IETF Logo Mail Archive

Re: [lisp] John Scudder's Discuss on draft-ietf-lisp-6834bis-12: (with DISCUSS and COMMENT)

John Scudder <jgs@juniper.net> Thu, 02 June 2022 21:35 UTC

Return-Path: <jgs@juniper.net>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67685C157B36; Thu, 2 Jun 2022 14:35:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.854
X-Spam-Level:
X-Spam-Status: No, score=-2.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.745, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net header.b=Pwum5mPQ; dkim=pass (1024-bit key) header.d=juniper.net header.b=AP9frHUh
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WrbznnMUyiKM; Thu, 2 Jun 2022 14:35:53 -0700 (PDT)
Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A67C3C14F73E; Thu, 2 Jun 2022 14:35:48 -0700 (PDT)
Received: from pps.filterd (m0108156.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 252I0QFL005086; Thu, 2 Jun 2022 14:35:45 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=Sl2LZhvxifvXAZlIQjH2ASFFs06ToHG4LgpxUXr0jEg=; b=Pwum5mPQHOv6vBtDJOqtU+I3mBxzcnNlV/qo6wjgsuXMtvMlsPazT8s+cT7EDGgCLwsx FtJHhHQjfHxw8Xt2VGlddx5alnIknhOqKABUGk/SgiBErjblaGJYyT+GFFOiZnyYYyIX QhUM1BJpZ85tKc20GgCABSnqELJPRryL0s/U5e5cg2Us2n0xva+qQU03l3w5qgY0lZmE v0O+AvqehnKsBreVMpFhbfjI6V8OTiqteqpuzo1nl7cmY/U5bM+h6Msoh3CKIyMvEnZy 4zzzK1bMTLZoKPt7+Ln0t6FS7iddYoaIafJpBEL+qpbYJyIpk7+bl5Gz34VZvlVVVsEZ 2w==
Received: from nam10-mw2-obe.outbound.protection.outlook.com (mail-mw2nam10lp2109.outbound.protection.outlook.com [104.47.55.109]) by mx0a-00273201.pphosted.com (PPS) with ESMTPS id 3geryb1pj1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 02 Jun 2022 14:35:45 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=IozGRYDpyNgUxgy3bBbetF7eKdXt5G7Rcqvc8JnK3DRAXZ7zKJXGVlB+biE7zBCjEjk4goz04fnnVJ3vig1RjdYnIR3VIb6zsR1LrpJUmvcK1kEAokzpMtVO5hItuCCDPhrp4ayFbxSvPtoDOLF2bA+M/vlky4hroyVEVze7mGiTQ4Z1G/93v1JOMSSTwdQZbiFHS5ecq9wQ2Eukicr87NQuDbnQz2lbPvtd7yLc3O7RRyldoluPyd95dXtPVTOqzQxoXscpdePNuhn1fdOiybREIv03JaxRNvy/de5H7Xbd7EgL9PxxiW8WYA4YzFXAEceG4eW4Jx5HJFzDHa04/Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Sl2LZhvxifvXAZlIQjH2ASFFs06ToHG4LgpxUXr0jEg=; b=ma4BDBf5Ubo+7cQXY94nuq67BYYgkJE7X3IRcekZ79kD0Uhp9+3ftmQkehGX6Tf78T0rLx1+G8Qbj51uchxgBgBPDgon4YkTtkh1FbbHO9CnO0ykEFID14dJq60rx13ByHAnQpJIGhoKHTQl2XxZ8S1FCoSvdOn7yMXmdaS578HL7v5AuVTeF240ZkIpqPwTCljPTDz38ph3pHYuJEptoGYExyxxYQz7ZiZJ/ARdMjCTyf72F0uG96Tk1bY4IzvXnEd0spc7VpcZTQcOi9d0r8iASgN2W7Grle5Rdrnmo7KyvfZ/rj+Mj+EJLrU9aTOwr+EE00lNmprI/TQ9T95hvg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=juniper.net; dmarc=pass action=none header.from=juniper.net; dkim=pass header.d=juniper.net; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Sl2LZhvxifvXAZlIQjH2ASFFs06ToHG4LgpxUXr0jEg=; b=AP9frHUhUb9KgPzrVvxb35/JhqMMTYFSMlrsv2kIK11uHxr8VfjDtJ4+GCmQfScSP53uW27FK+UWiDFqlIJ0cLboIFufRNpEfiXVAxqUaKMShY8uhFMmPuizvlxKE5Rie9l1CNZAWPL6FJF9Tt9+pXWwENydR3UHnDBf5wvVs3c=
Received: from MN2PR05MB6109.namprd05.prod.outlook.com (2603:10b6:208:c4::20) by SN4PR0501MB3839.namprd05.prod.outlook.com (2603:10b6:803:4f::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5332.4; Thu, 2 Jun 2022 21:35:42 +0000
Received: from MN2PR05MB6109.namprd05.prod.outlook.com ([fe80::94e1:7be5:fc83:a725]) by MN2PR05MB6109.namprd05.prod.outlook.com ([fe80::94e1:7be5:fc83:a725%7]) with mapi id 15.20.5332.004; Thu, 2 Jun 2022 21:35:42 +0000
From: John Scudder <jgs@juniper.net>
To: Luigi Iannone <ggx@gigix.net>
CC: The IESG <iesg@ietf.org>, "draft-ietf-lisp-6834bis@ietf.org" <draft-ietf-lisp-6834bis@ietf.org>, "lisp-chairs@ietf.org" <lisp-chairs@ietf.org>, "lisp@ietf.org" <lisp@ietf.org>, Padma Pillay-Esnault <padma.ietf@gmail.com>
Thread-Topic: John Scudder's Discuss on draft-ietf-lisp-6834bis-12: (with DISCUSS and COMMENT)
Thread-Index: AQHYdfFCD2WHkc/FrU6fJi+bjq7kC608DPyAgACYi4A=
Date: Thu, 02 Jun 2022 21:35:41 +0000
Message-ID: <A77AE04E-1258-444C-B204-865A8EA20DB6@juniper.net>
References: <165411318509.23504.13233598973370234352@ietfa.amsl.com> <1D126FD8-B83A-48D0-B473-F9B13306DAEE@gigix.net>
In-Reply-To: <1D126FD8-B83A-48D0-B473-F9B13306DAEE@gigix.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3696.100.31)
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d462081d-1c5e-4894-8e4d-08da44dfd814
x-ms-traffictypediagnostic: SN4PR0501MB3839:EE_
x-microsoft-antispam-prvs: <SN4PR0501MB3839CDA2B44A5134A4110BE5AADE9@SN4PR0501MB3839.namprd05.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 4AsIjMIlKaLMYa6HMIUrb3pPnGsL8m4Y3+lcQUvVUv9EpY4uJvxN8rJhGn6uSq3MEaFL24ksv/1Ev267Dq79UhRU7cVfwa/CpZv89zFonKzQhsUHtmH3w5X3A2tb9jwknJB2qF3iGC99BnQIF/k8M220W5wzDKaf/qLJVuaUQFKlrINVuswWQ3d3HzvNk+mr/FhnzY8STru+lGb6j13FReWJ6LlQBp+kl2Q3entX7/Ifu9t1L09pSsbfUSP0Zyti4T9ugyUC9F3GCcO8MRx+8D7CDUjQo84JmghbLerUi/XvduXM1qihqJYx/jsf1EnmfP7L1YwFBBatrnPpeXvnxNLJIRPJfyGOJ429rLXHLVeKgJMBZJXGvfcD1OiEKJPOKUJKRDsbUQUEQoiScyGIw0mryiPylOLsRIyBuoTRvH5fQdn4vaUzFaq+bOxrQNyYPliwEIhP8CMLcNQ6ZsBJDUPt5B9qM6cuY32pXXa4zTBbr6GBDJqBvFG2w3+2BQojCFExFXQTgix8PbgNY6AgObeP8ScYYeFtDjP/z7P9dMT9IaWcfHwNA0wDlKigoIrtMVA2K+CA80pci64spB+d03LuryqlNCfblv/K7X4ba2Rxbac6PhZV0+w8v78nh26H/dvUMRA7L+FunLRfdXZxJjA1X0k9GfUa+SAGAMW/yw+KaFs812uJfQqkUNLAJ+JILE5V+kRRZXbA2skOR2RSu17kSONjEATe+YcpQU3rr9aZVUXS24WHXBQ8GxLZBW2X
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR05MB6109.namprd05.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(66946007)(66446008)(64756008)(76116006)(4326008)(8676002)(5660300002)(66476007)(186003)(66556008)(91956017)(38100700002)(8936002)(83380400001)(2616005)(6512007)(122000001)(2906002)(26005)(6506007)(38070700005)(33656002)(86362001)(71200400001)(508600001)(6486002)(6916009)(53546011)(54906003)(316002)(36756003)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: R5no5QHzS7wOk7+nlhohygS5BPht9PX6LvtxzALAGhjTOeuGQAcuDOt4QRnM4Z1kX3Msip+G8cQf7GdZ7RNx6docAqS8zgEw/Zf1i9hxJyRrWFQBjiJdogvvTQOqwyyq687s4q3fMnE/KfgGeHwdgtTJ1MM9/LorO0IpbBJC0UYLmnZwWe8+CbUr1Dgpu4+SVJiahgRPlGvBSNJ4yTblZH++QM7/V54qpRNsP6M8aYdnBzi4ODhdSD6VuG7/DTmhfpdWapK9vVm+ib5bLIuT9FlOQPfAi618ytRNp1sf5hCSmjHoZQQ9w8k2iOYcaK9zx4e9vlH1rXysvZHPjDn6UafrbZNKWkAZ1/RiBnk5VBLiWSz/H1E//V01kmlccjVcXV3vP7pvZcYE+hpz9VppFyume/+K827kmWk3DkPJErV33sRIDWyLuLZ/5g0hBdkPGerODINDCwFNd21fHaboTtyHlBVKX4JyVTodUBTmHcuXMXlgZ2vnIcNlQGKJ59f0YHInS5L2TpRGMosV9FSZLVBIIf83LGFlFBZEdlvWCIXRbdYJ6JB2ir8GvQxek5YhNbGwk774EAvLdkL7fZdLKys3obr1Lu3dIH6/sBWJkGo5kBaFW//IE1QsyhILHohnERzDaWsDlXiGJkqpPPeil1zdkyM3aSd2qk9QTW2Z0TBt6istOlDW4zg72cADsQgkTqll04JTXfnwTBXEn22nXxhdAYotcv+gNE1AgcS3M+TQ4XXFxoz65VQvCQHEG+QLCPWLJ6QVi8yBgPwiBiPvUhXai/B7wZkYho9q8zYRjNOeH09X2p/24CW4N9vGteeijnbqCkImCiIglQkKt8paWqP5WXxZdZ3+aVghzb5EV/Hdgfjf+e0gRilXVNl8dQiG3U9y+0D1SGd1mk3PP+VtoD5p+EQlessoED4sbq8aDP8nyd3NYxW6TFOtbz0DJwFoPYUQddkzTLGAVmrNcEyMOH0O4R+eJ85eaTAwiLbseSEB+Vs4HLY/bl3Qkpbl3dCCv3SEk2GFLj71oj+nnzxWuwL7ZOLMUWsuFkeSLAmzJJv5YmvYs5K6i3PivMb3FUxDnAKjIUopk1kclBuzrmmbtZ/ZGUvBDgyvvkd3MhY0sNRP5DGJFKqMzN/2sGO4NGWVszKfhnHT0bqPrX9+0aA6EZTKsarIVPJkpW1mxjUJrLHRZEYDEkxTk7i660ZWxAEr4I7jIgBZ5h9YFV/MANjTEcjM1bQlrqPmXbNOoT9aCd64w7QtcnDqIA+rSyBzqE60VBYJOvREbxEcc2hTFyXKx1CB6aAOOTkw/reCv/uOP8CsXTarWrExECYdMNJuIcoFFxeFz1tNkcbHN+VB9nFPtchmFMqE2kDX2vI2AFb/7MEUB2v6hnaoZRVAd29U+ckrIAfX3IIvOmT/ZOEMFfWHb6Bce91qh9yMUJu1aBlFYalhY5EVDECa9AhVDgOyppE+l/OoIhFI1nfPhbOSITvsE8JkAU0Nas7Fd8TsDzTdi2ebRE0C2/nrNaJDtBt8hUwVT72/UuQa9qieum0tUK6AQxBTsRNGFWzbHgd5qqnjYnEC55EPN+hD+nihMI6FFKDKS3u668Fm3nHZj5VFS2WJpIKqIZFC8QWag8f4LavI3EZFyQMIPv+1ZYJMseF6HnUBsJpjWBiEsnk7LrkNzYNxCAUacfnOAu813ZhAM1sVosFZ0h+S5Zh+ZL3e93OuvRnOkWLOH2sES3tUmanwE169L2I3ieeJl9SQCLucRMKtlMM=
Content-Type: text/plain; charset="utf-8"
Content-ID: <FEA1C647B0D33D40ACA9654041FBB033@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR05MB6109.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d462081d-1c5e-4894-8e4d-08da44dfd814
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Jun 2022 21:35:41.9499 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: tWN7hVyV16S4LmXxG+HOihPtek0tPzWi897sGpkBJE6+My/1959qnrHOkKw8Vyg4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN4PR0501MB3839
X-Proofpoint-GUID: sSJjK3XmKWENLvL8rBGVLBcBCZtGgIFm
X-Proofpoint-ORIG-GUID: sSJjK3XmKWENLvL8rBGVLBcBCZtGgIFm
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.874,Hydra:6.0.517,FMLib:17.11.64.514 definitions=2022-06-02_05,2022-06-02_01,2022-02-23_01
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 phishscore=0 mlxscore=0 lowpriorityscore=0 suspectscore=0 mlxlogscore=999 clxscore=1011 adultscore=0 bulkscore=0 malwarescore=0 impostorscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2204290000 definitions=main-2206020090
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/O_jkgJbquyWXsH1QFLRQKdcQiRY>
Subject: Re: [lisp] John Scudder's Discuss on draft-ietf-lisp-6834bis-12: (with DISCUSS and COMMENT)
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jun 2022 21:35:58 -0000

Hi Luigi,

Thanks for your reply. My comments are in line below.

> On Jun 2, 2022, at 8:29 AM, Luigi Iannone <ggx@gigix.net> wrote:
...
>> On 1 Jun 2022, at 21:53, John Scudder via Datatracker <noreply@ietf.org> wrote:
...
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>> 
>> This spec makes liberal use of the approach of dropping any packet received
>> with an unloved Map-Version number, for example (but not limited to)
>> 
>>  2.  The packet arrives with a Dest Map-Version number newer (as
>>      defined in Section 6) than the one stored in the EID-to-RLOC
>>      Database.  Since the ETR is authoritative on the mapping, meaning
>>      that the Map-Version number of its mapping is the correct one,
>>      this implies that someone is not behaving correctly with respect
>>      to the specifications.  In this case, the packet carries a
>>      version number that is not valid and packet MUST be silently
>>      dropped.
>> 
>> Isn’t it the case that by definition the packet has arrived at a valid ETR for
>> the mapping (since as the text says, “the ETR is authoritative”)? Isn’t the
>> map-version more in the nature of a hint than a critical-for-correctness field?
>> What bad behavior is being protected against by silently dropping this traffic,
>> that has arrived at a correct endpoint albeit with an incorrect hint?
> 
> The packet did not necessarily arrive at the correct ETR.
> We can take for instance the scenario depicted in Section A.3, where you want to shutdown an RLOC.
> Map-Versioning allows to trigger Map-Requests to make sure everybody uses the lates mapping, which in the example in Section A.3 means not using an ETR anymore. If the ETR continues to accept traffic and the IRT ignore the messages hinting at updating the mapping this will create problems.

I get that if the ITR ignores the hint it’s problematic, because after all you want to dry out the ETR prior to shutting it down (or shutting down the mapping). I’m not arguing that any of these cases is a *good* case, although I have argued that there are corner cases you’ve neglected. Rather, I’m advocating for the robustness principle — appropriately enough, there’s a vigorous debate going on over on arch-d right now about whether the robustness principle is a terrible idea or a good one. There are principled arguments both ways.

I don’t get why it will create problems for the ETR to continue to forward traffic for as long as the mapping exists, though. Obviously, when the mapping goes away, then it *can’t* forward the traffic. That’s a different case from what the document talks about though.

> We may want to consider “Do we really need to drop in each and every case?"
> May be not, but it is hard to define exactly when dropping is too much.

I agree that thinking through the cases is hard and saying “just drop the traffic” is easy, and probably safe. (Only “probably” because I haven’t thought through whether there’s any way for an attacker to trick me into throwing away packets I shouldn’t, thereby completing the attack for them.)

> Incidentally, the MUST was previously a SHOULD, but we were unable to give a good definition of when the packets should not be dropped.
> 
>> 
>> At various points in the document there's a kind of vague assertion that
>> incorrect map-versions could be an attack. While I don't deny that, the
>> assertion isn't supported or elaborated on anywhere that I saw, which is
>> worrying and also makes it less convincing. Shouldn't the Security
>> Considerations talk about this?
> 
> The risk of attack is mentioned only twice in the document.

OK. I apologize for overstating the pervasiveness. To be more specific about places I found (by searching for “drop”) that are unconvincing/unspecific as to the rationale, I see:

"Such a case is not valid with respect to the
       specifications."

"someone is not behaving correctly with respect
       to the specifications”

"or (worse)
       it might be some form of attack”

"either someone has not
   respected the Record TTL or it is a form of spoof/attack”

To be candid, if these bits of editorializing hadn’t been in the document, I might not have started thinking about the question of why you’re dropping the traffic to begin with. 

> Yes, in a general way, because can be  DDoS, spoofing, or amplification.
> These are discussed in RFC 7835.

Are you referring to RFC 7835 Section 3.3? I did check that (and I mention it a few lines down). Or is there some other relevant analysis in that RFC?

> Security consideration has a whole paragraph about DDoS.
> I am unsure on what exactly you consider as missing.

Consideration about the tradeoffs between collateral damage to legitimate traffic, manageability of the system (how is the operator supposed to figure out why their traffic is being silently discarded?), and protection against attack. It’s a multidimensional space with costs and benefits on each dimension.

>> I did also go have a look at the Security
>> Considerations in draft-ietf-lisp-rfc6833bis-31, which also didn't help me. RFC
>> 7835 §3.3 does touch on this, suggesting that maybe an attacker could use a
>> spoofed Map-Version to trigger a DoS attack. But this, too, is an unsatisfying
>> rationale, since as you take pains to point out, rate limiting of Map-Requests
>> and such is required.
> 
> Which allows not to flood the network but can itself be attacked. If a create a lot of false packets triggering Map-Requests trigger a lot of Map-Requests that will fill up the rate limit. This is just another form of DoS.

Your point being that a naive shared-queue rate-limiter will allow attack traffic to starve out legitimate Map-Requests? Fair enough, although it seems likely that a modestly more sophisticated design would mitigate that risk. It would be fair to point out that by applying the mitigation as close to the attack as possible, you let the rest of your system be kept simple — I just want to explore the question of whether the cost of that simplicity is worth the benefit.

>> Furthermore, if triggering Map-Requests is the concern,
>> couldn't the packet still be delivered, without triggering a Map-Request?
> 
> Yes, you disable Map-Versioning ;-)

Sorry, I don’t follow your point. (Maybe it’s just a joke that evaded my sense of humor, you don’t have to explain if it’s not relevant.)

> More seriously, not every packet will cause sending a  Map-Request because of the rate limitation.
> I do not see other implementable mechanisms to make a more fine grained decision.
> Or do you have something specific in mind?

I thought it was clear but let me restate. I’ll use an example since the first attempt wasn’t clear.

- Suppose an ETR E gets packet P, which dest map-version N. 
- Suppose N is “greater than” the current map-version at the ETR.
- According to the spec, E silently discards P.
- I’m wondering if E could forward P according to its local mapping.
- Note that E would not generate a SMR.

Benefits: 
+ user traffic gets delivered.

Drawbacks: 
- lack of delivery can be a (very crude!) signal to the user that something is wrong, so maybe the problem would be less likely to be fixed.
- ?

>> When this was an Experimental protocol this kind of thing was probably less
>> crucial to justify and explain, but I would have expected the experiment to
>> produce results that could be fed into this document. At the moment, the "drop
>> any packet that doesn't comply with expectations" design feels arbitrary and
>> potentially brittle. I would appreciate some discussion of this design choice,
>> thanks in advance.
> 
> We had long discussions about security in the bis documents with Ben Kaduk (former Security AD) and my impression was that is better to be a bit conservative. But I am not a security expert either.

OK.

> I am not sure the above explanation are sufficient.
> Revision -13 has only some fixes for the IESG telecast.
> We can certainly discuss more your concerns and better identify what is missing afterwards.

Thanks. Discussion is what it’s all about. :-) In the end, if the WG has made an informed decision that erring on the side of caution is better, given the costs, I’m comfortable with that. I wasn’t confident, from reading the document, that the costs had been considered, so that’s why we’re having this discussion. 

> I will anyway issue a -14 revision to fix the comments below

Thanks, I’ll look forward to having a look at that.

Regards,

—John

v2.23.0 | Report a Bug | By Email