IETF Logo Mail Archive

Re: [Isis-wg] WG LC draft-ietf-isis-purge-tlv-03.txt

Tony Li <tony.li@tony.li> Thu, 12 August 2010 19:30 UTC

Return-Path: <tony.li@tony.li>
X-Original-To: isis-wg@core3.amsl.com
Delivered-To: isis-wg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7BF443A6852 for <isis-wg@core3.amsl.com>; Thu, 12 Aug 2010 12:30:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.389
X-Spam-Level:
X-Spam-Status: No, score=-102.389 tagged_above=-999 required=5 tests=[AWL=0.210, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fjyc6BTSQoqn for <isis-wg@core3.amsl.com>; Thu, 12 Aug 2010 12:30:05 -0700 (PDT)
Received: from qmta06.westchester.pa.mail.comcast.net (qmta06.westchester.pa.mail.comcast.net [76.96.62.56]) by core3.amsl.com (Postfix) with ESMTP id A269E3A67C3 for <isis-wg@ietf.org>; Thu, 12 Aug 2010 12:29:57 -0700 (PDT)
Received: from omta01.westchester.pa.mail.comcast.net ([76.96.62.11]) by qmta06.westchester.pa.mail.comcast.net with comcast id tUSz1e0070EZKEL56X6GTp; Thu, 12 Aug 2010 19:06:16 +0000
Received: from dhcp-171-70-245-18.cisco.com ([171.70.245.18]) by omta01.westchester.pa.mail.comcast.net with comcast id tX5q1e0050QYXBf3MX5up2; Thu, 12 Aug 2010 19:06:14 +0000
Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: text/plain; charset="us-ascii"
From: Tony Li <tony.li@tony.li>
In-Reply-To: <AE36820147909644AD2A7CA014B1FB520BA229FE@xmb-sjc-222.amer.cisco.com>
Date: Thu, 12 Aug 2010 12:05:48 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <41DC55BA-D42E-47CE-96B5-28978F031E50@tony.li>
References: <8E27D05D-D541-4DEC-9800-E22E1927CBC3@juniper.net><05542EC42316164383B5180707A489EE1D6B285AB3@EMBX02-HQ.jnpr.net> <C436ED4D-8956-4385-909F-178C753D6EC0@tony.li> <AE36820147909644AD2A7CA014B1FB520BA229FE@xmb-sjc-222.amer.cisco.com>
To: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>
X-Mailer: Apple Mail (2.1081)
Cc: isis mailing list <isis-wg@ietf.org>, weifang@chinamobile.com, Adrian Farrel <Adrian.Farrel@huawei.com>, "Chris Hopps (chopps)" <chopps@cisco.com>, ??? <lizhenqiang@chinamobile.com>, qinyue@chinamobile.com
Subject: Re: [Isis-wg] WG LC draft-ietf-isis-purge-tlv-03.txt
X-BeenThere: isis-wg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF IS-IS working group <isis-wg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/isis-wg>
List-Post: <mailto:isis-wg@ietf.org>
List-Help: <mailto:isis-wg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Aug 2010 19:30:06 -0000

Hi Les,

> The companion text to this in RFC 5304 is:
> 
> "ISes (routers) that implement HMAC-MD5 authentication and initiate LSP
>   purges MUST remove the body of the LSP and add the authentication
>   TLV."
> 
> Clearly the combination of the two leaves no wiggle room as the behavior
> of both the purge initiator and the purge receiver is strictly
> specified.
> 
> One does wonder however whether all implementations were this strict in
> their receiving code. It is conceivable that an implementation could
> apply the authentication logic to a received purged LSP in the same
> manner that it would to a non-purged LSP - in which case it would simply
> apply authentication to the body (if it exists). This would be in
> violation of the above provisions in RFC 5304 - but might reasonably be
> done in the spirit of being "strict in what you send but generous in
> what you receive".


True, but there is rationale behind the text in 5304.  If implementations are relaxed about the purges that they accept, then an attacker can simply take any LSP, set the remaining lifetime to zero, and flood it, complete with authentication.

The whole point of the text is that to authenticate a purge, the IS initiating the purge MUST remove the body of the LSP (or somehow change it) and then re-authenticate it.

So there is method to the madness.


> In any case what is deployed is beyond our ability to change, so perhaps
> the best we can say is:
> 
> "Use of the extensions defined here with authentication as defined in
> RFC5304 or RFC5310 will result in the discarding of purges by legacy
> systems which are in strict conformance with either of those RFCs. This
> may compromise the correctness/consistency of the routing database
> unless all ISs in the network support these extensions. In cases where
> the purge is initiated by owner of the LSP the problem may be avoided by
> first generating a non-purged version of the LSP with no body."
> 
> ???


Yes, we could say that, but in fact 2002 says pretty much the opposite:

   7.3.4.6 If an LSP becomes empty, because all of the adjacencies reported 
   in that LSP no longer exist, it is recommended that an IS purge that LSP. 
   An IS may alternatively choose to reissue it as an empty LSP (i.e. with no 
   options), although purging is preferable. An IS should not allow the LSP to age 
   out as this results in having incorrect routing information in all of the LSP 
   databases.

[Aside: as a matter of protocol design, it probably would have been better to consistently issue empty LSPs and subsequently have them age out rather than to create the independent purge mechanism.  Fewer mechanisms and less room for abuse.]

Tony

v2.23.0 | Report a Bug | By Email