Re: [Isis-wg] WG Last Call for for draft-ietf-isis-pcr

János Farkas <janos.farkas@ericsson.com> Fri, 04 September 2015 15:23 UTC

Message-ID: <55E9B74E.3060407@ericsson.com>
Date: Fri, 04 Sep 2015 17:22:54 +0200
From: János Farkas <janos.farkas@ericsson.com>
To: Eric Gray <eric.gray@ericsson.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/isis-wg/TbELhA72FaBfUKti_pAQjl235ZE>
Cc: isis-wg@ietf.org
Subject: Re: [Isis-wg] WG Last Call for for draft-ietf-isis-pcr

Hi Eric,

Thank you very much for your review and comments!

On 9/2/2015 9:39 PM, Eric Gray wrote:
>
> Authors,
>
> I have the following comments on the draft…
>
> We start section 4 with the statement: “An explicit tree is determined by a Path Computation Element (PCE) …”
>
> I believe that explicit trees may be determined without using a PCE, even if we might prefer to use a PCE. One could, for example, construct one on paper.
>
I agree.

>
> I suspect we could say:
>
> - “Explicit trees may be determined in some fashion. For example, an explicit tree may be determined by a Path Computation Element (PCE) [_RFC4655_]. A PCE is an entity that is capable of computing a topology for forwarding based on a network topology, its corresponding attributes, and potential constraints. If a PCE is used, it MUST explicitly describe a forwarding tree as described in _Section 6.1_. Either a single PCE or multiple PCEs determine explicit trees for a domain. Even if there are multiple PCEs in a domain, each explicit tree MUST be determined only by one PCE, which is referred to as the owner PCE of that tree. PCEs and IS-IS PCR can be used in combination with IS-IS shortest path bridging.
>
> “The remainder of this section, and subsequent sections, are written assuming PCE use.”
>
> A few minor points (reflected in the above re-wording):
>
> - “MUST be only determined by one PCE” is awkward (implies everything else has to be done by another PCE).
> - “SPB shortest path routing” is either redundant or incorrect.
> - It would be very difficult to re-write the section to avoid dependence on PCE, but I suspect a statement to the effect that PCE is assumed will allow it to be read without loss of generality.
> - I left out the bit about not being required to follow shortest path as this seems obvious.
>
I agree with the wording you propose.
I will update the text according to your proposal if there are no 
further comments on it.


> I am not sure how the second paragraph in the security considerations section is related to security, as it is currently worded.
>
> As I understand it, the issue that the paragraph aims to address has to do with a vulnerability that may exist when multiple PCEs are used and may be independently managed. In particular, the */importance/* parameter could be used maliciously by one PCE to ensure that it gets reservations.
>
> This is simply one variation of a general PCE issue; an independently managed, non-cooperating PCE is indistinguishable from a */PCE impersonation/* (in the sense used in the Security Considerations section of RFC 4655).
>
I agree with your points.
I agree that referring to PCE security considerations of RFC 4655 is 
missing; and adding it makes the security considerations more generic 
and thus covers the particular case pointed out in the current version.

> We may want to consider replacing the current second paragraph with the following two paragraphs.
>
> Any mechanism that chooses forwarding paths, and allocates resources to those paths, is potentially vulnerable to attack. The security considerations section of RFC 4655 describes the risks associated with the use of PCE for this purpose and should be referred to. Use of any other means to determine paths should only be used after considering similar concerns.
>
> Because the mechanism assumed for distributing tree information relies on IS-IS routing, IS-IS routing security considerations (Section 6, RFC 1195) and mechanisms (e.g. – RFC 5310) used to authenticate peer advertisements apply.
>
I will replace the second paragraph with these ones you suggested if 
there are no further comments.

Thank you and regards,
Janos


> --
>
> Eric
>
> *Subject:* [Isis-wg] WG Last Call for for draft-ietf-isis-pcr
> *Date:* Mon, 24 Aug 2015 09:54:27 -0400
> *From:* Christian Hopps <chopps@chopps.org>
> *To:* ISIS-WG <isis-wg@ietf.org>
> *CC:* Hannes Gredler <hannes@gredler.at>
>
> Hi Folks,
>   
> We are starting a WG Last Call on the following draft.
>   
> “IS-IS Path Computation and Reservation”
> https://datatracker.ietf.org/doc/draft-ietf-isis-pcr/
>   
> The LC is set to expire 3 weeks from now (allowing for common vacation
> time) on Monday, September 14, 2015.
>   
> Thanks,
> Chris & Hannes.
>   