Re: [lisp] [Last-Call] Tsvart last call review of draft-ietf-lisp-pubsub-10

[mohamed.boucadair@orange.com]

Hi Magnus,

Thanks. The change will be in -11.

Authenticating subscription requests and ensuring their integrity protection build on 9301 and 9303. Specifically, spoofed Map-Requests (including tampering xTR-IDs) falls under this part from 9301:

   Deployments concerned about manipulations of Map-Request and Map-
   Reply messages and malicious ETR EID-Prefix overclaiming MUST drop
   LISP control plane messages that do not contain LISP-SEC material
   (S-bit, EID-AD, OTK-AD, PKT-AD).  See Section 3 of [RFC9303] for
   definitions of "EID-AD", "OTK-AD", and "PKT-AD".

   Mechanisms to encrypt, support privacy, and prevent eavesdropping and
   packet tampering for messages exchanged between xTRs, between xTRs
   and the Mapping System, and between nodes that make up the Mapping
   System SHOULD be deployed.  Examples of this are DTLS [RFC9147] or
   "lisp-crypto" [RFC8061].

In order to insist on the guard to avoid manipulating xTR-IDs, we made this change:

OLD:
  Generic security considerations related to LISP control messages are
   discussed in Section 9 of [RFC9301].

NEW:
  Generic security considerations related to LISP control messages are
   discussed in Section 9 of [RFC9301].  To prevent xTR-ID hijacking, it
   is RECOMMENDED to follow guidance from Section 9 of [RFC9301] to
   ensure integrity protection of Map-Request messages.

Cheers,
Med

De : Magnus Westerlund <magnus.westerlund@ericsson.com>
Envoyé : lundi 30 janvier 2023 09:42
À : BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>; tsv-art@ietf.org
Cc : draft-ietf-lisp-pubsub.all@ietf.org; last-call@ietf.org; lisp@ietf.org
Objet : Re: [Last-Call] Tsvart last call review of draft-ietf-lisp-pubsub-10

Hi,

I think this is a good step forward in at least acknowledging the issue from an overload perspective that can just occur. I think this is likely solved, but I want to see how what are the conclusions on preventing spoofed registrations.

Cheers

Magnus

From: mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com> <mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>>
Date: Friday, 27 January 2023 at 18:02
To: Magnus Westerlund <magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>>, tsv-art@ietf.org<mailto:tsv-art@ietf.org> <tsv-art@ietf.org<mailto:tsv-art@ietf.org>>
Cc: draft-ietf-lisp-pubsub.all@ietf.org<mailto:draft-ietf-lisp-pubsub.all@ietf.org> <draft-ietf-lisp-pubsub.all@ietf.org<mailto:draft-ietf-lisp-pubsub.all@ietf.org>>, last-call@ietf.org<mailto:last-call@ietf.org> <last-call@ietf.org<mailto:last-call@ietf.org>>, lisp@ietf.org<mailto:lisp@ietf.org> <lisp@ietf.org<mailto:lisp@ietf.org>>
Subject: RE: [Last-Call] Tsvart last call review of draft-ietf-lisp-pubsub-10
Re-,

Fully agree that dedicating a small fraction of resources (not only links capacity but also CPU) is a good advice, but I don't think we can use any normative language for this. I tweaked the proposed text as follows:

NEW:
   As a reminder, the initial transmission and retransmission of Map-
   Notify messages by a Map-Server follow the procedure specified in
   Section 5.7 of [RFC9301].  Some state changes may trigger an overload
   that would impact, e.g., the outbound capacity of a Map-Server.  A
   similar problem may be experienced when a large number of state were
   simultaneously updated.  To prevent such phenomena, Map-Servers
   SHOULD be configured with policies to control the maximum number of
   subscriptions and also the pace of Map-Notify messages.  For example,
   the Map-Server may be instructed to limit the resources dedicated
   to handling unsolicited Map-Notify messages to a small fraction
   (e.g., less than 10%) of its overall processing and forwarding
   capacity.  The exact details to characterize such policies are
   deployment and implementation specific.  Likewise, this document does
   not specify which notifications take precedence when these policies
   are enforced.

Hope this is better.

Cheers,
Med

De : Magnus Westerlund <magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>>
Envoyé : vendredi 27 janvier 2023 17:21
À : BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>>; tsv-art@ietf.org<mailto:tsv-art@ietf.org>
Cc : draft-ietf-lisp-pubsub.all@ietf.org<mailto:draft-ietf-lisp-pubsub.all@ietf.org>; last-call@ietf.org<mailto:last-call@ietf.org>; lisp@ietf.org<mailto:lisp@ietf.org>
Objet : Re: [Last-Call] Tsvart last call review of draft-ietf-lisp-pubsub-10

Hi,

That is a good start. The general problem for this type of problem is that one can reasonably calculate a pacing schedule based on target bit-rate at the outgoing interface. What one doesn't know is if what path the various message takes and if that is part of a traffic load causing congestion. The Map-Server will get some indication on potential congestion issue if it has to retransmit many messages as they aren't acked. I would think the most general thing I would say is to recommend that the pacing target a bit-rate that is no more than a small fraction of the expected bandwidth of the links to the xTRs.

That is likely preventing enough issues that there is no point in doing more advanced solution. But that is me assuming that the control plane will mostly run over links with Gbps+ capacity and that one configure this to not burst above like 1-5% of the link capacity one will not have any issues. But if there is more limited capacity or larger deployments maybe the completion time become an issue for each update.

Cheers

Magnus

From: mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com> <mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>>
Date: Friday, 27 January 2023 at 15:53
To: Magnus Westerlund <magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>>, tsv-art@ietf.org<mailto:tsv-art@ietf.org> <tsv-art@ietf.org<mailto:tsv-art@ietf.org>>
Cc: draft-ietf-lisp-pubsub.all@ietf.org<mailto:draft-ietf-lisp-pubsub.all@ietf.org> <draft-ietf-lisp-pubsub.all@ietf.org<mailto:draft-ietf-lisp-pubsub.all@ietf.org>>, last-call@ietf.org<mailto:last-call@ietf.org> <last-call@ietf.org<mailto:last-call@ietf.org>>, lisp@ietf.org<mailto:lisp@ietf.org> <lisp@ietf.org<mailto:lisp@ietf.org>>
Subject: RE: [Last-Call] Tsvart last call review of draft-ietf-lisp-pubsub-10
Re-,

Thanks Magnus for clarifying.

I suggest to add the following in Section 6:

NEW:
   As a reminder, the initial transmission and retransmission of Map-
   Notify messages by a Map-Server follow the procedure specified in
   Section 5.7 of [RFC9301].  Some state changes may trigger an overload
   that would impact, e.g., the outbound capacity of a Map-Server.  A
   similar problem may be experienced when a large number of state were
   simultaneously updated.  To prevent such phenomena, Map-Servers
   SHOULD be configured with policies to control the maximum number of
   subscriptions and also the pace of Map-Notify messages.  The exact
   details to characterize such policies are deployment and
   implementation specific.  Likewise, this document does not specify
   which notifications take precedence when these policies are enforced.

Do we need to say more without going too much into implementation territory?

Cheers,
Med

De : Magnus Westerlund <magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>>
Envoyé : vendredi 27 janvier 2023 11:39
À : BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>>; tsv-art@ietf.org<mailto:tsv-art@ietf.org>
Cc : draft-ietf-lisp-pubsub.all@ietf.org<mailto:draft-ietf-lisp-pubsub.all@ietf.org>; last-call@ietf.org<mailto:last-call@ietf.org>; lisp@ietf.org<mailto:lisp@ietf.org>
Objet : Re: [Last-Call] Tsvart last call review of draft-ietf-lisp-pubsub-10

Hi Med,

Overall, the spec leverages the mechanisms in both RFC9301 and RFC9303. I don't know if you checked those when performing your review.

MW: Yes, I looked at those, and as you cite some of it I can explain why I think this isn't sufficient for this specification.

> -----Message d'origine-----
> De : last-call <last-call-bounces@ietf.org<mailto:last-call-bounces@ietf.org>> De la part de Magnus
> Westerlund via Datatracker
> Envoyé : mardi 24 janvier 2023 14:20
> À : tsv-art@ietf.org<mailto:tsv-art@ietf.org>
> Cc : draft-ietf-lisp-pubsub.all@ietf.org<mailto:draft-ietf-lisp-pubsub.all@ietf.org>; last-call@ietf.org<mailto:last-call@ietf.org>;
> lisp@ietf.org<mailto:lisp@ietf.org>
> Objet : [Last-Call] Tsvart last call review of draft-ietf-lisp-
> pubsub-10
>
> Reviewer: Magnus Westerlund
> Review result: Not Ready
>
> This document has been reviewed as part of the transport area
> review team's ongoing effort to review key IETF documents. These
> comments were written primarily for the transport area directors,
> but are copied to the document's authors and WG to allow them to
> address any issues raised and also to the IETF discussion list for
> information.
>
> When done at the time of IETF Last Call, the authors should
> consider this review as part of the last-call comments they
> receive. Please always CC tsv-art@ietf.org<mailto:tsv-art@ietf.org> if you reply to or
> forward this review.
>
> My review comments are:
>
>
> C.      When a Map-Notify is to be sent there are no discussion in
> regards to
> congestion control of the transmission of the Map-Notify.


_________________________________________________________________________________________________________________________



Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc

pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler

a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,

Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.



This message and its attachments may contain confidential or privileged information that may be protected by law;

they should not be distributed, used or copied without authorisation.

If you have received this email in error, please notify the sender and delete this message and its attachments.

As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.

Thank you.

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.