Re: [Isis-wg] [Technical Errata Reported] RFC5310 (2462)

"Les Ginsberg (ginsberg)" <ginsberg@cisco.com> Fri, 13 August 2010 18:25 UTC

Date: Fri, 13 Aug 2010 11:25:44 -0700
Message-ID: <AE36820147909644AD2A7CA014B1FB520BA22E92@xmb-sjc-222.amer.cisco.com>
In-Reply-To: <DBCA1447-F194-41A5-9CAF-67AF4644D5E5@tony.li>
References: <20100812185517.34298E06D7@rfc-editor.org><7C362EEF9C7896468B36C9B79200D8350CD03DB216@INBANSXCHMBSA1.in.alcatel-lucent.com> <DBCA1447-F194-41A5-9CAF-67AF4644D5E5@tony.li>
From: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>
To: Tony Li <tony.li@tony.li>, "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
Cc: chopps@rawdofmt.org, isis-wg@ietf.org, rja@extremenetworks.com, mfanto@aegisdatasecurity.com, adrian.farrel@huawei.com, riw@cisco.com, RFC Errata System <rfc-editor@rfc-editor.org>
Subject: Re: [Isis-wg] [Technical Errata Reported] RFC5310 (2462)

Tony -

In the context of the discussion regarding
draft-ietf-isis-purge-tlv-03.txt, what is the point of
clarifying/correcting RFC5310 in this way given that we now need to
update this behavior to allow TLVs other than the authentication TLV in
purged LSPs?

I would also point out that draft-ietf-isis-mi-03.txt also stipulates
that the instance TLV MUST be retained in purged LSPs (see the last
paragraph of Section 2.1) - so we now have two cases that require TLVs
other than the authentication TLV to be included in purge LSPs.

   Les

> -----Original Message-----
> From: isis-wg-bounces@ietf.org [mailto:isis-wg-bounces@ietf.org] On
> Behalf Of Tony Li
> Sent: Friday, August 13, 2010 1:57 AM
> To: Bhatia, Manav (Manav)
> Cc: chopps@rawdofmt.org; isis-wg@ietf.org; rja@extremenetworks.com;
> mfanto@aegisdatasecurity.com; RFC Errata System;
> adrian.farrel@huawei.com; riw@cisco.com
> Subject: Re: [Isis-wg] [Technical Errata Reported] RFC5310 (2462)
> 
> 
> Sorry, there's confusion here caused by the tool and spacing.  I'm
> proposing an additional paragraph, that is not connected to the
> original text, except positionally.
> 
> The additional text is simply:
> 
> >> ISes implementing
> >> CRYPTO_AUTH authentication MUST NOT accept unauthenticated
> >> purges.   ISes MUST NOT accept purges that contain TLVs other
> >> than the authentication TLV.  These restrictions are
> >> necessary to prevent a hostile system from receiving an LSP,
> >> setting the Remaining Lifetime field to zero, and flooding
> >> it, thereby initiating a purge without knowing the
> >> authentication password.
> 
> 
> I hope the rationale behind this is obvious.
> 
> Regards,
> Tony
> 
> 
> 
> On Aug 13, 2010, at 1:33 AM, Bhatia, Manav (Manav) wrote:
> 
> > I am not sure I understand why an IS, if it has not been configured
> > to be in a "transition mode" would process ISIS LS PDUs without the
> > CRYPTO_AUTH TLV? Is then the errata that even while an IS is in the
> > said mode, it MUST NOT process the purges without the CRYPTO_AUTH TLV?
> > If this is the case then how different is this from an attack where a
> > hostile IS sends an empty IIH without the CRYPTO_AUTH TLV thus
> > bringing down the adjacencies.
> >
> > This is also mentioned in the Security Considerations section of
> > RFC5310 which states the following:
> >
> > "There is a transition mode suggested where routers can ignore the
> > CRYPTO_AUTH information carried in the PDUs.  The operator must
> > ensure that this mode is only used when migrating to the new
> > CRYPTO_AUTH-based authentication scheme, as this leaves the router
> > vulnerable to an attack."
> >
> > Cheers, Manav
> >
> >> -----Original Message-----
> >> From: RFC Errata System [mailto:rfc-editor@rfc-editor.org]
> >> Sent: Friday, August 13, 2010 12.25 AM
> >> To: Bhatia, Manav (Manav); vishwas@ipinfusion.com;
> >> tony.li@tony.li; rja@extremenetworks.com; riw@cisco.com;
> >> mfanto@aegisdatasecurity.com; stbryant@cisco.com;
> >> adrian.farrel@huawei.com; chopps@rawdofmt.org; dward@juniper.net
> >> Cc: tony.li@tony.li; isis-wg@ietf.org; rfc-editor@rfc-editor.org
> >> Subject: [Technical Errata Reported] RFC5310 (2462)
> >>
> >>
> >> The following errata report has been submitted for RFC5310,
> >> "IS-IS Generic Cryptographic Authentication".
> >>
> >> --------------------------------------
> >> You may review the report below and at:
> >> http://www.rfc-editor.org/errata_search.php?rfc=5310&eid=2462
> >>
> >> --------------------------------------
> >> Type: Technical
> >> Reported by: Tony Li <tony.li@tony.li>
> >>
> >> Section: 3.5
> >>
> >> Original Text
> >> -------------
> >> An implementation MAY have a transition mode where it
> >> includes CRYPTO_AUTH information in the PDUs but does not
> >> verify this information.  This is provided as a transition
> >> aid for networks in the process of migrating to the new
> >> CRYPTO_AUTH-based authentication schemes.
> >>
> >> Corrected Text
> >> --------------
> >> An implementation MAY have a transition mode where it
> >> includes CRYPTO_AUTH information in the PDUs but does not
> >> verify this information.  This is provided as a transition
> >> aid for networks in the process of migrating to the new
> >> CRYPTO_AUTH-based authentication schemes.  ISes implementing
> >> CRYPTO_AUTH authentication MUST NOT accept unauthenticated
> >> purges.   ISes MUST NOT accept purges that contain TLVs other
> >> than the authentication TLV.  These restrictions are
> >> necessary to prevent a hostile system from receiving an LSP,
> >> setting the Remaining Lifetime field to zero, and flooding
> >> it, thereby initiating a purge without knowing the
> >> authentication password.
> >>
> >> Notes
> >> -----
> >> The RFC ignores the case of purges.  With explicit
> >> definition, purge packets would not include authentication,
> >> which would open a trivial vector for attack.
> >>
> >> Instructions:
> >> -------------
> >> This errata is currently posted as "Reported". If necessary, please
> >> use "Reply All" to discuss whether it should be verified or
> >> rejected. When a decision is reached, the verifying party (IESG)
> >> can log in to change the status and edit the report, if necessary.
> >>
> >> --------------------------------------
> >> RFC5310 (draft-ietf-isis-hmac-sha-07)
> >> --------------------------------------
> >> Title               : IS-IS Generic Cryptographic Authentication
> >> Publication Date    : February 2009
> >> Author(s)           : M. Bhatia, V. Manral, T. Li, R.
> >> Atkinson, R. White, M. Fanto
> >> Category            : PROPOSED STANDARD
> >> Source              : IS-IS for IP Internets
> >> Area                : Routing
> >> Stream              : IETF
> >> Verifying Party     : IESG
> >>
> 
> _______________________________________________
> Isis-wg mailing list
> Isis-wg@ietf.org
> https://www.ietf.org/mailman/listinfo/isis-wg
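The attack Tony describes in the quoted errata text (take a valid LSP, zero its Remaining Lifetime, re-flood it) and the two MUST NOTs proposed to block it, as an added example that is not code from this thread or from any IS-IS implementation. It assumes the ISO 10589 LSP header layout, an HMAC-SHA-256 CRYPTO_AUTH TLV (type 10, authentication type 3) computed per RFC 5310 with the Checksum and Remaining Lifetime fields zeroed and the authentication value replaced by Apad; the key, LSP ID and TLV contents are constructed for the demo. It shows something the errata text only implies: because RFC 5310 excludes Remaining Lifetime from the keyed hash, the attacker's zero-lifetime copy still passes HMAC verification, so the "purge carries only the authentication TLV" rule is what rejects it, and the HMAC over the TLVs is what stops the attacker from simply stripping the other TLVs.

```python
"""RFC 5310 HMAC-SHA-256 LSP authentication plus the purge rules from errata 2462.
Added example; header layout per ISO 10589, values below are constructed."""
from __future__ import annotations
import hashlib
import hmac
import struct

AUTH_TLV = 10              # IS-IS Authentication TLV
CRYPTO_AUTH = 3            # RFC 5310 authentication type
DIGEST_LEN = 32            # HMAC-SHA-256
APAD = bytes.fromhex("878FE1F3") * (DIGEST_LEN // 4)   # RFC 5310 Apad
LSP_HDR_LEN = 27           # 8-byte common header + 19-byte LSP header
OFF_PDU_LEN, OFF_LIFETIME, OFF_LSP_ID, OFF_SEQ, OFF_CHECKSUM = 8, 10, 12, 20, 24


def build_lsp(lsp_id: bytes, seq: int, lifetime: int, tlvs) -> bytearray:
    """Minimal L2 LSP: common header, LSP header, then TLVs (checksum left 0)."""
    body = b"".join(struct.pack("!BB", t, len(v)) + v for t, v in tlvs)
    hdr = struct.pack("!BBBBBBBB", 0x83, LSP_HDR_LEN, 1, 0, 0x14, 1, 0, 0)
    hdr += struct.pack("!HH", LSP_HDR_LEN + len(body), lifetime)
    hdr += lsp_id + struct.pack("!IHB", seq, 0, 0x03)
    return bytearray(hdr + body)


def parse_tlvs(pdu: bytes):
    """Yield (type, value_offset, value) for each TLV after the LSP header."""
    out, i = [], LSP_HDR_LEN
    while i + 2 <= len(pdu):
        t, length = pdu[i], pdu[i + 1]
        if i + 2 + length > len(pdu):
            raise ValueError("truncated TLV")
        out.append((t, i + 2, bytes(pdu[i + 2:i + 2 + length])))
        i += 2 + length
    return out


def rfc5310_digest(pdu: bytes, key: bytes) -> bytes:
    """HMAC over the PDU with Checksum and Remaining Lifetime zeroed and the
    Authentication Value replaced by Apad. Python's hmac already applies the
    Ko rule (zero-pad short keys, hash long ones), so no extra key step."""
    buf = bytearray(pdu)
    buf[OFF_LIFETIME:OFF_LIFETIME + 2] = b"\x00\x00"
    buf[OFF_CHECKSUM:OFF_CHECKSUM + 2] = b"\x00\x00"
    for t, off, val in parse_tlvs(buf):
        if t == AUTH_TLV and val[0] == CRYPTO_AUTH:
            buf[off + 3:off + 3 + DIGEST_LEN] = APAD
    return hmac.new(key, bytes(buf), hashlib.sha256).digest()


def sign_lsp(lsp_id: bytes, seq: int, lifetime: int, tlvs, key: bytes, key_id: int = 1) -> bytearray:
    """Append an auth TLV (type, key ID, placeholder) and fill in the digest."""
    auth_val = struct.pack("!BH", CRYPTO_AUTH, key_id) + APAD
    pdu = build_lsp(lsp_id, seq, lifetime, list(tlvs) + [(AUTH_TLV, auth_val)])
    digest = rfc5310_digest(pdu, key)
    for t, off, _ in parse_tlvs(pdu):
        if t == AUTH_TLV:
            pdu[off + 3:off + 3 + DIGEST_LEN] = digest
    return pdu


def verify_auth(pdu: bytes, key: bytes) -> bool:
    for t, _, val in parse_tlvs(pdu):
        if t == AUTH_TLV and val[0] == CRYPTO_AUTH and len(val) == 3 + DIGEST_LEN:
            return hmac.compare_digest(val[3:], rfc5310_digest(pdu, key))
    return False


def accept_lsp(pdu: bytes, key: bytes):
    """Receive-side check with the errata 2462 rules: a purge (Remaining
    Lifetime == 0) must be authenticated and must carry only the auth TLV."""
    lifetime = struct.unpack_from("!H", pdu, OFF_LIFETIME)[0]
    tlv_types = [t for t, _, _ in parse_tlvs(pdu)]
    if lifetime == 0:
        if AUTH_TLV not in tlv_types:
            return False, "unauthenticated purge"
        if any(t != AUTH_TLV for t in tlv_types):
            return False, "purge carries TLVs other than the authentication TLV"
    if not verify_auth(pdu, key):
        return False, "HMAC verification failed"
    return True, "accepted"


def attacker_replay(pdu: bytes) -> bytearray:
    """Hostile IS from the errata: keep the LSP intact, zero the lifetime, re-flood."""
    forged = bytearray(pdu)
    forged[OFF_LIFETIME:OFF_LIFETIME + 2] = b"\x00\x00"
    return forged


def strip_to_auth_tlv(pdu: bytes) -> bytearray:
    """Smarter attacker: drop every TLV but the auth TLV to satisfy the TLV rule.
    The HMAC covers the TLVs, so the digest no longer matches."""
    seq = struct.unpack_from("!I", pdu, OFF_SEQ)[0]
    lsp_id = bytes(pdu[OFF_LSP_ID:OFF_LSP_ID + 8])
    auth = [(t, v) for t, _, v in parse_tlvs(pdu) if t == AUTH_TLV]
    return build_lsp(lsp_id, seq, 0, auth)


KEY = b"constructed-demo-key"                       # constructed
LSP_ID = bytes.fromhex("1921680000010000")          # constructed: sysid.pn.frag
# constructed TLVs: Area Address (type 1) and Protocols Supported (type 129)
ORIGINAL = sign_lsp(LSP_ID, 0x2A, 1200, [(1, bytes.fromhex("03490001")), (129, b"\xcc")], KEY)

if __name__ == "__main__":
    cases = {
        "original LSP": ORIGINAL,
        "replayed with lifetime 0 (HMAC still valid: %s)" % verify_auth(attacker_replay(ORIGINAL), KEY): attacker_replay(ORIGINAL),
        "all TLVs stripped": build_lsp(LSP_ID, 0x2A, 0, []),
        "only auth TLV kept": strip_to_auth_tlv(ORIGINAL),
        "originator's signed purge": sign_lsp(LSP_ID, 0x2B, 0, [], KEY),
    }
    for name, pdu in cases.items():
        print(f"{name}: {accept_lsp(pdu, KEY)}")
```

Les's objection in the message above is visible in `accept_lsp`: a rule that admits only the authentication TLV in a purge would also reject purges carrying the purge-originator or instance TLVs that the two drafts he names require, so a real receiver has to allow those types in a purge while still verifying the HMAC over them.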