Re: [lisp] John Scudder's No Objection on draft-ietf-lisp-6834bis-14: (with COMMENT)
Luigi Iannone <ggx@gigix.net> Mon, 27 June 2022 12:59 UTC
Return-Path: <ggx@gigix.net>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8D1BC14F72A for <lisp@ietfa.amsl.com>; Mon, 27 Jun 2022 05:59:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gigix-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zqNm5IeLfNsa for <lisp@ietfa.amsl.com>; Mon, 27 Jun 2022 05:59:50 -0700 (PDT)
Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF960C15A75D for <lisp@ietf.org>; Mon, 27 Jun 2022 05:59:49 -0700 (PDT)
Received: by mail-wr1-x429.google.com with SMTP id w17so12948442wrg.7 for <lisp@ietf.org>; Mon, 27 Jun 2022 05:59:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gigix-net.20210112.gappssmtp.com; s=20210112; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=FpirWxtgRENMNaj0sjxJ7WN+Jpd/TtwQpPlAb6fq1hw=; b=HSrsg01cewwNfzCaqLyqwKKv8WcX+ytFd9TWvAvhiFstHAadH/sxREem5Xl6ax0Km6 lMKxgFwdrFGjzZIs4WBg8m3dvUFnKnv0DmJSimk7bnAezdj6UVuOvkTGBCb/tgULdWmA XYZH2H6DXHVuaTB1GD9LjhhR7JapGbBgn+zpuXv0ATaAmFb/c+eK9AKEG3yqC5UkkQPp KlxXfTq7fyPVQ1MZ0oi4ldUGyg9/22UV3psE03z+Pm6/sfVPlrN7FbyFrmRuz3cJxnls dieXMm3pCKq+OywCn3P3sZy6GJonGqLz7oYKJmDToBtVp34DDJa6YtAIJuPOv9bYxjxv /Ebw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=FpirWxtgRENMNaj0sjxJ7WN+Jpd/TtwQpPlAb6fq1hw=; b=0M0a6quFkHeJQVb8DgEG8AyOeMYg2sBeGOFVaRfGaz4aft2jDqabUY//VM6zm/jr2g zG+XcI+LjHj9UKAjnvrvysVPlRwyzavzD/pavhTw8/kafoVVM+DVuieij2ZKJeWNX8Ra RDaGG29274j3gC1Ukjm1eGMg0AJPFDZMXzAR/YrDtYMYiT4uqqy5khqJnN0HD4P2e+0W 0AArdtS1SDJU2BHLJRGUU9+GCtP+lO1P+K70HBvdfYzJ3c6FxciAWa/6RwyBKbzRfSF8 DmPC5kNxn7CsBYYGsZDr6doNzBzb1Df9Rmo7aGUebWPWO7HPKLyzkwUrmQlWfXuhTDYD SnIg==
X-Gm-Message-State: AJIora+T+MzoFw7OAc/db27l0wD5UEbYj0HlSPXfAadkve0mwMQO7bCs ID53i/dyytI4HggHp+SAZeJOvw==
X-Google-Smtp-Source: AGRyM1ukioXIkhiBFy/6TjonPxa6lZucjbTMcV/BjsFU7MC6SYYogNsxccltkEDTwgA9Rh+RgbdBsw==
X-Received: by 2002:a5d:4b04:0:b0:21b:8640:273f with SMTP id v4-20020a5d4b04000000b0021b8640273fmr12179647wrq.195.1656334787771; Mon, 27 Jun 2022 05:59:47 -0700 (PDT)
Received: from smtpclient.apple ([37.167.167.94]) by smtp.gmail.com with ESMTPSA id o42-20020a05600c512a00b0039c5cecf206sm13931235wms.4.2022.06.27.05.59.46 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 27 Jun 2022 05:59:47 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
From: Luigi Iannone <ggx@gigix.net>
In-Reply-To: <165610536126.20275.13817451965254420727@ietfa.amsl.com>
Date: Mon, 27 Jun 2022 14:59:45 +0200
Cc: The IESG <iesg@ietf.org>, draft-ietf-lisp-6834bis@ietf.org, lisp-chairs@ietf.org, lisp@ietf.org, Padma Pillay-Esnault <padma.ietf@gmail.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <147B734A-BD27-4D02-B460-D42F1141454B@gigix.net>
References: <165610536126.20275.13817451965254420727@ietfa.amsl.com>
To: John Scudder <jgs@juniper.net>
X-Mailer: Apple Mail (2.3696.100.31)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/3JUR7_EcU5WGKTFV7Nh4D4LNrTo>
Subject: Re: [lisp] John Scudder's No Objection on draft-ietf-lisp-6834bis-14: (with COMMENT)
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jun 2022 12:59:53 -0000
Thanks John, I’ll fix the nits. Ciao L. > On 24 Jun 2022, at 23:16, John Scudder via Datatracker <noreply@ietf.org> wrote: > > John Scudder has entered the following ballot position for > draft-ietf-lisp-6834bis-14: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-lisp-6834bis/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thanks for the detailed discussion and the updates. I've cleared my DISCUSS. > I'm not going to reply to the various individual messages because the net of > the whole thing is "LGTM". > > A few small nits on -14: > > 1. §A.1: > > The ETR checks only the Dest Map-Version number, ignoring the Source > Map-Version number as specified in the final sentence of Section 7.2, > ignoring the Source Map-Version number. > > The source map-version number is getting double ignored, it must feel sad. :-) > Probably should be: > > The ETR checks only the Dest Map-Version number, ignoring the Source > Map-Version number as specified in the final sentence of Section 7.2. > > 2. §A.2: > > Map-Versioning is compatible with the LISP interworking between LISP > and non-LISP sites as defined in [RFC6832]. LISP interworking > defines three techniques to allow communication LISP sites and non- > > Insert "between" between "communication" and "LISP sites", so: > > Map-Versioning is compatible with the LISP interworking between LISP > and non-LISP sites as defined in [RFC6832]. LISP interworking > defines three techniques to allow communication between LISP sites and non- > > -- > > Original DISCUSS: > > This spec makes liberal use of the approach of dropping any packet received > with an unloved Map-Version number, for example (but not limited to) > > 2. The packet arrives with a Dest Map-Version number newer (as > defined in Section 6) than the one stored in the EID-to-RLOC > Database. Since the ETR is authoritative on the mapping, meaning > that the Map-Version number of its mapping is the correct one, > this implies that someone is not behaving correctly with respect > to the specifications. In this case, the packet carries a > version number that is not valid and packet MUST be silently > dropped. > > Isn’t it the case that by definition the packet has arrived at a valid ETR for > the mapping (since as the text says, “the ETR is authoritative”)? Isn’t the > map-version more in the nature of a hint than a critical-for-correctness field? > What bad behavior is being protected against by silently dropping this traffic, > that has arrived at a correct endpoint albeit with an incorrect hint? > > At various points in the document there's a kind of vague assertion that > incorrect map-versions could be an attack. While I don't deny that, the > assertion isn't supported or elaborated on anywhere that I saw, which is > worrying and also makes it less convincing. Shouldn't the Security > Considerations talk about this? I did also go have a look at the Security > Considerations in draft-ietf-lisp-rfc6833bis-31, which also didn't help me. RFC > 7835 §3.3 does touch on this, suggesting that maybe an attacker could use a > spoofed Map-Version to trigger a DoS attack. But this, too, is an unsatisfying > rationale, since as you take pains to point out, rate limiting of Map-Requests > and such is required. Furthermore, if triggering Map-Requests is the concern, > couldn't the packet still be delivered, without triggering a Map-Request? > > When this was an Experimental protocol this kind of thing was probably less > crucial to justify and explain, but I would have expected the experiment to > produce results that could be fed into this document. At the moment, the "drop > any packet that doesn't comply with expectations" design feels arbitrary and > potentially brittle. I would appreciate some discussion of this design choice, > thanks in advance. > > (I do acknowledge that security matters can be subtle, and I'm not a SEC AD > after all... but all the more reason for the document to be explicit about what > the security concerns are instead of just gesturing toward them and leaving the > reader to guess.) > > Original COMMENT: > > I support Roman Danyliw's DISCUSS position. > > I have a number of further questions and comments -- > > 1. In §6.1: > > If an ETR receives LISP-encapsulated packets with the V-bit > set, when the original mapping in the EID-to-RLOC Database has the > version number set to the Null Map-Version value, then those packets > MUST be silently dropped. > > What does “original” mean in this context? Couldn’t the mapping in the db once > have had a value but in a later revision, had its value changed to the null > value? Presumably in such a situation packets would be lost until the ITR > decided to issue a new map-request. > > 2. In §7.1 (3): > > According to rate > limitation policy defined in [I-D.ietf-lisp-rfc6833bis] for Map- > Request messages, after 10 retries Map-Requests are sent every 30 > seconds, if in the meantime the Dest Map-Version number in the > packets is not updated, the ETR SHOULD drop packets with a stale > Map-Version number. > > What exactly is “the meantime”? Does that mean “after 10 retries”? After 30 > seconds? Basically, what precisely is the grace period extended to the ITR have > to come into compliance before being blocked? This seems important to be clear > about -- even if the clarity is in the form of "it's implementation-dependent". > > 3. In §7.1, final paragraph: > > LISP-encapsulated packets cannot transport a Dest Map-Version number > equal to the Null Map-Version number, because in this case the ETR is > signaling that Map-Version numbers are not used for the mapping of > the destination EID (see Section 6.1). > > Considering that the Null Map-Version number is just the distinguished value 0, > the first clause is prima facie wrong -- it's possible to encode 0 in that > field. I think what you mean is something more along the lines of > > It is a protocol violation for LISP-encapsulated packets to contain a > Dest Map-Version number equal to the Null Map-Version number, see > Section 6.1. > > Please don't try to explain it again in-line as you've done, it just confuses > the reader (well, it confused me!). Instead, refer them back to the place where > you specified the rule. > > It does seem unfortunate that in this case, it's not possible to include a > Source Map-Version number, even if that would be helpful to do, since the V bit > is required to be set to 0 and covers both Source and Dest. > > 4. §7.1 (3), nit: s/The packets arrive/The packet arrives/ > > 5. In §7.1 and §7.2: > > A check on this version number SHOULD be > done, where the following cases can arise: > > and > > If the ETR has an entry in its EID-to-RLOC > Map-Cache for the source EID, then a check SHOULD be performed and > the following cases can arise: > > What are the cases under which the check can be omitted? Please consider adding > discussion about those cases. Alternately, consider making the SHOULD a MUST if > there are no such cases. > > 6. In §7.2: > > 3. The packet arrives with a Source Map-Version number smaller > (i.e., older) than the one stored in the local EID-to-RLOC Map- > Cache. Such a case is not valid with respect to the > specifications. > > The final sentence ("not valid") seems like it must be wrong: consider for > example the case of out-of-order packets. Other scenarios also exist, such as > transient non-synchronization between ETRs during convergence. I notice that §9 > talks about the lack of synchronization mechanisms in LISP, other than diligent > consistency of configuration. So, I guess there's a good chance that > "convergence" means "someone updating mapping configurations by hand" and so > version skew could exist for human-scale periods of time. Of greatest concern > is if "human-scale periods of time" means "hours or days" in the case where a > mistake with operational procedures leaves the hand-configured databases on two > ETRs out of sync with one another. > > I guess a minimum fix would be to simply cut the wrong sentence and slightly > re-word, e.g.: > > 3. The packet arrives with a Source Map-Version number smaller > (i.e., older) than the one stored in the local EID-to-RLOC Map- > Cache. Note that if the mapping is already present in the > EID-to-RLOC Map-Cache, this means that an explicit Map-Request > has been sent and a Map-Reply has been received from an > authoritative source. In this situation, the packet SHOULD be > silently dropped. Operators can configure exceptions to this > recommendation, which are outside the scope of this document. > > 7. In §7.2: > > If the ETR does not have an entry in the EID-to-RLOC Map-Cache for > the source EID, then the Source Map-Version number MUST be ignored. > > I think it would be nice to have an xref to §A.1, where the reason for this is > explained. Otherwise it seems rather arbitrary. > > 8. In §8: > > I see that in -12 you cut the text that in -11 used to say > > Map-Versioning MUST NOT be used over the public Internet and SHOULD > only be used in trusted and closed deployments. > > I note that the requirement continues to exist however, since normative > reference draft-ietf-lisp-rfc6830bis-38 §4.1 says > > Several of the mechanisms in this document are intended for > deployment in controlled, trusted environments, and are insecure for > use over the public Internet. In particular, on the public internet > xTRs: > ... > * MUST NOT use Gleaning or Locator-Status-Bits and Map-Versioning, > as described in Section 13 to update the EID-to-RLOC Mappings. > Instead relying solely on control-plane methods. > > Thus it still seems to me that the questions others raised about this > requirement may be relevant. > > So, I question whether cutting the text is the right way to fix the concerns. > It makes sense in an Experimental document, but perhaps not in a Standards > Track one. > > 9. In §9: > > LISP requires ETRs to provide the same mapping for the same EID- > Prefix to a requester. > > What does this mean? Same as what? I guess maybe what you mean here is "LISP > requires multiple ETRs within the same site to provide identical mappings for a > given EID-Prefix"? If so, please say that (or something else clearer than > what's there now). If not, please help? > > 10. In §A.1: > > The ETR checks only the Dest Map-Version number as described in > Section 7, ignoring the Source Map-Version number. > > I would rewrite as > > The ETR checks only the Dest Map-Version number, > ignoring the Source Map-Version number as specified in > the final sentence of Section 7,. > > 11. In §A.2: > > LISP interworking > defines three techniques to make LISP sites and non-LISP sites, > namely Proxy-ITR, LISP-NAT, and Proxy-ETR. > > This isn't a complete sentence. I guess what you mean is something like "LISP > interworking defines three techniques to allow communication between LISP and > non-LISP sites"? > > 12. In §A.2.1: > > With this setup, LISP Domain A is able to check whether the PITR is > using the latest mapping. > > First, how does Domain A check this? Second, the latest mapping for what? I > suppose you might mean something like "Domain A is able to check whether the > PITR is using the latest mapping for the destination EID, by inspecting the > Destination Map-Version as detailed in Section 7.1"? > > 13. In §A.2.3: > > With this setup, the Proxy-ETR, by looking at the Source Map-Version > Number, is able to check whether the mapping has changed. > > Again, what mapping, and how? I guess it must be the source EID. (The version > 12 text, which I've quoted here, makes that clearer, although it would still be > even clearer to write "... check whether the Source EID-to-RLOC mapping has > changed.") Why does the ETR care about that? I guess there's the assumption it > might be an ITR/ETR passing traffic bidirectionally, in which case the source > EID might be useful, but if that's the reason then some words to that effect > would help. > > >
- [lisp] John Scudder's No Objection on draft-ietf-… John Scudder via Datatracker
- Re: [lisp] John Scudder's No Objection on draft-i… Luigi Iannone