Re: [Isis-wg] [Technical Errata Reported] RFC5309 (5007)

[Alexander Vainshtein <Alexander.Vainshtein@ecitele.com>]

Les,
RFC 3787 is about IS-IS (at least this is what its title says). And Section 10 you mention explicitly refers to RFC 1195 (i.e., IS-IS).

In the case of OSPFv2 IP addressing definitely affects forming the adjacencies for LAN interfaces.

Regards,
Sasha

Office: +972-39266302
Cell:      +972-549266302
Email:   Alexander.Vainshtein@ecitele.com

From: Les Ginsberg (ginsberg) [mailto:ginsberg@cisco.com]
Sent: Thursday, May 04, 2017 6:30 PM
To: Acee Lindem (acee) <acee@cisco.com>; Alexander Vainshtein <Alexander.Vainshtein@ecitele.com>
Cc: alex.zinin@alcatel-lucent.com; isis-wg@ietf.org; db3546@att.com; chopps@chopps.org; RFC Errata System <rfc-editor@rfc-editor.org>; OSPF WG List <ospf@ietf.org>
Subject: RE: [Isis-wg] [Technical Errata Reported] RFC5309 (5007)

Acee -

From: Acee Lindem (acee)
Sent: Thursday, May 04, 2017 8:20 AM
To: Les Ginsberg (ginsberg); Alexander Vainshtein
Cc: alex.zinin@alcatel-lucent.com<mailto:alex.zinin@alcatel-lucent.com>; isis-wg@ietf.org<mailto:isis-wg@ietf.org>; db3546@att.com<mailto:db3546@att.com>; chopps@chopps.org<mailto:chopps@chopps.org>; RFC Errata System; OSPF WG List
Subject: Re: [Isis-wg] [Technical Errata Reported] RFC5309 (5007)

Hi Les,

From: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com<mailto:ginsberg@cisco.com>>
Date: Thursday, May 4, 2017 at 11:07 AM
To: Acee Lindem <acee@cisco.com<mailto:acee@cisco.com>>, Alexander Vainshtein <Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>>
Cc: "alex.zinin@alcatel-lucent.com<mailto:alex.zinin@alcatel-lucent.com>" <alex.zinin@alcatel-lucent.com<mailto:alex.zinin@alcatel-lucent.com>>, "isis-wg@ietf.org<mailto:isis-wg@ietf.org>" <isis-wg@ietf.org<mailto:isis-wg@ietf.org>>, Deborah Brungard <db3546@att.com<mailto:db3546@att.com>>, Christian Hopps <chopps@chopps.org<mailto:chopps@chopps.org>>, RFC Errata System <rfc-editor@rfc-editor.org<mailto:rfc-editor@rfc-editor.org>>, OSPF WG List <ospf@ietf.org<mailto:ospf@ietf.org>>
Subject: RE: [Isis-wg] [Technical Errata Reported] RFC5309 (5007)

Acee –

Any ARP issues which might occur for numbered interfaces where neighbors do not have matching subnets will occur independent of P2P mode. I therefore see no reason why RFC 5309 should address this issue.

You may not be aware that subnet checking on numbered P2P links (which is enforced by many router implementations) is not standard. In fact, BSD implementations (which were very popular in the pre-Linux era), model a P2P link as simply a connection between two endpoints as opposed to a subnet.

[Les:] I am well aware. I am also aware that even on LANs some implementations enforce matching subnet checking and some don’t. Please read the previously mention RFC 3787 Section 10.


If you feel this needs to be addressed (I don’t – but YMMV) then I think errata should be against RFC 2328.

This statement in RFC 5309 is respect to ARP – not OSPF. After several decades, we’re certainly not going to change OSPF to enforce subnet checking on P2P links.

[Les:] I never suggested that (and I don’t think Sasha did either). The errata  is suggesting the following new text:

“For the ARP implementation (which checks that the subnet of the source address of the ARP request matches the local interface address), this check needs to be relaxed for the p2p-over-lan circuits (both numbered and unnumbered).”

I am pointing out that this issue is not specific to P2P operation on a LAN.
Naiming has also pointed out that in P2P mode you are less likely to have problems because ARP will always respond to requests for the local address. If there is going to be a problem it is more likely to occur in multi-access mode when an ARP request for a non-local address might be received.

   Les




Note that in the case of IS-IS we have RFC 3787 Section 10 – which concludes by saying:

“…The  network administrator should ensure that there is a common IP subnet
   assigned to links with numbered interfaces, and that all routers on
   each link have a IP Interface Addresses belonging to the assigned
   subnet.”

OSPF supports both models of P2P link. OSPF has been widely deployed on hosts as well as routers. See this excerpt from RFC 2328 and note Option 1:


            12.4.1.1.  Describing point-to-point interfaces



                For point-to-point interfaces, one or more link

                descriptions are added to the router-LSA as follows:



                o   If the neighboring router is fully adjacent, add a

                    Type 1 link (point-to-point). The Link ID should be

                    set to the Router ID of the neighboring router. For

                    numbered point-to-point networks, the Link Data

                    should specify the IP interface address. For

                    unnumbered point-to-point networks, the Link Data

                    field should specify the interface's MIB-II [Ref8]

                    ifIndex value. The cost should be set to the output

                    cost of the point-to-point interface.



                o   In addition, as long as the state of the interface

                    is "Point-to-Point" (and regardless of the

                    neighboring router state), a Type 3 link (stub

                    network) should be added. There are two forms that

                    this stub link can take:



                    Option 1

                        Assuming that the neighboring router's IP

                        address is known, set the Link ID of the Type 3

                        link to the neighbor's IP address, the Link Data

                        to the mask 0xffffffff (indicating a host

                        route), and the cost to the interface's

                        configured output cost.[15]



                    Option 2

                        If a subnet has been assigned to the point-to-

                        point link, set the Link ID of the Type 3 link

                        to the subnet's IP address, the Link Data to the

                        subnet's mask, and the cost to the interface's

                        configured output cost.[16]

Thanks,
Acee



   Les


From: Acee Lindem (acee)
Sent: Thursday, May 04, 2017 7:20 AM
To: Alexander Vainshtein; Les Ginsberg (ginsberg)
Cc: alex.zinin@alcatel-lucent.com<mailto:alex.zinin@alcatel-lucent.com>; isis-wg@ietf.org<mailto:isis-wg@ietf.org>; db3546@att.com<mailto:db3546@att.com>; chopps@chopps.org<mailto:chopps@chopps.org>; RFC Errata System; OSPF WG List
Subject: Re: [Isis-wg] [Technical Errata Reported] RFC5309 (5007)

+ospf-wg list

While very implementation specific, P2P over LAN isn’t described anywhere other than RFC 5309. The point Sasha is making is that OSPF doesn’t enforce subnet match checking on P2P links (which is true) and the ARP must do the same. Hence, I would agree with the errata.

Original Text
-------------
For the ARP implementation (which checks that the subnet of the source address of the ARP request matches the local interface address), this check needs to be relaxed for the unnumbered p2p-over-lan circuits.

Corrected Text
--------------
For the ARP implementation (which checks that the subnet of the source address of the ARP request matches the local interface address), this check needs to be relaxed for the p2p-over-lan circuits (both numbered and unnumbered).

Let’s go forward with this and not spend any more time debating it.

Thanks,
Acee



From: Isis-wg <isis-wg-bounces@ietf.org<mailto:isis-wg-bounces@ietf.org>> on behalf of Alexander Vainshtein <Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>>
Date: Thursday, May 4, 2017 at 6:03 AM
To: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com<mailto:ginsberg@cisco.com>>
Cc: "alex.zinin@alcatel-lucent.com<mailto:alex.zinin@alcatel-lucent.com>" <alex.zinin@alcatel-lucent.com<mailto:alex.zinin@alcatel-lucent.com>>, "isis-wg@ietf.org<mailto:isis-wg@ietf.org>" <isis-wg@ietf.org<mailto:isis-wg@ietf.org>>, Deborah Brungard <db3546@att.com<mailto:db3546@att.com>>, Christian Hopps <chopps@chopps.org<mailto:chopps@chopps.org>>, RFC Errata System <rfc-editor@rfc-editor.org<mailto:rfc-editor@rfc-editor.org>>
Subject: Re: [Isis-wg] [Technical Errata Reported] RFC5309 (5007)

Les,
Lots of thanks for a detailed response. It seems that we are now in sync regarding the problem.

Doing nothing with this problem is of course one of the possible options☺.
I wonder how should we reach consensus regarding its handling.

Regards,
Sasha

Office: +972-39266302
Cell:      +972-549266302
Email:   Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>

From: Les Ginsberg (ginsberg) [mailto:ginsberg@cisco.com]
Sent: Monday, May 01, 2017 6:04 PM
To: Alexander Vainshtein <Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>>
Cc: isis-wg@ietf.org<mailto:isis-wg@ietf.org>; RFC Errata System <rfc-editor@rfc-editor.org<mailto:rfc-editor@rfc-editor.org>>; Naiming Shen (naiming) <naiming@cisco.com<mailto:naiming@cisco.com>>; alex.zinin@alcatel-lucent.com<mailto:alex.zinin@alcatel-lucent.com>; akatlas@gmail.com<mailto:akatlas@gmail.com>; db3546@att.com<mailto:db3546@att.com>; Alvaro Retana (aretana) <aretana@cisco.com<mailto:aretana@cisco.com>>; chopps@chopps.org<mailto:chopps@chopps.org>; hannes@gredler.at<mailto:hannes@gredler.at>
Subject: RE: [Isis-wg] [Technical Errata Reported] RFC5309 (5007)

Sasha -

From: Alexander Vainshtein [mailto:Alexander.Vainshtein@ecitele.com]
Sent: Monday, May 01, 2017 12:50 AM
To: Les Ginsberg (ginsberg)
Cc: isis-wg@ietf.org<mailto:isis-wg@ietf.org>; RFC Errata System; Naiming Shen (naiming); alex.zinin@alcatel-lucent.com<mailto:alex.zinin@alcatel-lucent.com>; akatlas@gmail.com<mailto:akatlas@gmail.com>; db3546@att.com<mailto:db3546@att.com>; Alvaro Retana (aretana); chopps@chopps.org<mailto:chopps@chopps.org>; hannes@gredler.at<mailto:hannes@gredler.at>
Subject: RE: [Isis-wg] [Technical Errata Reported] RFC5309 (5007)

Les,
Lots of thanks for the clarification.
I fully agree with you that configuring a pair of interfaces across a P2P link with IP addresses from different subnets should not be encouraged even if these interfaces operate as P2P from the POV of the routing protocol.

[Les:] This is not what I said. I said:

“allowing an adjacency to be formed on a numbered LAN with mismatched subnets is neither introduced nor altered by these RFCs .”

The problem is that the scenario I’ve described is quite real, and, AFAIK,  no standard explicitly says that it is not supported.

[Les:] Yes – it is real. But as RFC 5309 did not introduce or alter this behavior it is not the appropriate place to comment on it.

I also do not fully  understand  your usage of plural (“these RFCs”) – I have been only asking about a correction in a single RFC -5309.

[Les:] My mistake – I was thinking there was a separate RFC for OSPF/IS-IS – but RFC 5309 cobvers both.

I see several ways to resolve the problem:

1.       Recognize the erratum and hold it for the update of 5309

2.       Explicitly state that numbered P2P-over-LAN interfaces must still configure the terminating interfaces of the LAN link with IPv4 addresses from the same subnet (could be another sort of update for 5309).

What would you suggest?

[Les:] I suggest we do no nothing.

   Les

Regard, and lots of thanks in advance,
Sasha



Regards,
Sasha

Office: +972-39266302
Cell:      +972-549266302
Email:   Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>

From: Les Ginsberg (ginsberg) [mailto:ginsberg@cisco.com]
Sent: Sunday, April 30, 2017 10:44 PM
To: Alexander Vainshtein <Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>>
Cc: isis-wg@ietf.org<mailto:isis-wg@ietf.org>; RFC Errata System <rfc-editor@rfc-editor.org<mailto:rfc-editor@rfc-editor.org>>; Naiming Shen (naiming) <naiming@cisco.com<mailto:naiming@cisco.com>>; alex.zinin@alcatel-lucent.com<mailto:alex.zinin@alcatel-lucent.com>; akatlas@gmail.com<mailto:akatlas@gmail.com>; db3546@att.com<mailto:db3546@att.com>; Alvaro Retana (aretana) <aretana@cisco.com<mailto:aretana@cisco.com>>; chopps@chopps.org<mailto:chopps@chopps.org>; hannes@gredler.at<mailto:hannes@gredler.at>
Subject: RE: [Isis-wg] [Technical Errata Reported] RFC5309 (5007)

Sasha –

The language you are asking to be changed is in regards to ARP. I am saying allowing an adjacency to be formed on a numbered LAN with mismatched subnets is neither introduced nor altered by these RFCs .
What is introduced is the possibility of operating on an unnumbered LAN – which is why the RFCs speak to that.

If you want to ask that protocol base specifications discuss ARP issues when mismatched subnets are allowed (which I am NOT encouraging you to do) then you will be directing your comments at the correct documents.
Asking that of these RFCs is inappropriate.

   Les


From: Alexander Vainshtein [mailto:Alexander.Vainshtein@ecitele.com]
Sent: Sunday, April 30, 2017 8:51 AM
To: Les Ginsberg (ginsberg)
Cc: isis-wg@ietf.org<mailto:isis-wg@ietf.org>; RFC Errata System; Naiming Shen (naiming); alex.zinin@alcatel-lucent.com<mailto:alex.zinin@alcatel-lucent.com>; akatlas@gmail.com<mailto:akatlas@gmail.com>; db3546@att.com<mailto:db3546@att.com>; Alvaro Retana (aretana); chopps@chopps.org<mailto:chopps@chopps.org>; hannes@gredler.at<mailto:hannes@gredler.at>
Subject: RE: [Isis-wg] [Technical Errata Reported] RFC5309 (5007)


Les,

Lots of thanks for a prompt response.



As I see it, the difference between the P2P and LAN modes is essential for OSPF:

- If an OSPF interface is a LAN (broadcast) interface, there is a check of the same subnet for received Hello packets. If the received Hello packets do not pass this check, they are discarded and an error is reported via SNMP.

- However, if an OSPF interface is a P2P interface, then the subnet check on the Hello packets is bypassed  by design as defined in Section 10.5 of RFC 2328:



                     The generic input processing of OSPF packets will

        have checked the validity of the IP header and the OSPF packet

        header.  Next, the values of the Network Mask, HelloInterval,

        and RouterDeadInterval fields in the received Hello packet must

        be checked against the values configured for the receiving

        interface.  Any mismatch causes processing to stop and the

        packet to be dropped.  In other words, the above fields are

        really describing the attached network's configuration. However,

        there is one exception to the above rule: on point-to-point

        networks and on virtual links, the Network Mask in the received

        Hello Packet should be ignored.



I.e., having different subnets on two ends of a PPP link would not cause any problems for OSPF - the adjacency would be successfully recognized, it would progress to its FULL state, and unicast traffic would cross such a link without any problem.



But if we have a P2P-over-LAN link (which is the case for RFC 5309), the result would be quite different - unless the ARP implementations go beyond what 5309 says and relax the check for all such links, be they numbered or unnumbered.



Do I miss something substantial here?







Regards,

Sasha



Office: +972-39266302

Cell:      +972-549266302

Email:   Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>





-----Original Message-----
From: Les Ginsberg (ginsberg) [mailto:ginsberg@cisco.com]
Sent: Sunday, April 30, 2017 5:19 PM
To: RFC Errata System <rfc-editor@rfc-editor.org<mailto:rfc-editor@rfc-editor.org>>; Naiming Shen (naiming) <naiming@cisco.com<mailto:naiming@cisco.com>>; alex.zinin@alcatel-lucent.com<mailto:alex.zinin@alcatel-lucent.com>; akatlas@gmail.com<mailto:akatlas@gmail.com>; db3546@att.com<mailto:db3546@att.com>; Alvaro Retana (aretana) <aretana@cisco.com<mailto:aretana@cisco.com>>; chopps@chopps.org<mailto:chopps@chopps.org>; hannes@gredler.at<mailto:hannes@gredler.at>
Cc: Alexander Vainshtein <Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>>; isis-wg@ietf.org<mailto:isis-wg@ietf.org>
Subject: RE: [Isis-wg] [Technical Errata Reported] RFC5309 (5007)



Alexander -



I am not speaking for the RFC authors, but regarding your point:



> o          Are assigned with IP addresses and subnet masks yielding different

> subnets



I fail to see why this issue is unique to (or associated with) running in P2P mode.



The unnumbered case is specifically mentioned because in such a case it can be expected that the next hop address will be a loopback address and therefore there will be no common subnet.

But in the numbered case whether you have one neighbor in P2P mode or many neighbors in multi-access mode the msimatched subnet issue is the same. Therefore I see no reason why these RFCs should discuss it.



???



   Les





> -----Original Message-----

> From: Isis-wg [mailto:isis-wg-bounces@ietf.org] On Behalf Of RFC

> Errata System

> Sent: Sunday, April 30, 2017 1:16 AM

> To: Naiming Shen (naiming); alex.zinin@alcatel-lucent.com<mailto:alex.zinin@alcatel-lucent.com>;

> akatlas@gmail.com<mailto:akatlas@gmail.com>; db3546@att.com<mailto:db3546@att.com>; Alvaro Retana (aretana);

> chopps@chopps.org<mailto:chopps@chopps.org>; hannes@gredler.at<mailto:hannes@gredler.at>

> Cc: Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>; isis-wg@ietf.org<mailto:isis-wg@ietf.org>;

> rfc-editor@rfc- editor.org

> Subject: [Isis-wg] [Technical Errata Reported] RFC5309 (5007)

>

> The following errata report has been submitted for RFC5309,

> "Point-to-Point Operation over LAN in Link State Routing Protocols".

>

> --------------------------------------

> You may review the report below and at:

> http://www.rfc-editor.org/errata_search.php?rfc=5309&eid=5007

>

> --------------------------------------

> Type: Technical

> Reported by: Alexander Vainshtein <Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>>

>

> Section: 4.3

>

> Original Text

> -------------

> For the ARP implementation (which checks that the subnet of the source

> address of the ARP request matches the local interface address), this

> check needs to be relaxed for the unnumbered p2p-over-lan circuits.

>

> Corrected Text

> --------------

> For the ARP implementation (which checks that the subnet of the source

> address of the ARP request matches the local interface address), this

> check needs to be relaxed for the p2p-over-lan circuits (both numbered

> and unnumbered).

>

> Notes

> -----

> Consider the following situation:

> 1.         Two routers, R1 and R2, are connected by a physical P2P  Ethernet

> link

> 2.         OSPFv2 is enabled on the interfaces representing the endpoints of

> this link.

> 3.      From the OSPF POV these interfaces:

> o          Are configured as P2P

> o          Belong to the same area

> o          Are assigned with IP addresses and subnet masks yielding different

> subnets

> 4.    ARP check mentioned in the problematic text is not relaxed.

>

> Under this conditions:

> -Both R1 and R2 will accept Hello messages sent by the other router

> (becase it ignores subnet in Hello messages received via P2P

> interfaces)

> - Adjacency between R1 and R2 will progress to FULL state (because all

> OSPFv2 messages will be sent with AllSPFRouters multicast IPv4

> address)

> - Unicast traffic sent by R1 to R2 (and vice versa) will be blackholed

> because ARP will not resolve addresses assigned to the corresponding interfaces.

>

> Instructions:

> -------------

> This erratum is currently posted as "Reported". If necessary, please

> use "Reply All" to discuss whether it should be verified or rejected.

> When a decision is reached, the verifying party can log in to change

> the status and edit the report, if necessary.

>

> --------------------------------------

> RFC5309 (draft-ietf-isis-igp-p2p-over-lan-06)

> --------------------------------------

> Title               : Point-to-Point Operation over LAN in Link State Routing

> Protocols

> Publication Date    : October 2008

> Author(s)           : N. Shen, Ed., A. Zinin, Ed.

> Category            : INFORMATIONAL

> Source              : IS-IS for IP Internets

> Area                : Routing

> Stream              : IETF

> Verifying Party     : IESG

>

> _______________________________________________

> Isis-wg mailing list

> Isis-wg@ietf.org<mailto:Isis-wg@ietf.org>

> https://www.ietf.org/mailman/listinfo/isis-wg

___________________________________________________________________________

This e-mail message is intended for the recipient only and contains information which is
CONFIDENTIAL and which may be proprietary to ECI Telecom. If you have received this
transmission in error, please inform us by e-mail, phone or fax, and then delete the original
and all copies thereof.
___________________________________________________________________________

___________________________________________________________________________

This e-mail message is intended for the recipient only and contains information which is
CONFIDENTIAL and which may be proprietary to ECI Telecom. If you have received this
transmission in error, please inform us by e-mail, phone or fax, and then delete the original
and all copies thereof.
___________________________________________________________________________

___________________________________________________________________________

This e-mail message is intended for the recipient only and contains information which is
CONFIDENTIAL and which may be proprietary to ECI Telecom. If you have received this
transmission in error, please inform us by e-mail, phone or fax, and then delete the original
and all copies thereof.
___________________________________________________________________________

___________________________________________________________________________

This e-mail message is intended for the recipient only and contains information which is 
CONFIDENTIAL and which may be proprietary to ECI Telecom. If you have received this 
transmission in error, please inform us by e-mail, phone or fax, and then delete the original 
and all copies thereof.
___________________________________________________________________________