[lisp] Benjamin Kaduk's Discuss on draft-ietf-lisp-rfc6833bis-26: (with DISCUSS and COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Tue, 31 December 2019 01:24 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: lisp@ietf.org
Delivered-To: lisp@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 45D0112002E; Mon, 30 Dec 2019 17:24:39 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-lisp-rfc6833bis@ietf.org, Luigi Iannone <ggx@gigix.net>, lisp-chairs@ietf.org, ggx@gigix.net, lisp@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.115.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <157775547927.4440.3647834701553763731.idtracker@ietfa.amsl.com>
Date: Mon, 30 Dec 2019 17:24:39 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/8yOZOSXbr9yUB3ywvh1aduc8d2A>
Subject: [lisp] Benjamin Kaduk's Discuss on draft-ietf-lisp-rfc6833bis-26: (with DISCUSS and COMMENT)
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.29
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Dec 2019 01:24:39 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-lisp-rfc6833bis-26: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-lisp-rfc6833bis/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- It looks like an edit or two that was supposed to be in the -26 didn't make it by accident, so sorry for the repeat comments; hopefully the writing work in question will be easy to retrieve. Other than that we're down to just a few remaining points, two of which I believe should be trivial to resolve. In Section 5.6 we say that "implementations of this spsecification SHOULD include support for HMAC-SHA256-128+HKDF-SHA256 but section 9 says "implementation MUST support HMAC-SHA256-128+HKDF-SHA256", which is internally inconsistent; my understanding from a previous discussion with the authors was that HMAC-SHA256-128+HKDF-SHA256 would be a SHOULD and it was HMAC-SHA256-128 that was MUST. The condition for Map-Notify-Ack terminating Map-Notify retransmission seems incomplete. Specifically, we should only accept the Map-Notify-Ack to stop retransmission if the authentication data validates (and maybe that it uses the same Key-ID as the Map-Notify, though that might be overkill). So just "a Map-Notify-Ack is received by the Map-Server with the same nonce" is not quite enough; we'd want to say "an authenticated Map-Notify-Ack is received by the Map-Server with the same nonce". In Section 9: The LISP-SEC protocol defines a mechanism for providing origin authentication, integrity, anti-replay, protection, and prevention of 'man-in-the- middle' and 'prefix overclaiming' attacks on the Map-Request/Map- Reply exchange. [...] I think this document provides anti-replay protection for the Map-Request/Map-Reply exchange (by virtue of the single-use nonce), so we should remove "anti-replay" from the list of features LISP-SEC provides for the Map-Request/Map-Reply exchange. I think we need greater clarity on the 'E' and 'M' bits in the ECM format; are we perhaps defining them now in anticipation of future usage by other documents (e.g., ones that define specific mapping system implementations)? in particular (with quotes from my ballot position on the -24 for context): > E: This is the to-ETR bit. When set to 1, the Map-Server's > intention is to forward the ECM to an authoritative ETR. > > I think this needs to say more about which message flows this bit is > defined for. Presumably the ITR will never use it for sending an > encapsulated Map-Request to a Map-Resolver, but there seem to be plenty of > places where ECM wrapping is used. IIUC, the main ECM-wrapped messages we consider in this document are ITR-to-Map-Resolver Map-Requests and Map-Server-to-ETR Map-Requests. Is it an invariant that the ECM 'E' and 'M' bits can never be set at the same time (as they are only defined to have meaning for the different flows I list)? In an off-list discussion I got a clarification that "The ETR bit is used so the Map-Server knows that the entity registering is an xTR versus a SDN or other type of controller that is registering mappings but doesn’t have a full LISP protocol engine implementation and can’t send Map-Replies" which sounds like it applies to a Map-Register ("is registering mappings") but I didn't think that Map-Register was defined as a possible LCM to be in an ECM. (Maybe I'm just confused about that.) The main thing I still don't understand here is: what entity is going to interpret the E-bit and change behavior depending on its value? > > M: This is the to-MS bit. When set to 1, a Map-Request is being > sent to a co-located Map-Resolver and Map-Server where the > message can be processed directly by the Map-Server versus the > Map-Resolver using the LISP-DDT procedures in [RFC8111]. > > How does the sender know that its configured Map-Resolver is also a > Map-Server? It's unclear to me why this needs a bit in the message as > opposed to just happening based on the attributes of the receiving > Map-Server. It sounds like this is only useful when the ECM contains a Map-Request from ITR to Map-Resolver, but I don't know how an ITR would know to (not) set this bit or what entity is going to change behavior depending on the value of the bit. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- [moving from DISCUSS to COMMENT based on explanation of this usage being a common historical usage in the LISP community. It still seems needlessly ambiguous and confusing to me, though, but no response is required, as we've discussed this already quite a bit and I just want to stay "on the record" about it.] There are many instances (some noted in my Comment) where a bidirectional interaction between two xTRs is described, yet the peers are identified as "ITR" and "ETR". This is very confusing when the entity named as "ITR" is described as performing ETR functionality, or vice versa; pedagogically, it would be much better to use non-role-based names for the entities while describing these exchanges. [Also moving from DISCUSS to COMMENT] I'm still a little nervous about the strong dependencies on lisp-sec and 6834bis that are not yet at IESG evaluation, but perhaps they are sufficiently mature that I don't need to hold a Discuss point anymore to wait for them. I got a request for more clarification on my previous remark: % Section 8.1 says: % o A Negative Map-Reply, with action code of ""Natively-Forward"", from % a Map-Server that is authoritative for an EID-Prefix that matches % the requested EID but that does not have an actively registered, % more-specific ID-prefix. % This document provides no mechanism to establish that a Map-Server is % authoritative for a given EID-Prefix, so this entire case is % non-actionable. % [ed. I think there may have been some previous discussion on this (e.g., % that might render it moot) but couldn't find it quickly] I think that the "previous discussion" essentially entailed a LISP deployment including some configuration information about which sites were allowed/expected to have certain EID prefixes, so the "authoritative" here is just excluding sites that are known to not be candidates. That is, the deployment-specific "authoritative" nature is essentially coming from configuration, if I understand correctly. So I didn't think that any further clarification was needed. A few more other old comments with extra clarification as-needed; I'll trim most of the comments from the -25. Section 5.2 EID mask-len: This is the mask length for the EID-Prefix. I see this got changed to add "in decimal" as a result to my earlier comment, but I think my earlier comment was wrong and that change should be reverted. It doesn't make sense to measure a prefix length in bytes, and we have explicit examples of the mask length for when we need to limit to an exact IP (v4 or v6) address, which would allow the reader to figure it out anyway. Sorry for the extra churn (and noting that the same thing occurs in a later section). Section 5.6 Do you want to give a mnemonic for the 'I' bit? I don't propose changing its name, but if there was some extra word or two that would help someone remember why it is the 'I' bit (as opposed to, say, the 'Q' bit) that would be helpful. Section 5.7 A Map-Server sends an unsolicited Map-Notify message (one that is not used as an acknowledgment to a Map-Register message) that follows the Congestion Control And Relability Guideline sections of [RFC8085]. A This second clause ("that follows") is rather a non sequitur here; is the intent something like "sends unsolicited Map-Notify messages in only conformance with the guidelines from RFC 8085"? Section 5.8 An Encapsulated Control Message (ECM) is used to encapsulate control packets sent between xTRs and the mapping database system. Some of the flag bit descriptions appear to describe usages that are or can be entirely within the mapping system, so maybe tweak the wording to "between xTRs and the mapping database system or internal to the mapping database system"? Section 6.1 sender of an SMR-based Map-Request MUST be verified. If an ITR receives an SMR-based Map-Request and the source is not in the Locator-Set for the stored Map-Cache entry, then the responding Map- Request MUST be sent with an EID destination to the mapping database system. [...] Based on our offline discussion about which messages go in which direction between ITR and ETR, I think this would be more clear if it did s/SMR-based Map-Request/SMR message/ (both times).
- [lisp] Benjamin Kaduk's Discuss on draft-ietf-lis… Benjamin Kaduk via Datatracker