Re: [lisp] John Scudder's No Objection on draft-ietf-lisp-6834bis-14: (with COMMENT)

Luigi Iannone <ggx@gigix.net> Mon, 27 June 2022 12:59 UTC

From: Luigi Iannone <ggx@gigix.net>
In-Reply-To: <165610536126.20275.13817451965254420727@ietfa.amsl.com>
Date: Mon, 27 Jun 2022 14:59:45 +0200
Cc: The IESG <iesg@ietf.org>, draft-ietf-lisp-6834bis@ietf.org, lisp-chairs@ietf.org, lisp@ietf.org, Padma Pillay-Esnault <padma.ietf@gmail.com>
Message-Id: <147B734A-BD27-4D02-B460-D42F1141454B@gigix.net>
References: <165610536126.20275.13817451965254420727@ietfa.amsl.com>
To: John Scudder <jgs@juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/3JUR7_EcU5WGKTFV7Nh4D4LNrTo>
Subject: Re: [lisp] John Scudder's No Objection on draft-ietf-lisp-6834bis-14: (with COMMENT)

Thanks John,

I’ll fix the nits.

Ciao

L.


> On 24 Jun 2022, at 23:16, John Scudder via Datatracker <noreply@ietf.org> wrote:
> 
> John Scudder has entered the following ballot position for
> draft-ietf-lisp-6834bis-14: No Objection
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
> for more information about how to handle DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-lisp-6834bis/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thanks for the detailed discussion and the updates. I've cleared my DISCUSS.
> I'm not going to reply to the various individual messages because the net of
> the whole thing is "LGTM".
> 
> A few small nits on -14:
> 
> 1. §A.1:
> 
>   The ETR checks only the Dest Map-Version number, ignoring the Source
>   Map-Version number as specified in the final sentence of Section 7.2,
>   ignoring the Source Map-Version number.
> 
> The source map-version number is getting double ignored, it must feel sad. :-)
> Probably should be:
> 
>   The ETR checks only the Dest Map-Version number, ignoring the Source
>   Map-Version number as specified in the final sentence of Section 7.2.
> 
> 2. §A.2:
> 
>   Map-Versioning is compatible with the LISP interworking between LISP
>   and non-LISP sites as defined in [RFC6832].  LISP interworking
>   defines three techniques to allow communication LISP sites and non-
> 
> Insert "between" between "communication" and "LISP sites", so:
> 
>   Map-Versioning is compatible with the LISP interworking between LISP
>   and non-LISP sites as defined in [RFC6832].  LISP interworking
>   defines three techniques to allow communication between LISP sites and non-
> 
> --
> 
> Original DISCUSS:
> 
> This spec makes liberal use of the approach of dropping any packet received
> with an unloved Map-Version number, for example (but not limited to)
> 
>   2.  The packet arrives with a Dest Map-Version number newer (as
>       defined in Section 6) than the one stored in the EID-to-RLOC
>       Database.  Since the ETR is authoritative on the mapping, meaning
>       that the Map-Version number of its mapping is the correct one,
>       this implies that someone is not behaving correctly with respect
>       to the specifications.  In this case, the packet carries a
>       version number that is not valid and packet MUST be silently
>       dropped.
> 
> Isn’t it the case that by definition the packet has arrived at a valid ETR for
> the mapping (since as the text says, “the ETR is authoritative”)? Isn’t the
> map-version more in the nature of a hint than a critical-for-correctness field?
> What bad behavior is being protected against by silently dropping this traffic,
> that has arrived at a correct endpoint albeit with an incorrect hint?
> 
> At various points in the document there's a kind of vague assertion that
> incorrect map-versions could be an attack. While I don't deny that, the
> assertion isn't supported or elaborated on anywhere that I saw, which is
> worrying and also makes it less convincing. Shouldn't the Security
> Considerations talk about this? I did also go have a look at the Security
> Considerations in draft-ietf-lisp-rfc6833bis-31, which also didn't help me. RFC
> 7835 §3.3 does touch on this, suggesting that maybe an attacker could use a
> spoofed Map-Version to trigger a DoS attack. But this, too, is an unsatisfying
> rationale, since as you take pains to point out, rate limiting of Map-Requests
> and such is required. Furthermore, if triggering Map-Requests is the concern,
> couldn't the packet still be delivered, without triggering a Map-Request?
> 
> When this was an Experimental protocol this kind of thing was probably less
> crucial to justify and explain, but I would have expected the experiment to
> produce results that could be fed into this document. At the moment, the "drop
> any packet that doesn't comply with expectations" design feels arbitrary and
> potentially brittle. I would appreciate some discussion of this design choice,
> thanks in advance.
> 
> (I do acknowledge that security matters can be subtle, and I'm not a SEC AD
> after all... but all the more reason for the document to be explicit about what
> the security concerns are instead of just gesturing toward them and leaving the
> reader to guess.)
> 
> Original COMMENT:
> 
> I support Roman Danyliw's DISCUSS position.
> 
> I have a number of further questions and comments --
> 
> 1. In §6.1:
> 
>           If an ETR receives LISP-encapsulated packets with the V-bit
>   set, when the original mapping in the EID-to-RLOC Database has the
>   version number set to the Null Map-Version value, then those packets
>   MUST be silently dropped.
> 
> What does “original” mean in this context? Couldn’t the mapping in the db once
> have had a value but in a later revision, had its value changed to the null
> value? Presumably in such a situation packets would be lost until the ITR
> decided to issue a new map-request.
> 
> 2. In §7.1 (3):
> 
>                                                    According to rate
>       limitation policy defined in [I-D.ietf-lisp-rfc6833bis] for Map-
>       Request messages, after 10 retries Map-Requests are sent every 30
>       seconds, if in the meantime the Dest Map-Version number in the
>       packets is not updated, the ETR SHOULD drop packets with a stale
>       Map-Version number.
> 
> What exactly is “the meantime”? Does that mean “after 10 retries”? After 30
> seconds? Basically, what precisely is the grace period the ITR has to come into
> compliance before being blocked? This seems important to be clear
> about -- even if the clarity is in the form of "it's implementation-dependent".
> 
> 3. In §7.1, final paragraph:
> 
>   LISP-encapsulated packets cannot transport a Dest Map-Version number
>   equal to the Null Map-Version number, because in this case the ETR is
>   signaling that Map-Version numbers are not used for the mapping of
>   the destination EID (see Section 6.1).
> 
> Considering that the Null Map-Version number is just the distinguished value 0,
> the first clause is prima facie wrong -- it's possible to encode 0 in that
> field. I think what you mean is something more along the lines of
> 
>   It is a protocol violation for LISP-encapsulated packets to contain a
>   Dest Map-Version number equal to the Null Map-Version number, see
>   Section 6.1.
> 
> Please don't try to explain it again in-line as you've done, it just confuses
> the reader (well, it confused me!). Instead, refer them back to the place where
> you specified the rule.
> 
> It does seem unfortunate that in this case, it's not possible to include a
> Source Map-Version number, even if that would be helpful to do, since the V bit
> is required to be set to 0 and covers both Source and Dest.
> 
> 4. §7.1 (3), nit: s/The packets arrive/The packet arrives/
> 
> 5. In §7.1 and §7.2:
> 
>                             A check on this version number SHOULD be
>   done, where the following cases can arise:
> 
> and
> 
>                             If the ETR has an entry in its EID-to-RLOC
>   Map-Cache for the source EID, then a check SHOULD be performed and
>   the following cases can arise:
> 
> What are the cases under which the check can be omitted? Please consider adding
> discussion about those cases. Alternately, consider making the SHOULD a MUST if
> there are no such cases.
> 
> 6. In §7.2:
> 
>   3.  The packet arrives with a Source Map-Version number smaller
>       (i.e., older) than the one stored in the local EID-to-RLOC Map-
>       Cache.  Such a case is not valid with respect to the
>       specifications.
> 
> The final sentence ("not valid") seems like it must be wrong: consider for
> example the case of out-of-order packets. Other scenarios also exist, such as
> transient non-synchronization between ETRs during convergence. I notice that §9
> talks about the lack of synchronization mechanisms in LISP, other than diligent
> consistency of configuration. So, I guess there's a good chance that
> "convergence" means "someone updating mapping configurations by hand" and so
> version skew could exist for human-scale periods of time. Of greatest concern
> is if "human-scale periods of time" means "hours or days" in the case where a
> mistake with operational procedures leaves the hand-configured databases on two
> ETRs out of sync with one another.
> 
> I guess a minimum fix would be to simply cut the wrong sentence and slightly
> re-word, e.g.:
> 
>   3.  The packet arrives with a Source Map-Version number smaller
>       (i.e., older) than the one stored in the local EID-to-RLOC Map-
>       Cache.  Note that if the mapping is already present in the
>       EID-to-RLOC Map-Cache, this means that an explicit Map-Request
>       has been sent and a Map-Reply has been received from an
>       authoritative source.  In this situation, the packet SHOULD be
>       silently dropped.  Operators can configure exceptions to this
>       recommendation, which are outside the scope of this document.
> 
> 7. In §7.2:
> 
>   If the ETR does not have an entry in the EID-to-RLOC Map-Cache for
>   the source EID, then the Source Map-Version number MUST be ignored.
> 
> I think it would be nice to have an xref to §A.1, where the reason for this is
> explained. Otherwise it seems rather arbitrary.
> 
> 8. In §8:
> 
> I see that in -12 you cut the text that in -11 used to say
> 
>   Map-Versioning MUST NOT be used over the public Internet and SHOULD
>   only be used in trusted and closed deployments.
> 
> I note that the requirement continues to exist however, since normative
> reference draft-ietf-lisp-rfc6830bis-38 §4.1 says
> 
>   Several of the mechanisms in this document are intended for
>   deployment in controlled, trusted environments, and are insecure for
>   use over the public Internet.  In particular, on the public internet
>   xTRs:
> ...
>   *  MUST NOT use Gleaning or Locator-Status-Bits and Map-Versioning,
>      as described in Section 13 to update the EID-to-RLOC Mappings.
>      Instead relying solely on control-plane methods.
> 
> Thus it still seems to me that the questions others raised about this
> requirement may be relevant.
> 
> So, I question whether cutting the text is the right way to fix the concerns.
> It makes sense in an Experimental document, but perhaps not in a Standards
> Track one.
> 
> 9. In §9:
> 
>   LISP requires ETRs to provide the same mapping for the same EID-
>   Prefix to a requester.
> 
> What does this mean? Same as what? I guess maybe what you mean here is "LISP
> requires multiple ETRs within the same site to provide identical mappings for a
> given EID-Prefix"? If so, please say that (or something else clearer than
> what's there now). If not, please help?
> 
> 10. In §A.1:
> 
>   The ETR checks only the Dest Map-Version number as described in
>   Section 7, ignoring the Source Map-Version number.
> 
> I would rewrite as
> 
>   The ETR checks only the Dest Map-Version number,
>   ignoring the Source Map-Version number as specified in
>   the final sentence of Section 7.
> 
> 11. In §A.2:
> 
>                                                LISP interworking
>   defines three techniques to make LISP sites and non-LISP sites,
>   namely Proxy-ITR, LISP-NAT, and Proxy-ETR.
> 
> This isn't a complete sentence. I guess what you mean is something like "LISP
> interworking defines three techniques to allow communication between LISP and
> non-LISP sites"?
> 
> 12. In §A.2.1:
> 
>   With this setup, LISP Domain A is able to check whether the PITR is
>   using the latest mapping.
> 
> First, how does Domain A check this? Second, the latest mapping for what? I
> suppose you might mean something like "Domain A is able to check whether the
> PITR is using the latest mapping for the destination EID, by inspecting the
> Destination Map-Version as detailed in Section 7.1"?
> 
> 13. In §A.2.3:
> 
>   With this setup, the Proxy-ETR, by looking at the Source Map-Version
>   Number, is able to check whether the mapping has changed.
> 
> Again, what mapping, and how? I guess it must be the source EID. (The version
> 12 text, which I've quoted here, makes that clearer, although it would still be
> even clearer to write "... check whether the Source EID-to-RLOC mapping has
> changed.") Why does the ETR care about that? I guess there's the assumption it
> might be an ITR/ETR passing traffic bidirectionally, in which case the source
> EID might be useful, but if that's the reason then some words to that effect
> would help.
> 
> 
>
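The ETR-side checks debated in the ballot above (the Dest Map-Version cases of Section 7.1, the Null Map-Version rule of Section 6.1, the Source Map-Version handling of Section 7.2, and the rate-limited Map-Requests sent towards a stale ITR) can be laid out as a small decision model. The Python below is an added example written for this archive page; it is not code from the draft, from the LISP working group, or from either correspondent. It assumes 12-bit Map-Version numbers compared with wrap-around (the precise rule is in Section 6 of the draft, which the thread does not quote), makes the "meantime" grace period that the COMMENT asks about an explicit retry budget, treats a packet for an EID the ETR is not authoritative for as dropped, forwards a packet whose Source Map-Version is newer than the Map-Cache while refreshing that cache, and carries the operator exception from the suggested Section 7.2 text as a flag. All prefixes, versions and packets are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum

# Constructed model of the ETR checks quoted in the ballot; not the draft's own code.
# Assumption: Map-Version numbers are 12-bit values compared with wrap-around.
NULL_MAP_VERSION = 0
MODULUS = 1 << 12
HALF = MODULUS // 2
MAP_REQUEST_RETRIES = 10     # quoted rate-limitation policy: 10 retries, ...
MAP_REQUEST_INTERVAL = 30.0  # ... then one Map-Request every 30 seconds


class Action(Enum):
    FORWARD = "forward"
    DROP = "drop"


def is_newer(a: int, b: int) -> bool:
    """True when Map-Version a is newer than b under wrap-around comparison."""
    return a != b and (a - b) % MODULUS < HALF


@dataclass
class RequestState:
    retries: int = 0
    last_sent: float = float("-inf")


@dataclass
class Etr:
    database: dict                                  # authoritative: dest EID-prefix -> version
    map_cache: dict = field(default_factory=dict)   # source EID-prefix -> version from Map-Reply
    accept_older_source: bool = False               # operator exception (suggested 7.2 text)
    requests: dict = field(default_factory=dict)
    sent: list = field(default_factory=list)        # (time, key) of Map-Requests actually sent

    def _map_request(self, key, now: float) -> bool:
        """Send a Map-Request unless the rate-limitation policy forbids it."""
        st = self.requests.setdefault(key, RequestState())
        if st.retries < MAP_REQUEST_RETRIES or now - st.last_sent >= MAP_REQUEST_INTERVAL:
            st.retries += 1
            st.last_sent = now
            self.sent.append((now, key))
            return True
        return False

    def check_dest(self, dest_eid, dest_version, v_bit, itr_rloc, now=0.0):
        """Section 7.1 (and 6.1) handling of the Dest Map-Version number."""
        auth = self.database.get(dest_eid)
        if auth is None:
            return Action.DROP, "ETR is not authoritative for this EID (modelling choice)"
        if not v_bit:
            return Action.FORWARD, "no Map-Version numbers in the packet"
        if auth == NULL_MAP_VERSION:
            return Action.DROP, "Section 6.1: V-bit set but mapping uses the Null Map-Version"
        if dest_version == NULL_MAP_VERSION:
            return Action.DROP, "Section 7.1: Null Dest Map-Version is a protocol violation"
        if dest_version == auth:
            return Action.FORWARD, "case 1: Dest Map-Version matches"
        if is_newer(dest_version, auth):
            return Action.DROP, "case 2: Dest Map-Version newer than the authoritative one"
        # Case 3, stale ITR. The "meantime" is made explicit: forward while the retry
        # budget lasts, drop once it is exhausted (interpretation, not the draft's words).
        key = (itr_rloc, dest_eid)
        exhausted = self.requests.setdefault(key, RequestState()).retries >= MAP_REQUEST_RETRIES
        self._map_request(key, now)
        if exhausted:
            return Action.DROP, "case 3: still stale after the Map-Request retries"
        return Action.FORWARD, "case 3: stale, Map-Request sent to the ITR"

    def check_source(self, src_eid, src_version, v_bit, now=0.0):
        """Section 7.2 handling of the Source Map-Version number."""
        cached = self.map_cache.get(src_eid)
        if not v_bit or cached in (None, NULL_MAP_VERSION):
            return Action.FORWARD, "Section 7.2: no Map-Cache entry, Source Map-Version ignored"
        if src_version == cached:
            return Action.FORWARD, "case 1: Source Map-Version matches"
        if is_newer(src_version, cached):
            self._map_request(("cache", src_eid), now)  # refresh our own cache (assumption)
            return Action.FORWARD, "case 2: Map-Cache stale, Map-Request sent"
        if self.accept_older_source:
            return Action.FORWARD, "case 3: older, accepted by operator exception"
        return Action.DROP, "case 3: older than the Map-Reply from the authoritative source"


def run_scenarios():
    """Constructed packets exercising each branch; returns {label: result}."""
    etr = Etr(database={"10.0.0.0/8": 7, "198.51.100.0/24": 4095, "203.0.113.0/24": 0},
              map_cache={"192.0.2.0/24": 12})
    itr = "192.0.2.1"
    out = {"match": etr.check_dest("10.0.0.0/8", 7, True, itr)[0],
           "newer": etr.check_dest("10.0.0.0/8", 8, True, itr)[0],
           "wrap_newer": etr.check_dest("198.51.100.0/24", 1, True, itr)[0],
           "null_dest": etr.check_dest("10.0.0.0/8", 0, True, itr)[0],
           "null_mapping_vbit": etr.check_dest("203.0.113.0/24", 3, True, itr)[0],
           "null_mapping_no_vbit": etr.check_dest("203.0.113.0/24", 0, False, itr)[0]}
    stale = [etr.check_dest("10.0.0.0/8", 6, True, itr, now=0.0)[0] for _ in range(12)]
    out["stale_first_10"] = stale[:10].count(Action.FORWARD)
    out["stale_after_10"] = stale[10:].count(Action.DROP)
    out["stale_later"] = etr.check_dest("10.0.0.0/8", 6, True, itr, now=31.0)[0]
    out["map_requests_to_itr"] = sum(1 for _, k in etr.sent if k == (itr, "10.0.0.0/8"))
    out["src_uncached"] = etr.check_source("172.16.0.0/12", 5, True)[0]
    out["src_match"] = etr.check_source("192.0.2.0/24", 12, True)[0]
    out["src_newer"] = etr.check_source("192.0.2.0/24", 13, True)[0]
    out["src_older"] = etr.check_source("192.0.2.0/24", 11, True)[0]
    etr.accept_older_source = True
    out["src_older_exception"] = etr.check_source("192.0.2.0/24", 11, True)[0]
    return out


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label:22} {result}")
```

Running `run_scenarios()` makes the two ballot points concrete: a stale ITR keeps getting traffic for exactly the retry budget and is cut off afterwards, with further Map-Requests only every 30 seconds, and a single out-of-order packet carrying an older Source Map-Version is dropped unless the operator exception is switched on.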