[lisp] Benjamin Kaduk's No Objection on draft-ietf-lisp-rfc6830bis-32: (with COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Thu, 09 July 2020 04:20 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: lisp@ietf.org
Delivered-To: lisp@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id D45793A00B3; Wed, 8 Jul 2020 21:20:01 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-lisp-rfc6830bis@ietf.org, lisp-chairs@ietf.org, lisp@ietf.org, Luigi Iannone <ggx@gigix.net>, ggx@gigix.net
X-Test-IDTracker: no
X-IETF-IDTracker: 7.7.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <159426840139.19571.383901486766616745@ietfa.amsl.com>
Date: Wed, 08 Jul 2020 21:20:01 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/E2qryf-nKrEy2cWJCQ7meiC-Ejc>
Subject: [lisp] Benjamin Kaduk's No Objection on draft-ietf-lisp-rfc6830bis-32: (with COMMENT)
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.29
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2020 04:20:02 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-lisp-rfc6830bis-32: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-lisp-rfc6830bis/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thanks for addressing my previous Discuss points. I have some notes locally for an analysis of the security considerations at the boundaries of the various components in the ecosystem, and hope to have some text soon. That said, I'm balloting No Objection now anyway, to make my other comments (from a fresh reread of the document) available now. Section 1 LISP is an overlay protocol that separates control from Data-Plane, this document specifies the Data-Plane as well as how LISP-capable routers (Tunnel Routers) exchange packets by encapsulating them to the appropriate location. [...] nit: comma splice Section 3 EID-Prefix: An EID-Prefix is a power-of-two block of EIDs that are allocated to a site by an address allocation authority. EID- Prefixes are associated with a set of RLOC addresses. EID-Prefix allocations can be broken up into smaller blocks when an RLOC set is to be associated with the larger EID-Prefix block. nit(?): this definition might be artifically narrow. E.g., there might be other cases when a prefix can be broken up, including when different RLOC sets are to be assigned to sub-blocks of the larger EID-Prefix. End-System: An end-system is an IPv4 or IPv6 device that originates packets with a single IPv4 or IPv6 header. The end-system supplies an EID value for the destination address field of the IP header when communicating outside of its routing domain. An end- Just to check: when would an end-system supply a destination address that is not an EID (i.e., what requires the "when communicating outside of its routing domain" caveat)? (This is in a mindset that assumes for non-LISP systems the EID and RLOC collapse to the same value usable as either EID or RLOC depending on context.) Routing Locator (RLOC): An RLOC is an IPv4 [RFC0791] or IPv6 [RFC8200] address of an Egress Tunnel Router (ETR). An RLOC is the output of an EID-to-RLOC mapping lookup. An EID maps to zero or more RLOCs. Typically, RLOCs are numbered from blocks that are assigned to a site at each point to which it attaches to the underlay network; where the topology is defined by the connectivity of provider networks. Multiple RLOCs can be assigned nit: the bit after the semicolon is not a complete sentence; probably just replacing it with a comma is best. Section 4 when re-routing of the path for a packet is desired. A potential use-case for this would be an ISP router that needs to perform Traffic Engineering for packets flowing through its network. In such a situation, termed "Recursive Tunneling", an ISP transit acts as an additional ITR, and the destination RLOC it uses for the new nit: "Recursive Tunneling" is a defined term now, so we don't need quite as much of an in-band definition. Perhaps "in such a Recursive Tunneling situation". Section 4.1 Request for that EID. Both the ITR and the ETR MAY also influence the decision the other makes in selecting an RLOC. It might be worth a bit more detail on how the one xTR influences the decision of the other. Section 5.3 LISP Locator-Status-Bits (LSBs): When the L-bit is also set, the 'Locator-Status-Bits' field in the LISP header is set by an ITR to nit: s/also// ? Section 6 The Map-Cache is a local cache of mappings, entries are expired based on the associated Time to live. [...] nit: comma splice Section 7.1 When the 'DF' field of the IP header is set to 1, or the packet is an IPv6 packet originated by the source host, the ITR will drop the This seems to be the only indication that the mechanism described in this subsection is an IPv4-only mechanism; it's probably worth being a little more clear and up-front about that. Section 9 corresponding to the EID's topological location. Each RLOC in the Locator-Set is associated with a 'Priority' and 'Weight', this information is used to select the RLOC to encapsulate. nit: comma splice. Section 10 1. An ETR MAY examine the Locator-Status-Bits in the LISP header of an encapsulated data packet received from an ITR. If the ETR is also acting as an ITR and has traffic to return to the original ITR site, it can use this status information to help select an RLOC. Since we said earlier that LSBs are "a hint to convey up/down router status and not path reachability status", so I'd suggest rephrasing this in terms of "use this status information to avoid selecting routers that are down". When determining Locator up/down reachability by examining the Locator-Status-Bits from the LISP-encapsulated data packet, an ETR will receive up-to-date status from an encapsulating ITR about reachability for all ETRs at the site. CE-based ITRs at the source site can determine reachability relative to each other using the site IGP as follows: Similarly, we might clarify that this "reachability for all ETRs at the site" reflects local reachability from the ITR in question, and may not be indicative of reachability from the ETR receiving the LSBs. When ITRs at the site are not deployed in CE routers, the IGP can still be used to determine the reachability of Locators, provided they are injected into the IGP. This is typically done when a /32 address is configured on a loopback interface. "/32 address" seems IPv4-specific. RLOCs listed in a Map-Reply are numbered with ordinals 0 to n-1. The Locator-Status-Bits in a LISP-encapsulated packet are numbered from 0 to n-1 starting with the least significant bit. For example, if an RLOC listed in the 3rd position of the Map-Reply goes down (ordinal value 2), then all ITRs at the site will clear the 3rd least significant bit (xxxx x0xx) of the 'Locator-Status-Bits' field for the packets they encapsulate. It might be worth a forward-reference to § 13.2 to mention that, in line with map versioning, the ITRs at the site already need to know the Map-Reply contents and to also note that, per Section 5.5 of 6833bis, the list of locators is sorted in a specific order. Section 10.1 When data flows bidirectionally between Locators from different sites, a Data-Plane mechanism called "nonce echoing" can be used to determine reachability between an ITR and ETR. When an ITR wants to solicit a nonce echo, it sets the N- and E-bits and places a 24-bit nonce [RFC4086] in the LISP header of the next encapsulated data packet. I do note the title of RFC 4086 and the resulting implication, but since a generic "nonce" is just a "number used once" and can in such cases be a simple counter, I think we really need to say "random nonce" (or "selected from a uniform random distribution" or similar), since we do rely on the unpredictability inherent in a random nonce. For reference, 6833bis says "[t]he nonce MUST be generated by a properly seeded pseudo-random source, see as an example [RFC4086]." The ITR will set the E-bit and N-bit for every packet it sends while in the echo-nonce-request state. The time the ITR waits to process the echoed nonce before it determines the path is unreachable is variable and is a choice left for the implementation. draft-ietf-tcpm-rto-consider, also on this week's telechat, might be an interesting reference here. The echo-nonce algorithm is bilateral. That is, if one side sets the E-bit and the other side is not enabled for echo-noncing, then the echoing of the nonce does not occur and the requesting side may erroneously consider the Locator unreachable. An ITR SHOULD set the E-bit in an encapsulated data packet when it knows the ETR is enabled for echo-noncing. This is conveyed by the E-bit in the Map-Reply message. Do we want a corresponding "SHOULD NOT set the E-bit when [...]" here? Also, this could be a good place to note that the Map-Reply E-bit is spoofable in the absence of LISP-SEC. Many implementations default to not advertising they are echo-nonce capable in Map-Reply messages and so RLOC-probing tends to be used for RLOC reachability. Do we want to hedge this with an "at the time of this writing" in case it ages badly? Section 13 which ITRs requested its mappings. For scalability reasons, it is desirable to maintain this approach but need to provide a way for ETRs to change their mappings and inform the sites that are currently communicating with the ETR site using such mappings. nit: missing word (maybe s/need/there remains a need/?) Section 13.1 or down). The specific value for the 'use-LSB' timer depends on the LISP deployment, the 'use-LSB' timer needs to be large enough for the destination xTR to retreive the updated EID-to-RLOC mappings. A nit: comma splice. Section 16 For example of such attacks, an off-path attacker can exploit the echo-nonce mechanism by sending data packets to an ITR with a random nonce from an ETR's spoofed RLOC. Note the attacker must guess a valid nonce the ITR is requesting to be echoed within a small window of time. [...] I suggest noting that "the nonce echoing mechanism defined in this document has only a 24-bit nonce, which is small enough that randomly guessing a nonce will succeed with some regularity". That would also give an opportunity to mention the idea, introduced in lisp-gpe, that a dedicated shim header could be used to provide a longer nonce that is strong enough to be reliable for route-returnability checks (though I concede it's a bit far afield since it's a reference to a reference to future work). Map-Versioning is a Data-Plane mechanism used to signal a peering xTR that a local EID-to-RLOC mapping has been updated, so that the peering xTR uses LISP Control-Plane signaling message to retrieve a fresh mapping. This can be used by an attacker to forge the map- versioning field of a LISP encapsulated header and force an excessive amount of signaling between xTRs that may overload them. I'd suggest adding at the end ", or prevent updates from being processed". LISP implementations and deployments which permit outer header fragments of IPv6 LISP encapsulated packets as a means of dealing with MTU issues should also use implementation techniques in ETRs to prevent this from being a DoS attack vector. Limits on the number of fragments awaiting reassembly at an ETR, RTR, or PETR, and the rate of admitting such fragments may be used. I note that draft-ietf-intarea-frag-fragile might be a relevant reference (and is in the RFC Editor's queue). Section 20.1 How can RFC 6830 be a normative reference when this document Obsoletes it? It's not really clear that RFCs 6831 or 8378 need to be normative; we mostly just mention that they exist but don't require implementing or using them. Section 20.2 In addition to what idnits picked up, I note that RFC 1918 is only referenced from the changelog entry saying that it's not referenced anymore :) I could see an argument that RFC 6936 should be normative, but defer to my TSV-area colleagues. I'm slightly surprised to see that Mirja did not insist upon RFC 8085 being a normative reference.
- [lisp] Benjamin Kaduk's No Objection on draft-iet… Benjamin Kaduk via Datatracker