IETF Logo Mail Archive

Re: [lisp] Last Call SECDIR Review of draft-ietf-lisp-6834bis-11

Donald Eastlake <d3e3e3@gmail.com> Thu, 02 June 2022 02:49 UTC

Return-Path: <d3e3e3@gmail.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4A0EC15AAC2; Wed, 1 Jun 2022 19:49:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.856
X-Spam-Level:
X-Spam-Status: No, score=-1.856 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cF3iLRa32QUH; Wed, 1 Jun 2022 19:49:13 -0700 (PDT)
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AC07C15AAC1; Wed, 1 Jun 2022 19:49:13 -0700 (PDT)
Received: by mail-lf1-x130.google.com with SMTP id y32so5691739lfa.6; Wed, 01 Jun 2022 19:49:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=QPWQvl3Sx4xKShyvBFZsO3DvC8yj4DXFFsHHCb4/JeM=; b=WdZ3N1FqBiy6c8IOhGjoau5Y3JCUbOEJcj08RUm4SAJ82d2vMsxVW6IFxHe1VDBA4n VA9Xp5gzfEkN64PDT+PR63/1i9PpwJXMrQtrVU7lPBu+EMCb9zEESfXCz7g6DsoSapSg kKOpJeEZ1jvhsnH84QgOEztsR3huTrGXH/m+9qH1RUT4lsSdYU3WDI3P9fGgCR/YXe4h irJtQwXYaq9jye45z+ODOX9KXpDUNAzOe2CpzJWwetVrWlQnH13SVheQdX7DMvCo2o/8 NIEqDpfw+4/E8KFHoeufs1HQAeG1rlXEkm3sGLeROUkIM6uOl93ra0pev9cgVrvlUDkw P3zw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QPWQvl3Sx4xKShyvBFZsO3DvC8yj4DXFFsHHCb4/JeM=; b=wdB0ddH9T6N9gVh3VD4FzfQnFY3mfOARFvF+36ZntdKTY/lNjA4HDwOTY43zRG/9k9 urnSsHs0s1o8Dw+55HvAm9qr0FcUTP5DYh3wA6chn4s7eV63Hyf7MnRHir+tdx/8GxeQ Tx2O6pQPxB5T/WwqNVKY5gPmYvMThZM4mbTQISiNx6Eh0ygi7dTIf6765yhIAZK4/gku VFC01E434aAQCA3j7HD496J3IzADXdsP5BOpQRYd+689ASg90scJ6qGyJDmxsVTl/uMx O6oNrbvHSwqBaufWsnBKumuMe9WOZ8FMySljiCUUwv3BcJFBw5dw4P10WJjPaImRgGV4 Eq+A==
X-Gm-Message-State: AOAM532tVYReFdEGSK91kFtOf0Rqp29JtvmM9DXamA2hP7vGDdKDSKx4 CTDXDXzvGAWivJ8kQE4aMSHYLBZ4h61L0xsaaXNaFwQmifA=
X-Google-Smtp-Source: ABdhPJz3kO+Iqq81JKluVz84Bp95lb4d7WoSHKk1Njw5kEGYtSY1Lv92WMa5qqWRTaK0G9Pc7gMvNl+9JySL8jQ7inU=
X-Received: by 2002:a05:6512:ea8:b0:479:8e3:df22 with SMTP id bi40-20020a0565120ea800b0047908e3df22mr1838615lfb.43.1654138151687; Wed, 01 Jun 2022 19:49:11 -0700 (PDT)
MIME-Version: 1.0
References: <CAF4+nEE0UrAhSkUzbWbaoZKvHE_LFs6zmbda3nie=M-EN-XDeg@mail.gmail.com> <542A2E95-C536-43A3-B500-A85D76A62579@gigix.net> <CAF4+nEFHzKCgLBWMT2-WTO0T0vgxpYV1bndsz4HofNKvpYt-2w@mail.gmail.com> <D37B519F-D27B-4584-ADF9-3414968E657A@gigix.net> <B6EE0E97-7590-4355-9E66-28F22958B720@gigix.net>
In-Reply-To: <B6EE0E97-7590-4355-9E66-28F22958B720@gigix.net>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Wed, 01 Jun 2022 22:49:00 -0400
Message-ID: <CAF4+nEEHBpqoBxQT57MqykPunB7gjDOUsYQx4uxnXpPsyFzJkQ@mail.gmail.com>
To: Luigi Iannone <ggx@gigix.net>
Cc: "iesg@ietf.org" <iesg@ietf.org>, secdir <secdir@ietf.org>, Last Call <last-call@ietf.org>, draft-ietf-lisp-6834bis.all@ietf.org, "lisp@ietf.org list" <lisp@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f0d98e05e06e0c1d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/5HjTh_ZaOGiQMZTEbA9zmubwLp0>
Subject: Re: [lisp] Last Call SECDIR Review of draft-ietf-lisp-6834bis-11
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jun 2022 02:49:15 -0000

Hi Luigi,

I think -12 is pretty good. The change suggested by Alvaro should be
included. And I think the last sentence in Section A.3 in -12 should
probably be a separate paragraph and the start should be "Note that ..."
rather than "To be noted that ...". With those changes, I am OK with the
draft.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 2386 Panoramic Circle, Apopka, FL 32703 USA
 d3e3e3@gmail.com


On Wed, Jun 1, 2022 at 8:16 AM Luigi Iannone <ggx@gigix.net> wrote:

> Hi Donald,
>
> A new revision of the drafts has been submitted.
> Here is the link to the rfcdiff:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-lisp-6834bis-12.txt
>
> Let  me know if this revision does not address your concerns.
>
> Thanks
>
> Ciao
>
> L.
>
> On 1 Jun 2022, at 10:45, Luigi Iannone <ggx@gigix.net> wrote:
>
>
>
> On 1 Jun 2022, at 05:29, Donald Eastlake <d3e3e3@gmail.com> wrote:
>
> See below at <de>
>
> On Mon, May 30, 2022 at 9:32 AM Luigi Iannone <ggx@gigix.net> wrote:
>
>> Hi Donald,
>>
>> Thank you very much for your review.
>> I take this last updated review and provide some answers inline.
>>
>> On 30 May 2022, at 04:35, Donald Eastlake <d3e3e3@gmail.com> wrote:
>>
>> I have updated my review of the -10 version for -11 below.
>> Comments/suggestions that I do not comment on still apply.
>>
>> On Wed, May 25, 2022 at 3:41 PM Donald Eastlake <d3e3e3@gmail.com> wrote:
>>
>>
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the IESG.
>> Document editors and WG chairs should treat these comments just like any
>> other last call comments. Sorry this is a bit late.
>>
>>
>> The summary of the review is Ready with Issues.
>>
>>
>> Well, minor issues...
>>
>> ...
>>
>> SECURITY
>>
>> This draft appears to completely ignore the issue of Map Version Number
>> advancing so far so quickly that an old version number is encountered that
>> appears to be newer than or equal to the current version number. Why can't
>> this happen? Or if it can, why doesn't that hurt?
>>
>> This is more of an operational point. If you update a mapping, the best
>> would be to give sufficient time so that everybody updates and there is no
>> such a risk.
>> What about adding in section 7 “dealing with Map-Version Numbers” the
>> following sentence.
>>
>> It is an operational question to make sure that Map-Version numbers are
>> not updated so frequently as to create the risk that very old version
>> numbers appear newer (because of the circular space).
>>
>> Would that address your issue?
>>
>
> <de> Not really. (1) I think the document needs to say what happens if the
> numbers wrap around and overlap. (2) Assuming the answer to 1 is as bad as
> I think, then it is not "an operational question" to avoid this but rather
> "an operational requirement".  That is, there should be a statement
> something like "Map Version Number incrementing and TTL MUST be managed so
> that an old Version Numbers will not be confused as a new Version Number.
>
>
> This last sentence is great. I will put it in section 7.
>
>
>
> Section 8, last paragraph: Says Map-Versioning can only be used in
>> trusted, closed environments but Section 7.1 and 7.2 seem to talk about
>> what to do about the Map-Version field without any reference to this, but
>> mentioning private deployments for certain error conditions. For example,
>> Section 7.2 point 3 says to discard a packet on an erroneous Map-Version
>> value except perhaps in some private deployments. But if you MUST NOT use
>> Map-Versioning on the open internet, shouldn't it be required to discard
>> all LISP encapsulated packets with Map-Version numbering if received over
>> the public Internet?
>>
>> Actually section 7.1 reads:
>>
>> Operators can configure exceptions to this
>>        recommendation, which are outside the scope of this document.
>>
>>
>> We should have done the same for 7.2, will do in a revision.
>>
> <de> Well, adding that to Section 7.2 would help. But the problem is the
> following sentence in Section 8:
>
>    Map-Versioning MUST NOT be used over the public Internet and SHOULD
>    only be used in trusted and closed deployments.
>
>
> It seems to me that sentence says you can only use Map-Versioning in a
> private network and that private network SHOULD be trusted. So I guess it
> allows use in an untrusted private network... Is that what you want to say?
>
>
> This is similar to the comment made by Paul.
> His suggestion is to change the SHOULD in a MUST. Would this work for you
> as well?
>
>
>
>
>> Otherwise, the Security Considerations seem adequate although I think the
>> 1st and 2nd paragraphs of Section 8 should be swapped.
>>
>> Yes, it may read better. Will be swapped in the next revision.
>>
>> OTHER ISSUES
>>
>> Section 6, right after equation 3: Isn't "(69 + 4096) mod 4096" the same
>> as "69"? And isn't 69 equal to 69, not less than 69? Shouldn't it say
>> "Map-Version numbers in the range [69 + 2049; 68] are smaller than 69"? Or
>> actually "in the ranges [69 + 2049; 4095] and [1;68] are smaller than 69"?
>>
>> Wonderful catch. Should be
>> [69 +  2049; (69 + 4095) mod 4096]
>>
>>
>> Will fix.
>>
>> Section A.3: How is it possible to tell that no more traffic will be
>> received? Should this instead be something like wait the TTL of the
>> mappings to that RLOC plus estimated transit time and some margin for
>> safety?
>>
>> Absolutely right, the sentence should be:
>>
>>    Upon updating the mapping, the RLOC will receive the less and less
>>
>>    traffic because remote LISP sites will get the updated mapping.
>>
>>    At least one TTL after the mapping was updated, it could be
>>
>>    considered safe to shut down the RLOC gracefully, because all
>>
>>    sites actively using the mapping should have updated
>>
>>    it.
>>
>>
>> Sounds better?
>>
>
> <de> Yes, that's better. But I would suggest alternate wording such as the
> following:
>
>      "Upon updating the mapping, the RLOC will receive less and less
>
>    traffic because remote LISP sites will request the updated
>
>    mapping and see that it is disabled. At least one TTL, plus a
>
>    little time for traffic transit, after the mapping is updated,
>
>    it should be safe to shut down the RLOC gracefully, because
>
>    all sites actively using the mapping should have been updated."
>
>
> Thanks a lot, it reads much better.
>
>
> TYPOS/MINOR
>>
>> Should the document say anything about mapping changes possibly causing
>> re-ordering?
>>
>> Not sure what do you mean by “re-ordering”, can you articulate?
>>
>
> <de> I was thinking about adding one sentence somewhere something like the
> following:
> "A change in map version resulting in a change in ETR for a flow can
> result in the re-ordering of the packet in the flow just as any other
> routing change could cause re-ordering."
>
>
> Yes, that is again absolutely correct. I will add the sentence.
>
>
> Section 1: I think the following should end with "ITR": "If this is not
>> the case, the ETR can directly send a Map-Request containing the updated
>> mapping to the ETR,"
>>
>>
>> Above fixed in -11.
>>
>> Section 7.2, first sentence just after point 3: Suggest using "MAY" in
>> "may be more restrictive."
>>
>>
>> Will be changed in the next revision.
>>
>> Section A.2.3: "provider edge" pops up here with no other mention or
>> explanation anywhere in the draft.
>>
>>
>> Either drop the term or provide some sort of definition/explanation.
>>
>>
>> Provider edge should actually be just “domain"
>>
>
> <de> OK.
>
>> Section A.2.3: The last two sentences sound like they contradict each
>> other. I assume the last sentence is refering to change in the Source
>> mapping. Suggest "the mapping" -> "the Source mapping".
>>
>>
>> Yes, is
>>
>> With this setup, the Proxy-ETR, by looking at the Source Map-Version Number,
>>
>> is able to check whether the mapping has changed.
>>
>>
> <de> OK.
>
>> EDITORIAL
>>
>> Section 1: "This operation is two-fold." -> "This information has two
>> uses."
>>
>> New Section 6: "... MUST consist in an increment ..." -> "... MUST
>> consist of an increment ..."
>>
>> New Section A.2.3: "uRPF" is used only once so the acronym should be
>> dropped and only the expansion used.
>>
>> Will update as suggested in the next revision.
>>
>
> <de> OK.
>
>
> Thanks again for the feedback.
>
> Ciao
>
> L.
>
>
>
>
> <de> Thanks,
> Donald
> ===============================
>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>  2386 Panoramic Circle, Apopka, FL 32703 USA
>  d3e3e3@gmail.com
>
> Thanks again for the review.
>> Let me know if the proposed changes address your comments.
>>
>> Ciao
>>
>> L.
>>
>>
>>
>>
>>
>> Thanks,
>> Donald
>> ===============================
>> Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>> 2386 Panoramic Circle, Apopka, FL 32703 USA
>> d3e3e3@gmail.com
>>
>>
>

v2.23.0 | Report a Bug | By Email