Re: [Isis-wg] Fingerprint generation issue-//FW: ISIS-autoconf-04 submitted //FW: New Version Notification for draft-liu-isis-auto-conf-04.txt

"Les Ginsberg (ginsberg)" <> Sun, 19 July 2015 20:52 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 76C991B2C36 for <>; Sun, 19 Jul 2015 13:52:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8n8wsB6sviSz for <>; Sun, 19 Jul 2015 13:52:38 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 722321B2C35 for <>; Sun, 19 Jul 2015 13:52:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=4091; q=dns/txt; s=iport; t=1437339158; x=1438548758; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=ydzmo53+LYi0Ubzl6T5A5aSrnBKil25tbU2qNqIh28Y=; b=cz7BrFER2oLbShRAIJe1rLObbtcJqSuuDp9ILelseBvSvCOUha4Bzz3c DM/Qc6C5k3OnYN3qIkajNF8OjPRlCUiDOCEBu28fmTHkL0vfpXqiO8Dfs tUBqkYF7nnPMzUIvlXv0zIHAhg4EHabxrBy8SZTo+8b9W8qAcsebwD0Hx M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.15,504,1432598400"; d="scan'208";a="170113194"
Received: from ([]) by with ESMTP; 19 Jul 2015 20:52:37 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id t6JKqbvA007788 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sun, 19 Jul 2015 20:52:37 GMT
Received: from ([]) by ([]) with mapi id 14.03.0195.001; Sun, 19 Jul 2015 15:52:37 -0500
From: "Les Ginsberg (ginsberg)" <>
To: "Liubing (Leo)" <>, " list" <>
Thread-Topic: Fingerprint generation issue-//FW: ISIS-autoconf-04 submitted //FW: New Version Notification for draft-liu-isis-auto-conf-04.txt
Thread-Index: AQHQmsUvhOb/9lHMUk2S32rA0gaCAZ2+NYzwgBSD/NCACOMe8IACA39ggAHj7oCABAbZ0A==
Date: Sun, 19 Jul 2015 20:52:36 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Cc: Martin Winter <>, David Lamparter <>
Subject: Re: [Isis-wg] Fingerprint generation issue-//FW: ISIS-autoconf-04 submitted //FW: New Version Notification for draft-liu-isis-auto-conf-04.txt
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF IS-IS working group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 19 Jul 2015 20:52:40 -0000

Bing -

Understood that a device can only advertise things that it knows. If it does not have access to serial # (for example) then it cannot use that as part of the fingerprint. But this section "should" be meant to define suggested behavior. The suggested behavior SHOULD be to advertise a fingerprint that is unlikely to be duplicated. The suggestion to use some randomly generated number in such cases is good.

It is Section 3.3.4 that concerns me. When a box restarts it is quite likely that it will receive copies of its LSPs from its previous incarnation. This will appear to be "double duplication" when in fact it is not. If it is NOT double duplication then - as you discuss - when the restarting router generates a new version of its LSP with a higher sequence number the false indication of double duplication will be resolved. It is only when double duplication persists that it can be considered as real. In such cases, using LSP sequence # as a fingerprint extension is not the best choice as if the double duplication is real both of the sytems are quite likely to choose the same new sequence #. Generating a different pseudo-random # in such a case is better.

I think the intent of this section is good - but some clarification is still needed.


> -----Original Message-----
> From: Isis-wg [] On Behalf Of Liubing (Leo)
> Sent: Friday, July 17, 2015 12:28 AM
> To: list
> Cc: Les Ginsberg (ginsberg); Martin Winter; David Lamparter
> Subject: [Isis-wg] Fingerprint generation issue-//FW: ISIS-autoconf-04
> submitted //FW: New Version Notification for draft-liu-isis-auto-conf-04.txt
> Hi Dear all,
> As discussed with Les as below, let me elaborate a bit more on the
> Fingerprint generation issue.
> In section 3.3.3 in the draft, it lists some resources for generating
> distinguishers:
> o  MAC address(es)
> o  Configured IP address(es)
> o  Hardware IDs (e.g.  CPU ID)
> o  Device serial number(s)
> o  System clock at a certain specific time o  Arbitrary received packet
> However, due to the feedback from the implementation team (as CCed), for
> small CPE boxes, at the initial stage only MAC address is available most of the
> time.
> So, it's reasonable to use MAC address as the Sys-id. For Fingerprint, it's
> tricky to generate high quality random numbers due to the lack of entropy.
> For this reason, we defined a "Double-Duplication" resolution mechanism in
> the 04 version draft. At the time Double-Duplication is detected, the devices
> have been booted for some time, and there should be enough entropy to
> tiebreak the double-duplication.
> Best regards,
> Bing
> -----Original Message-----
> From: Liubing (Leo)
> Sent: Friday, July 17, 2015 2:41 PM
> To: 'Les Ginsberg (ginsberg)'; list
> Subject: RE: ISIS-autoconf-04 submitted //FW: New Version Notification for
> draft-liu-isis-auto-conf-04.txt
> > > [Bing] The logic is this:
> > > 1. At the initial stage, there is not much entropy for generating a
> > > high quality Fingerprint. (This is the feedback from the
> > > implementation team.) 2. Then, very unfortunately, the sys-id and
> > Fingerprint both duplicated.
> > > 3. At the time the Double-Duplication is detected, there should be
> > > enough entropy (e.g. lots of random packets, LSP num etc.) to make
> > > tiebreaker of the duplication.
> > > Does this sound reasonable for you?
> >
> > [Les:] I would prefer that we define a robust fingerprint. This is not
> > that difficult.  If there are concerns about the difficulties please
> > make them public.
> [Bing] It's not difficult to "define" one, but for small devices, there is some
> practical difficulties.
> I'll initiate another thread to discuss this issue.
> _______________________________________________
> Isis-wg mailing list