IETF Logo Mail Archive

Re: [lisp] Last Call SECDIR Review of draft-ietf-lisp-6834bis-11

Donald Eastlake <d3e3e3@gmail.com> Wed, 01 June 2022 03:30 UTC

Return-Path: <d3e3e3@gmail.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03F09C15C0B4; Tue, 31 May 2022 20:30:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.858
X-Spam-Level:
X-Spam-Status: No, score=-1.858 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bWiL1imGkssO; Tue, 31 May 2022 20:30:05 -0700 (PDT)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04449C15C0A6; Tue, 31 May 2022 20:30:04 -0700 (PDT)
Received: by mail-lf1-x12d.google.com with SMTP id u23so663716lfc.1; Tue, 31 May 2022 20:30:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Ouw42GUqWc6XXMnnn3V4/Oi3Ajt5kP45TlF7gzydeYQ=; b=TtBawwDUfmUMAl7CieClX2GQJ4FpG1OfcWcKdey5QlAyTIgJ0K4e0pealsG9n4LBlL EyXhgTRHMAqWplrmKIM5pDLIHwk27KgOzQR5UfX/K1IXNpDT0QRc123RedyHm+oYI/30 9y68pIxkRkgzgtKFXZNxGW2dZopo+SJotGkUehMhdAIstMQ1/1fxmtYTAr1D1kdQvDqn Z4yVsN3+tG6vOqwqAnLuuet9X1o4u1od286Rb2firnorK3kba5vxl6xv8kKwXcFM+FRX JTqJNWI49Op677eRAgANslZFrjfA0nDI5Oj+7M66DOZetMwff3Vu8/kKj5f/VyUhAhVz GTqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Ouw42GUqWc6XXMnnn3V4/Oi3Ajt5kP45TlF7gzydeYQ=; b=RNvylHIZD9FZnqhwUC6NHXqvuYViL/uMq7zVUGD6zwEPLWBsfTJ2aejEaKDbkbWxdC MfSKl523KE0p19DIIKxhCSh+dfC0icjpzGcA7y8csXv5K6Z6k8k5Xtj3Y4Sx2hga8wCd nJCVxnB4oXGH3gtXHYWfl1hanZz+8c9xw+bxfc2ExO3im5kOEf+fTIR23j+xzWuyC3TC 4HgMEoLYDjfJMs++/LwqQicnrAR08aY8atfSTKFstrWHA0FFFPPsdh8oJ758fuBiNFsE BAt8pMzGFhtZAveaxqQxYf/SNAeK4ct4e1S8NpBXiUivu4EsDi6fhpG1bbbjT3cYWqro hY3A==
X-Gm-Message-State: AOAM532+2GHldI56a8RlfNUt/4tvmLp3XKxQiDYcaNZdAdH9CbuNyHLO 0zXNZI7gcKIr6A6dHKUF8Ns3bxqOwndxrkt0VbzACP+WlBg=
X-Google-Smtp-Source: ABdhPJylz0Po9ttucYZW6je9RFkepKVsIMWmHotR1bQbrQ2diP7Q0+cKYLs/9P4EuE8Vxo1AO/SY0YSRvnrErA46w3U=
X-Received: by 2002:a05:6512:1148:b0:478:98b7:c86e with SMTP id m8-20020a056512114800b0047898b7c86emr26611314lfg.338.1654054202601; Tue, 31 May 2022 20:30:02 -0700 (PDT)
MIME-Version: 1.0
References: <CAF4+nEE0UrAhSkUzbWbaoZKvHE_LFs6zmbda3nie=M-EN-XDeg@mail.gmail.com> <542A2E95-C536-43A3-B500-A85D76A62579@gigix.net>
In-Reply-To: <542A2E95-C536-43A3-B500-A85D76A62579@gigix.net>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Tue, 31 May 2022 23:29:51 -0400
Message-ID: <CAF4+nEFHzKCgLBWMT2-WTO0T0vgxpYV1bndsz4HofNKvpYt-2w@mail.gmail.com>
To: Luigi Iannone <ggx@gigix.net>
Cc: "iesg@ietf.org" <iesg@ietf.org>, secdir <secdir@ietf.org>, Last Call <last-call@ietf.org>, draft-ietf-lisp-6834bis.all@ietf.org, "lisp@ietf.org list" <lisp@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002f759d05e05a81c1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/FnhBvyYPIn63Bj9Yppg13PZoMqc>
Subject: Re: [lisp] Last Call SECDIR Review of draft-ietf-lisp-6834bis-11
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jun 2022 03:30:07 -0000

See below at <de>

On Mon, May 30, 2022 at 9:32 AM Luigi Iannone <ggx@gigix.net> wrote:

> Hi Donald,
>
> Thank you very much for your review.
> I take this last updated review and provide some answers inline.
>
> On 30 May 2022, at 04:35, Donald Eastlake <d3e3e3@gmail.com> wrote:
>
> I have updated my review of the -10 version for -11 below.
> Comments/suggestions that I do not comment on still apply.
>
> On Wed, May 25, 2022 at 3:41 PM Donald Eastlake <d3e3e3@gmail.com> wrote:
>
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> Document editors and WG chairs should treat these comments just like any
> other last call comments. Sorry this is a bit late.
>
>
> The summary of the review is Ready with Issues.
>
>
> Well, minor issues...
>
> ...
>
> SECURITY
>
> This draft appears to completely ignore the issue of Map Version Number
> advancing so far so quickly that an old version number is encountered that
> appears to be newer than or equal to the current version number. Why can't
> this happen? Or if it can, why doesn't that hurt?
>
> This is more of an operational point. If you update a mapping, the best
> would be to give sufficient time so that everybody updates and there is no
> such a risk.
> What about adding in section 7 “dealing with Map-Version Numbers” the
> following sentence.
>
> It is an operational question to make sure that Map-Version numbers are
> not updated so frequently as to create the risk that very old version
> numbers appear newer (because of the circular space).
>
> Would that address your issue?
>

<de> Not really. (1) I think the document needs to say what happens if the
numbers wrap around and overlap. (2) Assuming the answer to 1 is as bad as
I think, then it is not "an operational question" to avoid this but rather
"an operational requirement".  That is, there should be a statement
something like "Map Version Number incrementing and TTL MUST be managed so
that an old Version Numbers will not be confused as a new Version Number.

> Section 8, last paragraph: Says Map-Versioning can only be used in
> trusted, closed environments but Section 7.1 and 7.2 seem to talk about
> what to do about the Map-Version field without any reference to this, but
> mentioning private deployments for certain error conditions. For example,
> Section 7.2 point 3 says to discard a packet on an erroneous Map-Version
> value except perhaps in some private deployments. But if you MUST NOT use
> Map-Versioning on the open internet, shouldn't it be required to discard
> all LISP encapsulated packets with Map-Version numbering if received over
> the public Internet?
>
> Actually section 7.1 reads:
>
> Operators can configure exceptions to this
>        recommendation, which are outside the scope of this document.
>
>
> We should have done the same for 7.2, will do in a revision.
>
<de> Well, adding that to Section 7.2 would help. But the problem is the
following sentence in Section 8:

   Map-Versioning MUST NOT be used over the public Internet and SHOULD
   only be used in trusted and closed deployments.


It seems to me that sentence says you can only use Map-Versioning in a
private network and that private network SHOULD be trusted. So I guess it
allows use in an untrusted private network... Is that what you want to say?


> Otherwise, the Security Considerations seem adequate although I think the
> 1st and 2nd paragraphs of Section 8 should be swapped.
>
> Yes, it may read better. Will be swapped in the next revision.
>
> OTHER ISSUES
>
> Section 6, right after equation 3: Isn't "(69 + 4096) mod 4096" the same
> as "69"? And isn't 69 equal to 69, not less than 69? Shouldn't it say
> "Map-Version numbers in the range [69 + 2049; 68] are smaller than 69"? Or
> actually "in the ranges [69 + 2049; 4095] and [1;68] are smaller than 69"?
>
> Wonderful catch. Should be
> [69 +  2049; (69 + 4095) mod 4096]
>
>
> Will fix.
>
> Section A.3: How is it possible to tell that no more traffic will be
> received? Should this instead be something like wait the TTL of the
> mappings to that RLOC plus estimated transit time and some margin for
> safety?
>
> Absolutely right, the sentence should be:
>
>    Upon updating the mapping, the RLOC will receive the less and less
>
>    traffic because remote LISP sites will get the updated mapping.
>
>    At least one TTL after the mapping was updated, it could be
>
>    considered safe to shut down the RLOC gracefully, because all
>
>    sites actively using the mapping should have updated
>
>    it.
>
>
> Sounds better?
>

<de> Yes, that's better. But I would suggest alternate wording such as the
following:

     "Upon updating the mapping, the RLOC will receive less and less

   traffic because remote LISP sites will request the updated

   mapping and see that it is disabled. At least one TTL, plus a

   little time for traffic transit, after the mapping is updated,

   it should be safe to shut down the RLOC gracefully, because

   all sites actively using the mapping should have been updated."

TYPOS/MINOR
>
> Should the document say anything about mapping changes possibly causing
> re-ordering?
>
> Not sure what do you mean by “re-ordering”, can you articulate?
>

<de> I was thinking about adding one sentence somewhere something like the
following:
"A change in map version resulting in a change in ETR for a flow can result
in the re-ordering of the packet in the flow just as any other routing
change could cause re-ordering."

> Section 1: I think the following should end with "ITR": "If this is not
> the case, the ETR can directly send a Map-Request containing the updated
> mapping to the ETR,"
>
>
> Above fixed in -11.
>
> Section 7.2, first sentence just after point 3: Suggest using "MAY" in
> "may be more restrictive."
>
>
> Will be changed in the next revision.
>
> Section A.2.3: "provider edge" pops up here with no other mention or
> explanation anywhere in the draft.
>
>
> Either drop the term or provide some sort of definition/explanation.
>
>
> Provider edge should actually be just “domain"
>

<de> OK.

> Section A.2.3: The last two sentences sound like they contradict each
> other. I assume the last sentence is refering to change in the Source
> mapping. Suggest "the mapping" -> "the Source mapping".
>
>
> Yes, is
>
> With this setup, the Proxy-ETR, by looking at the Source Map-Version Number,
>
> is able to check whether the mapping has changed.
>
>
<de> OK.

> EDITORIAL
>
> Section 1: "This operation is two-fold." -> "This information has two
> uses."
>
> New Section 6: "... MUST consist in an increment ..." -> "... MUST
> consist of an increment ..."
>
> New Section A.2.3: "uRPF" is used only once so the acronym should be
> dropped and only the expansion used.
>
> Will update as suggested in the next revision.
>

<de> OK.

<de> Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 2386 Panoramic Circle, Apopka, FL 32703 USA
 d3e3e3@gmail.com

Thanks again for the review.
> Let me know if the proposed changes address your comments.
>
> Ciao
>
> L.
>
>
>
>
>
> Thanks,
> Donald
> ===============================
> Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
> 2386 Panoramic Circle, Apopka, FL 32703 USA
> d3e3e3@gmail.com
>
>
>

v2.23.0 | Report a Bug | By Email