Re: [Isis-wg] [Technical Errata Reported] RFC5310 (2462)
"Les Ginsberg (ginsberg)" <ginsberg@cisco.com> Fri, 13 August 2010 18:25 UTC
Date: Fri, 13 Aug 2010 11:25:44 -0700
Message-ID: <AE36820147909644AD2A7CA014B1FB520BA22E92@xmb-sjc-222.amer.cisco.com>
In-Reply-To: <DBCA1447-F194-41A5-9CAF-67AF4644D5E5@tony.li>
References: <20100812185517.34298E06D7@rfc-editor.org><7C362EEF9C7896468B36C9B79200D8350CD03DB216@INBANSXCHMBSA1.in.alcatel-lucent.com> <DBCA1447-F194-41A5-9CAF-67AF4644D5E5@tony.li>
From: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>
To: Tony Li <tony.li@tony.li>, "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
Cc: chopps@rawdofmt.org, isis-wg@ietf.org, rja@extremenetworks.com, mfanto@aegisdatasecurity.com, adrian.farrel@huawei.com, riw@cisco.com, RFC Errata System <rfc-editor@rfc-editor.org>
Subject: Re: [Isis-wg] [Technical Errata Reported] RFC5310 (2462)
Tony - In the context of the discussion regarding draft-ietf-isis-purge-tlv-03.txt, what is the point of clarifying/correcting RFC5310 in this way given that we now need to update this behavior to allow TLVs other than the authentication TLV in purged LSPs?

I would also point out that draft-ietf-isis-mi-03.txt also stipulates that the instance TLV MUST be retained in purged LSPs (see the last paragraph of Section 2.1) - so we now have two cases that require TLVs other than the authentication TLV to be included in purge LSPs.

Les

> -----Original Message-----
> From: isis-wg-bounces@ietf.org [mailto:isis-wg-bounces@ietf.org] On Behalf Of Tony Li
> Sent: Friday, August 13, 2010 1:57 AM
> To: Bhatia, Manav (Manav)
> Cc: chopps@rawdofmt.org; isis-wg@ietf.org; rja@extremenetworks.com; mfanto@aegisdatasecurity.com; RFC Errata System; adrian.farrel@huawei.com; riw@cisco.com
> Subject: Re: [Isis-wg] [Technical Errata Reported] RFC5310 (2462)
>
> Sorry, there's confusion here caused by the tool and spacing. I'm proposing an additional paragraph, that is not connected to the original text, except positionally.
>
> The additional text is simply:
>
> >> ISes implementing CRYPTO_AUTH authentication MUST NOT accept unauthenticated purges. ISes MUST NOT accept purges that contain TLVs other than the authentication TLV. These restrictions are necessary to prevent a hostile system from receiving an LSP, setting the Remaining Lifetime field to zero, and flooding it, thereby initiating a purge without knowing the authentication password.
>
> I hope the rationale behind this is obvious.
>
> Regards,
> Tony
>
>
> On Aug 13, 2010, at 1:33 AM, Bhatia, Manav (Manav) wrote:
>
> > I am not sure I understand why an IS, if it has not been configured to be in a "transition mode" would process ISIS LS PDUs without the CRYPTO_AUTH TLV? Is then the errata that even while an IS is in the said mode, it MUST NOT process the purges without the CRYPTO_AUTH TLV? If this is the case then how different is this from an attack where a hostile IS sends an empty IIH without the CRYPTO_AUTH TLV thus bringing down the adjacencies.
> >
> > This is also mentioned in the Security Considerations section of RFC5310 which states the following:
> >
> > "There is a transition mode suggested where routers can ignore the CRYPTO_AUTH information carried in the PDUs. The operator must ensure that this mode is only used when migrating to the new CRYPTO_AUTH-based authentication scheme, as this leaves the router vulnerable to an attack."
> >
> > Cheers, Manav
> >
> >> -----Original Message-----
> >> From: RFC Errata System [mailto:rfc-editor@rfc-editor.org]
> >> Sent: Friday, August 13, 2010 12.25 AM
> >> To: Bhatia, Manav (Manav); vishwas@ipinfusion.com; tony.li@tony.li; rja@extremenetworks.com; riw@cisco.com; mfanto@aegisdatasecurity.com; stbryant@cisco.com; adrian.farrel@huawei.com; chopps@rawdofmt.org; dward@juniper.net
> >> Cc: tony.li@tony.li; isis-wg@ietf.org; rfc-editor@rfc-editor.org
> >> Subject: [Technical Errata Reported] RFC5310 (2462)
> >>
> >> The following errata report has been submitted for RFC5310, "IS-IS Generic Cryptographic Authentication".
> >>
> >> --------------------------------------
> >> You may review the report below and at:
> >> http://www.rfc-editor.org/errata_search.php?rfc=5310&eid=2462
> >>
> >> --------------------------------------
> >> Type: Technical
> >> Reported by: Tony Li <tony.li@tony.li>
> >>
> >> Section: 3.5
> >>
> >> Original Text
> >> -------------
> >> An implementation MAY have a transition mode where it includes CRYPTO_AUTH information in the PDUs but does not verify this information. This is provided as a transition aid for networks in the process of migrating to the new CRYPTO_AUTH-based authentication schemes.
> >>
> >> Corrected Text
> >> --------------
> >> An implementation MAY have a transition mode where it includes CRYPTO_AUTH information in the PDUs but does not verify this information. This is provided as a transition aid for networks in the process of migrating to the new CRYPTO_AUTH-based authentication schemes. ISes implementing CRYPTO_AUTH authentication MUST NOT accept unauthenticated purges. ISes MUST NOT accept purges that contain TLVs other than the authentication TLV. These restrictions are necessary to prevent a hostile system from receiving an LSP, setting the Remaining Lifetime field to zero, and flooding it, thereby initiating a purge without knowing the authentication password.
> >>
> >> Notes
> >> -----
> >> The RFC ignores the case of purges. With explicit definition, purge packets would not include authentication, which would open a trivial vector for attack.
> >>
> >> Instructions:
> >> -------------
> >> This errata is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party (IESG) can log in to change the status and edit the report, if necessary.
> >>
> >> --------------------------------------
> >> RFC5310 (draft-ietf-isis-hmac-sha-07)
> >> --------------------------------------
> >> Title : IS-IS Generic Cryptographic Authentication
> >> Publication Date : February 2009
> >> Author(s) : M. Bhatia, V. Manral, T. Li, R. Atkinson, R. White, M. Fanto
> >> Category : PROPOSED STANDARD
> >> Source : IS-IS for IP Internets
> >> Area : Routing
> >> Stream : IETF
> >> Verifying Party : IESG
> >>
> _______________________________________________
> Isis-wg mailing list
> Isis-wg@ietf.org
> https://www.ietf.org/mailman/listinfo/isis-wg
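The two errata rules quoted in the thread (a purge is never accepted unauthenticated, even in transition mode, and a purge may carry no TLV other than the Authentication TLV) only make sense once one remembers that the Remaining Lifetime field is zeroed before the HMAC is computed (as in RFC 5304/5310), so a hostile system that sets it to zero on a captured LSP and re-floods it produces a "purge" whose authentication still verifies. The added example below, written for this thread and not taken from any implementation or from the RFC, is a receiver-side acceptance check that models exactly that: it uses a constructed, simplified LSP layout (2-byte Remaining Lifetime, 8-byte LSP ID, then TLVs; no checksum or other header fields) and a plain HMAC-SHA-256 over the masked PDU rather than RFC 5310's Apad/key-padding construction. The TLV codepoints are the real ones (Authentication TLV 10, IID-TLV 7, Purge Originator Identification TLV 13); the key, key ID, LSP ID and TLV values are constructed. The `purge_extra_tlvs` parameter is an assumption of this example that lets the check allow the Instance and Purge Originator TLVs Les says the later drafts require, while still rejecting a re-flooded full LSP.

```python
import hashlib
import hmac
import struct

TLV_AUTH = 10          # Authentication TLV (RFC 5304 / RFC 5310)
TLV_IID = 7            # Instance Identifier TLV (draft-ietf-isis-mi, later RFC 6822)
TLV_POI = 13           # Purge Originator Identification TLV (draft-ietf-isis-purge-tlv, later RFC 6232)
AUTH_TYPE_CRYPTO = 3   # RFC 5310 CRYPTO_AUTH authentication type

# Constructed, simplified LSP layout (assumption, not the full ISO 10589 header):
#   2 bytes Remaining Lifetime | 8 bytes LSP ID | TLVs as (type, length, value)
HDR = struct.Struct("!H8s")


def build_lsp(lifetime, lsp_id, tlvs):
    body = b"".join(struct.pack("!BB", t, len(v)) + v for t, v in tlvs)
    return HDR.pack(lifetime, lsp_id) + body


def parse_tlvs(data):
    """Split a TLV area into (type, value) pairs; reject truncated input."""
    tlvs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        t, length = data[i], data[i + 1]
        v = data[i + 2:i + 2 + length]
        if len(v) != length:
            raise ValueError("truncated TLV value")
        tlvs.append((t, v))
        i += 2 + length
    return tlvs


def _hmac_over(pdu, key, auth_off, auth_len):
    # Remaining Lifetime is zeroed before hashing because it changes hop by hop
    # (RFC 5304/5310 do the same, and also zero the checksum). The authentication
    # data itself is masked too. Assumption: plain HMAC-SHA-256 over the masked
    # PDU instead of RFC 5310's Apad fill and key padding.
    masked = b"\x00\x00" + pdu[2:auth_off] + b"\x00" * auth_len + pdu[auth_off + auth_len:]
    return hmac.new(key, masked, hashlib.sha256).digest()


def sign_lsp(lifetime, lsp_id, tlvs, key_id, key):
    """Originate an LSP carrying a CRYPTO_AUTH TLV (placed last for a fixed offset)."""
    digest_len = hashlib.sha256().digest_size
    auth_val = struct.pack("!BH", AUTH_TYPE_CRYPTO, key_id) + b"\x00" * digest_len
    pdu = build_lsp(lifetime, lsp_id, list(tlvs) + [(TLV_AUTH, auth_val)])
    auth_off = len(pdu) - digest_len
    return pdu[:auth_off] + _hmac_over(pdu, key, auth_off, digest_len)


def verify_crypto_auth(pdu, keys):
    """True iff the PDU carries a CRYPTO_AUTH TLV whose HMAC verifies under keys[key_id]."""
    off = HDR.size
    for t, v in parse_tlvs(pdu[HDR.size:]):
        if t == TLV_AUTH and len(v) >= 3 and v[0] == AUTH_TYPE_CRYPTO:
            key = keys.get(struct.unpack("!H", v[1:3])[0])
            if key is None:
                return False
            auth_off, auth_len = off + 2 + 3, len(v) - 3
            return hmac.compare_digest(_hmac_over(pdu, key, auth_off, auth_len), v[3:])
        off += 2 + len(v)
    return False


def accept_lsp(pdu, keys, transition_mode=False, purge_extra_tlvs=frozenset()):
    """Apply the errata rules; returns (accepted, reason)."""
    lifetime, _ = HDR.unpack_from(pdu)
    tlvs = parse_tlvs(pdu[HDR.size:])
    if lifetime == 0:
        # Errata rule 1: a purge is never exempt from authentication, transition mode or not.
        if not verify_crypto_auth(pdu, keys):
            return False, "unauthenticated purge"
        # Errata rule 2: only the Authentication TLV (plus whatever the operator
        # explicitly allows, e.g. IID/POI per the drafts Les cites). A captured LSP
        # re-flooded with lifetime zero still carries its original TLVs and fails here;
        # stripping them would break the HMAC and fail rule 1 instead.
        allowed = {TLV_AUTH} | set(purge_extra_tlvs)
        extra = sorted({t for t, _ in tlvs} - allowed)
        if extra:
            return False, "purge carries disallowed TLVs %s" % extra
        return True, "authenticated purge"
    if transition_mode:  # Section 3.5: non-purge PDUs may go unverified during migration
        return True, "transition mode: CRYPTO_AUTH not verified"
    if not verify_crypto_auth(pdu, keys):
        return False, "authentication failed"
    return True, "authenticated LSP"


# Constructed sample data for a stand-alone run.
KEYS = {1: b"constructed-shared-key"}
LSP_ID = b"\x19\x21\x68\x00\x00\x01\x00\x00"
REACH = (135, b"\x00\x0a\x18\x0a\x00\x00")  # Extended IP Reachability, constructed value

if __name__ == "__main__":
    lsp = sign_lsp(1200, LSP_ID, [REACH], 1, KEYS[1])
    forged = b"\x00\x00" + lsp[2:]  # lifetime zeroed by a system that does not know the key
    print("forged purge still verifies:", verify_crypto_auth(forged, KEYS))
    print("forged purge accepted:", accept_lsp(forged, KEYS))
    print("legitimate purge:", accept_lsp(sign_lsp(0, LSP_ID, [], 1, KEYS[1]), KEYS))
```

Running it shows the HMAC on the forged purge still verifying (the lifetime is not covered) while the acceptance check rejects it on the TLV rule; a purge that carries only a Purge Originator Identification TLV is rejected under the errata text as written and accepted once that TLV is put on the allow list, which is the tension Les raises.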