les Ginsberg (ginsberg)
- Re: [Isis-wg] I-D Action: draft-ietf-isis-l2bundl… Eric Rescorla
- Re: [Isis-wg] I-D Action: draft-ietf-isis-l2bundl… Kathleen Moriarty
- Re: [Isis-wg] I-D Action: draft-ietf-isis-l2bundl… Les Ginsberg (ginsberg)
- Re: [Isis-wg] I-D Action: draft-ietf-isis-l2bundl… Kathleen Moriarty
- Re: [Isis-wg] I-D Action: draft-ietf-isis-l2bundl… Alvaro Retana (aretana)
- Re: [Isis-wg] I-D Action: draft-ietf-isis-l2bundl… Eric Rescorla
- Re: [Isis-wg] I-D Action: draft-ietf-isis-l2bundl… Les Ginsberg (ginsberg)
- Re: [Isis-wg] I-D Action: draft-ietf-isis-l2bundl… Kathleen Moriarty
- Re: [Isis-wg] I-D Action: draft-ietf-isis-l2bundl… Alia Atlas