Re: [Isis-wg] Genart last call review of draft-ietf-isis-auto-conf-04

"Alvaro Retana (aretana)" <aretana@cisco.com> Mon, 10 April 2017 17:32 UTC


Works for me!

Thanks!

Alvaro.

On 4/10/17, 10:34 AM, "Les Ginsberg (ginsberg)" <ginsberg@cisco.com> wrote:

Bing/Robert/Alvaro -

Here is the existing text of the Security Section:

  "In general, the use of authentication is incompatible with auto-
   configuration as it requires some manual configuration.

   For wired deployment, the wired connection itself could be considered
   as an implicit authentication in that unwanted routers are usually
   not able to connect (i.e. there is some kind of physical security in
   place preventing the connection of rogue devices); for wireless
   deployment, the authentication could be achieved at the lower
   wireless link layer."


Proposed revision:

"In the absence of cryptographic authentication it is possible for an attacker to inject a PDU falsely indicating
there is a duplicate system-id. This may trigger automatic restart of the protocol using the duplicate-id
resolution procedures defined in this document.

Note that the use of authentication is incompatible with auto-
configuration as it requires some manual configuration.

   For wired deployment, the wired connection itself could be considered
   as an implicit authentication in that unwanted routers are usually
   not able to connect (i.e. there is some kind of physical security in
   place preventing the connection of rogue devices); for wireless
   deployment, the authentication could be achieved at the lower
   wireless link layer."

???
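The proposed text above makes a concrete claim: without cryptographic authentication, a single PDU that merely claims the receiver's own system-id is enough to drive the duplicate-id resolution procedure and restart the protocol. The following Python model, added here as an illustration and not part of the draft, the thread, or any IS-IS implementation, shows the receiver-side decision that the text describes. It deliberately abstracts away the IS-IS wire format: a Hello is just a system-id, a Router-Fingerprint and an optional HMAC-SHA256 tag (assumed layout), and the resolution procedure is modelled only as "pick a fresh system-id and restart" without the draft's real tie-break rules. The point it demonstrates is the one the revised Security Section makes: the authentication check is what stands between an unauthenticated duplicate-id claim and a restart, and a failed check on such a PDU is a useful detection event in its own right.

```python
import hmac
import hashlib
import os
from dataclasses import dataclass, field
from typing import List, Optional


# Constructed, simplified model of a Hello PDU: the sender's 6-byte system-id,
# its Router-Fingerprint, and optionally an HMAC-SHA256 tag. This is NOT the
# IS-IS wire encoding (no TLVs, no RFC 5310 authentication TLV); only the
# receiver's decision logic is modelled.
@dataclass
class Hello:
    system_id: bytes
    fingerprint: bytes
    auth: Optional[bytes] = None


def auth_tag(key: bytes, system_id: bytes, fingerprint: bytes) -> bytes:
    """HMAC over the two fields the receiver acts on (assumed layout)."""
    return hmac.new(key, system_id + fingerprint, hashlib.sha256).digest()


@dataclass
class Router:
    system_id: bytes
    fingerprint: bytes
    key: Optional[bytes] = None      # None models a purely auto-configured router
    restarts: int = 0
    log: List[str] = field(default_factory=list)

    def receive(self, pdu: Hello) -> str:
        """Return what the router did with the PDU: 'dropped', 'restarted' or 'accepted'."""
        if self.key is not None:
            expected = auth_tag(self.key, pdu.system_id, pdu.fingerprint)
            if pdu.auth is None or not hmac.compare_digest(expected, pdu.auth):
                # Detection hook: an authentication failure on a Hello that
                # claims our own system-id deserves an alert, not just a counter.
                self.log.append(
                    "auth failure on Hello claiming system-id %s" % pdu.system_id.hex())
                return "dropped"
        if pdu.system_id == self.system_id and pdu.fingerprint != self.fingerprint:
            # Same system-id, different fingerprint: a duplicate. The draft's
            # resolution procedure is modelled here simply as choosing a fresh
            # system-id and restarting; the real tie-break rules are not reproduced.
            self.log.append(
                "duplicate system-id %s detected, restarting" % self.system_id.hex())
            self.system_id = os.urandom(6)
            self.restarts += 1
            return "restarted"
        return "accepted"


def demo() -> dict:
    """Run the three cases the revised text implies and return the outcomes."""
    sid = bytes.fromhex("0000000000aa")            # constructed system-id
    fp = b"fingerprint-of-this-router"             # constructed fingerprint
    # Constructed unauthenticated Hello that merely claims our system-id.
    claim = Hello(system_id=sid, fingerprint=b"some-other-fingerprint")

    unauth = Router(system_id=sid, fingerprint=fp)
    r1 = unauth.receive(claim)        # no key: the bare claim triggers a restart

    key = b"key-provisioned-out-of-band"           # constructed shared key
    keyed = Router(system_id=sid, fingerprint=fp, key=key)
    r2 = keyed.receive(claim)         # keyed: same PDU is dropped and logged

    honest_fp = b"honest-peer-with-same-id"
    genuine = Hello(sid, honest_fp, auth=auth_tag(key, sid, honest_fp))
    r3 = keyed.receive(genuine)       # keyed: a real duplicate still resolves

    return {
        "unauth": r1,
        "claim_vs_keyed": r2,
        "genuine_vs_keyed": r3,
        "unauth_restarts": unauth.restarts,
        "keyed_restarts": keyed.restarts,
        "auth_failures": sum(1 for line in keyed.log if line.startswith("auth failure")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The model also makes the draft's trade-off visible: the keyed router only behaves better because a key exists, which is exactly the manual configuration the text says auto-configuration tries to avoid; where that key cannot be supplied, the wired or wireless link-layer controls the text mentions are what keeps the unauthenticated claim off the link in the first place.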