Re: [lisp] Benjamin Kaduk's Discuss on draft-ietf-lisp-rfc6833bis-27: (with DISCUSS and COMMENT)
Albert Cabellos <albert.cabellos@gmail.com> Tue, 29 September 2020 23:31 UTC
Return-Path: <albert.cabellos@gmail.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B69563A13BF; Tue, 29 Sep 2020 16:31:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uZXGU1lCZikz; Tue, 29 Sep 2020 16:31:56 -0700 (PDT)
Received: from mail-ej1-x642.google.com (mail-ej1-x642.google.com [IPv6:2a00:1450:4864:20::642]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A48E43A1192; Tue, 29 Sep 2020 16:31:55 -0700 (PDT)
Received: by mail-ej1-x642.google.com with SMTP id nw23so40580ejb.4; Tue, 29 Sep 2020 16:31:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=VT9wJzdpeXpbtnsvb6m4iaB4vjfxvpkIIdVPdaly14I=; b=KpRQiVeoh7x8/QsGkQoAfkoGm5XkzSB9ccpdqUW2JtCPE/bY7TXHqtIVtSDqyG5jZk 15VPoadiTRaQ7k2jnqk9xIyfWmA77Ik2pkvC2o3Ehln+kbWKCP7E479/2o3PAlysVJRz T9nzQGz7pNXjZ2l3Z6rhS2GE4n3hYjdAPqIHWRHpR7yw+R5vOJept3NgaXDeRdJkXV/y rozSvCxwVjZTZc7/JORhgKh4viv4KJP/sy/aI1mfP4rAik9f5/6hE3vcDmLPu0q5aMQI 9SnIgM8QIEqD2XFBsBFFpd4bcVN539do4oeOom49BanfQAhW4lIuyazppacTT8LeyeqY Yu1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=VT9wJzdpeXpbtnsvb6m4iaB4vjfxvpkIIdVPdaly14I=; b=lOEEajxc/kYjEeEJ6x/43+a2yz517qoKA8mMgi6T/ue7SDK2zCPH81xljfwyib+RMq dnTbya4t/nFBH76AmmplLgE39mgP8+ZLETPUnzm5fFXm0DgxFJ9KdCFQ27CkJAsoC5O3 Eg99jmLgZsSKLpjFcZwc50kclInyXxzsCaOjmxl+6Y2D+uxfQil/s3EYtNuv1H9IjTMw 4cJJjb5jcXDqH0+kBJRW6oxKwnuXXDtP/CgT2Sabt7qjYIwfX/MQiYMZ/5LZboIjZxhu INoZw5FJNR0QBF+hhQFx3H4cdjPEcznP2XHL5On21w50JE8eREuwmFmI6wgJLBUjbOD/ N1Jg==
X-Gm-Message-State: AOAM533G/cgXrsxKln8Q3nLiHA6W+SwiO68vYhUnqApVCH5SNcqV+ZRp 0MMhqX+wh42XCbG9AqiZcb5HzAoO+XZXXsykPoyFFwRHQuhKyA==
X-Google-Smtp-Source: ABdhPJyNZJAA1wnEbbEYVZ17pdX5FyAYkW8dlIjBTrsfJgnA7EUF+toJ/S3KwpdowvbqsF8Wna72kGeD5A8ZLcsfeJU=
X-Received: by 2002:a17:906:1fc8:: with SMTP id e8mr47582ejt.280.1601422313083; Tue, 29 Sep 2020 16:31:53 -0700 (PDT)
MIME-Version: 1.0
References: <159426875528.23772.1139572762754451391@ietfa.amsl.com>
In-Reply-To: <159426875528.23772.1139572762754451391@ietfa.amsl.com>
From: Albert Cabellos <albert.cabellos@gmail.com>
Date: Wed, 30 Sep 2020 01:31:42 +0200
Message-ID: <CAGE_Qew85wSDpuWkpPfUOAsr2q1a56E024bO6jad11r427wcLw@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, lisp-chairs@ietf.org, "lisp@ietf.org list" <lisp@ietf.org>, draft-ietf-lisp-rfc6833bis@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/Y3myJ8AqmhyUkNkb_X09kRYvt0Y>
Subject: Re: [lisp] Benjamin Kaduk's Discuss on draft-ietf-lisp-rfc6833bis-27: (with DISCUSS and COMMENT)
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Sep 2020 23:32:00 -0000
Hi I´ve posted -29 following your comments, please find inline specific responses: On Thu, Jul 9, 2020 at 6:26 AM Benjamin Kaduk via Datatracker <noreply@ietf.org> wrote: > > Benjamin Kaduk has entered the following ballot position for > draft-ietf-lisp-rfc6833bis-27: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-lisp-rfc6833bis/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > (1) The -27 brought back the "MUST" for HMAC-SHA256-128 in Section 5.6 per > my ballot on the -26, but left unchanged section 9, so we still have a > SHOULD vs. MUST inconsistency w.r.t. implementing > HMAC-SHA256-128+HKDF-SHA256. (I would of course prefer the same > resolution of the inconsistency that Roman does, but have forgotten to > what extent we have to defer to the deployed reality.) > >From a deployment reality perspective, I think that this makes sense: Implementations of this specification MUST implement HMAC-SHA-256-128 and SHOULD implement HMAC-SHA256-128+HKDF-SHA256 Now it is consistent across the document. Please let me know your view on this. > > (2) It looks like the update in Section 5.7 is attempting to address my > point about only terminating Map-Notify retransmission when the > authentication data of the Map-Notify-Ack validates, but the added text > is either misplaced or malformed. Perhaps > > CURRENT: > The Map-Notify-Ack message has the same contents as a Map-Notify > message. It is used to acknowledge the receipt of a Map-Notify and > for the sender to stop retransmitting a Map-Notify with the same > nonce and the authentication data validates. [...] > > NEW: > The Map-Notify-Ack message has the same contents as a Map-Notify > message. It is used to acknowledge the receipt of a Map-Notify and, > once the the authentication data is validated, allows for the > Map-Notify sender to stop retransmitting a Map-Notify with the same > nonce. [...] > Changed, thanks. > (3) I think that Eric Rescorla's concern about a misbehaving ETR being > able to prevent an ITR from learning that the ETR is no longer the > appropriate ETR for a given prefix remains unaddressed. I wrote up a > longer description at > https://mailarchive.ietf.org/arch/msg/lisp/O2ycn4CkWsPhFyqrZuB4ZJBNnl0/ > but in short, we only require the ITR to send its Map-Request through > the mapping system (vs. directly to the ETR) when SMR is sent from an > address not in the current mapping data for that prefix -- if the SMR is > sent from an address in the current mapping data, we allow sending > Map-Request directly to the ETR, outside the mapping system. I don't > see a mechanism that guarantees that such a "revocation" event is > noticed by the ITR. > Updated the section, now all SMR-invoked Map-Requests MUST be sent through the Mapping System (This is what deployments are doing): An SMR message is simply a bit set in a Map-Request message. An ITR or PITR will send a Map-Request (SMR-invoked Map-Request) when they receive an SMR message. While the SMR message is sent through the data-plane, the SMR-invoked Map-Request MUST be sent through the Mapping System (not directly). > (4) The specification of the MAC+KDF algorithms doesn't seem detailed > enough to be implementable. RFC 4868 is attempted to be used as a > reference for both HMAC-SHA256-128 (er, and the one-character-off > HMAC-SHA-256-128) and HKDF-SHA2562 (note spurious final '2'), but I > think it can only work as a reference for the MAC algorithm. Presumably > we need RFC 5869 or such for the KDF part > Fixed, thanks. > (5) This is probably my fault, but we're missing a step with how we > describe the Map-Notify/Map-Notify-Ack per-message authentication. > Specifically, while we do say that the authentication data needs to be > recomputed each time, we don't clearly state that this is because the > correct per-message key is different, because we are using a different > 's' input to the KDF function for the different messages. In line with > the "Map-Register Authentication" used for Map-Register, this would > presumably be "Map-Notify Authentication" and "Map-Notify-Ack > Authentication", but neither of those strings appear in this document. > We might be able to localize the change to Section 5.6, akin to > > OLD: > 4: The derived per-message key is computed as: per-msg- > key=KDF(nonce+s+PSK[Key ID]). Where the nonce is the value in > the Nonce field of the Map-Register and 's' is a string equal > to "Map-Register Authentication". [...] > > NEW: > 4: The derived per-message key is computed as: per-msg- > key=KDF(nonce+s+PSK[Key ID]). Where the nonce is the value in > the Nonce field of the Map-Register and 's' is a string that > corresponds to the message type being authenticated. For > Map-Register messages, it is equal to "Map-Register > Authentication". Similarly, for Map-Notify and Map-Notify-Ack > messages, it is "Map-Notify Authentication" and > "Map-Notify-Ack Authentication", respectively. > Fixed. > However, I think the rhetoric would be more robust if we also modified > Section 5.7 to mention the existence of the different 's' values (or, > rather, the different per-message key) when we say that the > authentication data is recomputed. Perhaps, s/is recomputed/is > recomputed using the corresponding per-message key/ (twice). > > Fixed, thanks. > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Abstract > > database designs. Since these devices implement the "edge" of the > LISP Control-Plane infrastructure, connecting EID addressable nodes > of a LISP site, their implementation and operational complexity > reduces the overall cost and effort of deploying LISP. > > I think there might be a "simplifying" or "reducing" missing here > (w.r.t. "their implementation and operational complexity"). > Fixed. > Section 1 > > Conceptually, LISP Map-Servers share some of the same basic > configuration and maintenance properties as Domain Name System (DNS) > [RFC1035] servers; likewise, Map-Resolvers are conceptually similar > > I suggest adding "authoritative" to the DNS servers of the analogy. > Fixed. > Section 3 > > Map-Resolver: A network infrastructure component that accepts LISP > Encapsulated (ECM) Map-Requests, typically from an ITR, and > determines whether or not the destination IP address is part of > the EID namespace; if it is not, a Negative Map-Reply is returned. > Otherwise, the Map-Resolver finds the appropriate EID-to-RLOC > mapping by consulting a mapping database system. > > This could perhaps be misread as implying that the Map-Resolver returns > the appropriate EID-to-RLOC mapping to the requestor directly, whereas > IIRC the reply is sent directly from the ETR/Map-Server. > Fixed. > Section 4 > > A Map-Server is a device that publishes EID-Prefixes in a LISP > mapping database on behalf of a set of ETRs. When it receives a Map > Request (typically from an ITR), it consults the mapping database to > > I feel like I said this already but forgot the answer; sorry for the > duplication: the Map-Server is not getting the request directly from the > ITR, but rather from the mapping system or a Map-Resolver. Do we want > to say something like "originating from an ITR" to clarify? > Fixed. > Section 5.2 > > A: This is an authoritative bit, which is set to 0 for UDP-based Map- > Requests sent by an ITR. It is set to 1 when an ITR wants the > destination site to return the Map-Reply rather than the mapping > database system returning a Map-Reply. > > I'm not sure this paints a clear picture of when the bit is/isn't set. > Are Map-Requests sent by an ITR that want the destination site to reply > (rather than the mapping database) sent over some non-UDP-based scheme? > Do ECM messages count as UDP-based? > (I would make this a Discuss for lack of clarity but that would be > double-jeopardy.) > Reworded to: <t hangText="A:"> This is an authoritative bit, it is set to 1 when an ITR wants the destination site to return the Map-Reply rather than the mapping database system returning a Map-Reply, and set to 0 otherwise. for clarification. > p: This is the PITR bit. This bit is set to 1 when a PITR sends a > Map-Request. > > It might be worth saying something about what the recipient would do > with the knowledge that the Map-Request was PITR-generated (rather than > ITR-generated?). > Added “the use of this bit is deployment-specific”. > L: This is the local-xtr bit. It is used by an xTR in a LISP site to > tell other xTRs in the same site that it is part of the RLOC-set > for the LISP site. The L-bit is set to 1 when the RLOC is the > sender's IP address. > > I'm not sure which RLOC is "the" RLOC -- the message format seems to > allow multiple ITR-RLOC entries. > This is used when multiple XTR serve the same EID on the same LISP-site. > D: This is the dont-map-reply bit. It is used in the SMR procedure > described in Section 6.1. When an xTR sends an SMR Map-Request > message, it doesn't need a Map-Reply returned. When this bit is > > Should this get s/SMR Map-Request message/SMR message/ as was done > elsewhere in response to my comments on a previous version? > Agreed, changed > EID-Prefix: This prefix address length is 4 octets for an IPv4 > address family and 16 octets for an IPv6 address family when the > EID-Prefix-AFI is 1 or 2, respectively. For other AFIs [AFI], the > address length varies and for the LCAF AFI the format is defined > in [RFC8060]. [...] > > Just to check: if I get a Map-Request that uses an AFI I don't > recognize, I have to abort parsing the packet since I don't know how > many bytes to skip? It seems like this might negatively affect the > ability to introduce new AFIs. > Good catch, added this sentence: LISP control-plane messages that include an unrecognized AFI MUST be dropped and the event MUST be logged. > Map-Reply Record: When the M-bit is set, this field is the size of a > single "Record" in the Map-Reply format. This Map-Reply record > contains the EID-to-RLOC mapping entry associated with the Source > EID. This allows the ETR that will receive this Map-Request to > cache the data if it chooses to do so. > > We could perhaps mention something about whether the ETR believes the > message is trustworthy, too, since it does not have the benefit of > having gone through mapping system validation. > Added “It is important to note that this mapping has not been validated by the Mapping System.” > Section 5.3 > > Map-Requests MUST be rate-limited to 1 per second per EID-prefix. > After 10 retransmits without receiving the corresponding Map-Reply > must wait 30 seconds. > > nit: incomplete sentence. > Added “… the sender...” > a Map-Cache entry. If the ETR (when it is an xTR co-located as an > ITR) has a Map-Cache entry that matches the "piggybacked" EID and the > RLOC is in the Locator-Set for the cached entry, then it MAY send the > "verifying Map-Request" directly to the originating Map-Request > source. If the RLOC is not in the Locator-Set, then the ETR MUST > send the "verifying Map-Request" to the "piggybacked" EID. Doing > this forces the "verifying Map-Request" to go through the mapping > database system to reach the authoritative source of information > about that EID, guarding against RLOC-spoofing in the "piggybacked" > mapping data. > > side note: Does it make much practical difference to send the > Map-Request to the EID as the destination address vs. just consulting > the mapping system to look up that EID? It seems like the former is > strictly more work, and I'm not sure what additional benefit is gained > from that additional work. I guess, reachability information for the > EID in question. > Updated to: An ITR that is configured with mapping database information (i.e., it is also an ETR) MAY optionally include those mappings in a Map-Request. When an ETR configured to accept and verify such "piggybacked" mapping data receives such a Map-Request and it does not have this mapping in the Map-Cache, it MUST originate a "verifying Map-Request" through the mapping database to validate the "piggybacked" mapping data. > Section 5.4 > > P: This is the probe-bit, which indicates that the Map-Reply is in > response to a Locator reachability probe Map-Request. The 'Nonce' > field MUST contain a copy of the nonce value from the original > Map-Request. [...] > > The description of the nonce field says that it's always copied from the > Map-Request; is this MUST adding any additional requirements? > Updated to “must” > Record Count: This is the number of records in this reply message. > A record is comprised of that portion of the packet labeled > 'Record' above and occurs the number of times equal to Record > Count. > > We say earlier that the record count in a Map-Request is (artificially) > limited to 1 for this document; we might note here that the reply count > can be larger than the request count, e.g., when there's a need to > return more-specifics that are carved out from the best match to the > requested EID. > Changed. > Locator Count: This is the number of Locator entries in the given > Record. A Locator entry comprises what is labeled above as 'Loc'. > The Locator count can be 0, indicating that there are no Locators > for the EID-Prefix. > > Do we want to say "also known as a negative Map-Reply"? > There are other reasons for a 0 locator count. > (0) No-Action: The Map-Cache is kept alive, and no packet > encapsulation occurs. > > (1) Natively-Forward: The packet is not encapsulated or dropped > but natively forwarded. > > It might be worth a few words about how these two differ, as the "no > encapsulation" part is superficially similar. > > A: The Authoritative bit MAY only be set to 1 by an ETR. A Map- > Server generating Map-Reply messages as a proxy MUST NOT set the > A-bit to 1 by an ETR, and not a Map-Server generating Map-Reply > messages as a proxy. This bit indicates to requesting ITRs that > > nit: looks like a botched edit, with the "and not a Map-Server > generating Map-Reply messages as a proxy" sticking around when it should > have been removed. > Fixed, thanks. > the Map-Reply was not originated by a LISP node managed at the > site that owns the EID-Prefix. > > Please confirm that the "not" is correct, here. > Typo, thanks. Changed to: This bit indicates to the requesting ITRs if the Map-Reply was originated by a LISP node managed at the site that owns the EID-Prefix. > 12.5% of the traffic. If all Weights for a Locator-Set are equal, > the receiver of the Map-Reply will decide how to load-split the > traffic. See RLOC-hashing [I-D.ietf-lisp-rfc6830bis] for a > > "equal" or "equal to zero"? Just "equal" seems like it needlessly > overloads the semantics for uniform balancing. (Similarly for the > multicast weight.) > “equal” seems correct to me. > R: This is set when the sender of a Map-Reply has a route to the > Locator in the Locator data record. This receiver may find this > useful to know if the Locator is up but not necessarily reachable > from the receiver's point of view. See also EID-Reachability > Section 7.1 for another way the R-bit may be used. > > I'm not finding mention of the R-bit in Section 7.1; am I missing > something? > correct, removed reference to section 7.1 This was a leftover from previous edits. > The Record format, as defined here, is used both in the Map-Reply and > Map-Register messages, this includes all the field definitions. > > (We also mentioend in the previous section that a single record in this > format can be present in the Map-Request.) > > Section 5.5 > > either from the destination field of an IP header of a Data-Probe or > the EID record of a Map-Request. The RLOCs in the Map-Reply are > > nit(?): "EID of a record of a Map-Request"? > You are right, updated. > invoking the reply. The source address of the Map-Reply is one of > the local IP addresses chosen, to allow Unicast Reverse Path > > Something seems amiss here. It might just be that the comma is > misplaced (after chosen vs. before it), but that hinges on the nature of > the choice in question. > > Section 5.6 > > E: This is the Map-Register EID-notify bit. This is used by a First- > Hop-Router (FHR) which discovers a dynamic-EID. This EID-notify > based Map-Register is sent by the FHR to the same site xTR that > propogates the Map-Register to the mapping system. The site xTR > > nit(???): I think maybe s/the same site/a same-site/, though that > nominally changes the meaning. > You are right, updated. > 4: The derived per-message key is computed as: per-msg- > key=KDF(nonce+s+PSK[Key ID]). Where the nonce is the value in > > There's some notational quirks to handle here, since a KDF() function is > typically represented as taking two inputs, an input key material and a > salt, and depending on context an output length as well. (Though > resolving this may depend on how discuss point (4) is resolved.) > > We should probably also say that '+' is used to represent concatenation. > Updated to, please let me know if this is correct: The derived per-message key is computed as: per-msg-key=KDF(nonce+PSK[Key ID],s). Where the nonce is the value in the Nonce field of the Map-Register, '+' denotes concatenation and 's' (the salt) is a string that corresponds to the message type being authenticated. For Map-Register messages, it is equal to "Map-Register Authentication". Similarly, for Map-Notify and Map-Notify-Ack messages, it is "Map-Notify Authentication" and "Map-Notify-Ack Authentication", respectively. For those Algorithm IDs defined in <xref target="KEYS"/> that specify a 'none' KDF, the per-message key is computed as: per-msg-key = PSK[Key ID]. This means that the same key is used across multiple protocol messages. > Section 5.7 > > procedure defined in the previous section. For an unsolicited Map- > Notify, the fields of a Map-Notify used for publish/subscribe are > specified in [I-D.ietf-lisp-pubsub]. > > We probably want to tweak how we make this reference to avoid a > perceived need to make pubsub a normative reference. Perhaps something > like "the Map-Notify message can also used, outside the scope of this > specification, in an unsolicited manner, such as is specified in > [pubsub]". Also, there are other ways to get an unsolicited Map-Notify, > right? This text doesn't really make that clear. > Right, updated. > A Map-Server sends an unsolicited Map-Notify message (one that is not > used as an acknowledgment to a Map-Register message) in only > > nit: s/in only/only in/ (my fault, sorry) > > conformance the Congestion Control And Relability Guideline sections > of [RFC8085]. A Map-Notify is retransmitted until a Map-Notify-Ack > > nit: s/conformance/conformance with/ > Fixed both typos, thanks. > Upon reception of Map-Register, Map-Notify or Map-Notifiy-Ack, the > receiver verifies the authentication data. > > I suggest adding "If the authentication data fails to validate, the > message is dropped without further processing". > Added > Section 5.8 > > LISP: Type 8 is defined to be a "LISP Encapsulated Control Message", > and what follows is either an IPv4 or IPv6 header as encoded by > the first 4 bits after the 'Reserved' field. > [...] > S: This is the Security bit. When set to 1, the field following > the 'Reserved' field will have the following Authentication > Data format and follow the procedures from [I-D.ietf-lisp-sec]. > > So is it the IP version or the authentication data that follows the > Reserved field? > Correct, updated to: <t hangText="LISP:">Type 8 is defined to be a "LISP Encapsulated Control Message", and what follows is either an IPv4 or IPv6 header as encoded by the first 4 bits after the 'Reserved' field, or the Authentication Data field <xref target="I-D.ietf-lisp-sec"/> if the S-bit (see below) is set.</t> > Section 6.1 > > mapping data. Please note that this procedure does not result in > cryptographic or strongly authenticated verification. > > "in the absence of [LISP-SEC]". > This text has already changed per another edit. > When an ITR receives an SMR-based Map-Request for which it does not > > One more s/SMR-based Map-Request/SMR message/, I think (I missed it in > my review of the -26). > Updated in a previous edit. > Section 7 > > 4. An ITR may receive a Map-Reply from an ETR in response to a > previously sent Map-Request. The RLOC source of the Map-Reply is > likely up, since the ETR was able to send the Map-Reply to the > ITR. > > I note that in the analogous text in 6830bis (Section 10), we have a > furthe statement "Please note that in some scenarios the RLOC [from the > outer header] can be an spoofable field." > Added. > When ITRs receive ICMP Network Unreachable or Host Unreachable > messages as a method to determine unreachability, they will refrain > from using Locators that are described in Locator lists of Map- > Replies. However, using this approach is unreliable because many > network operators turn off generation of ICMP Destination Unreachable > messages. > > I think there is also some level of unreliability in the other direction > -- even when following draft-ietf-opsec-icmp-filtering and validating > the echoed contents, the contents could in some cases be sufficiently > predictable that an attacker could spoof them. Having random > nonces/ports be in use helps, of course, but the ICMP message could be > generated in response to arbitrary traffic, not all of which will > necessarily have all of those. > > The ITR can test the reachability of the unreachable Locator by > sending periodic Requests. Both Requests and Replies MUST be rate- > > nit: I think we haven't been using the bare forms of "Requests" and > "Replies" (in favor of the "Map-" prefixed forms). > Agreed, updated. > Section 8.1 > > o A Negative Map-Reply, with action code of "Natively-Forward", from > a Map-Server that is authoritative (within the LISP deployment > Section 1.1) for an EID-Prefix that matches the requested EID but > that does not have an actively registered, more-specific EID- > prefix. In this case, the requested EID is said to match a "hole" > > Presumably the more-specific prefix still needs to match the requested > EID? > It has a less-specific matching the EID, and a more-specific ‘hole’ (not registered) matching the EID. > Section 9 > > 3. LISP-SEC [I-D.ietf-lisp-sec] MUST be implemented. Network > operartors should carefully weight how the LISP-SEC threat model > > nit: s/operartors/operators > Fixed in a previous edit. > The Map-Request/Map-Reply message exchange to inject forged mappings > directly in the ITR EID-to-RLOC map-cache. This can lead to traffic > > nit: the grammar's a bit off, maybe s/to inject/can inject/? > Added “…can also be exploited…” > attacks. In this case, attackers can claim to own an EID-prefix that > is larger than the prefix owned by the ETR. Such attacks can be > > I'd consider adding ", since the Map-Reply is sent directly from ETR to > ITR without a chance for validation by the mapping system". > > addressed by using LISP-SEC [I-D.ietf-lisp-sec]. The LISP-SEC > protocol defines a mechanism for providing origin authentication, > integrity, protection, and prevention of 'man-in-the-middle' and > > nit: s/integrity,/integrity/ (spurious comma) > Removed comma. > replay attacks by a man-in-the-middle. However, a compromised ETR > can overclaim the prefix it owns and successfully register it on its > corresponding Map-Server. To mitigate this and as noted in > > The "can overclaim" is a little weird since we go on to describe the > mandatory mitigation against this attack. Maybe something with "could" > or a more drastic rewording to "there is a potential attack where a > compromised ETR could"? > Updated. > Section 11 > > [I did not attempt to double-check that the listed changes match the > actual differences between RFC 6833 and this document, but do note that > it looks like the authors did so at some point since my initial review.] > > o This document is incorporating the codepoint for the Map-Referral > message from the LISP-DDT specification [RFC8111] to indicate that > a Map-Server must send the final Map-Referral message when it > participates in the LISP-DDT mapping system procedures. > > It's pretty hard to claim that RFC 8111 is only an informative reference > in light of statements like this that a Map-Server needs to do something > from it when a flag bit defined by this document is set. > > Section 12.3 > > New ACT values can be allocated through IETF review or IESG approval. > Four values have already been allocated by [RFC6830], IANA is > requested to replace the [RFC6830] reference for this registry with > the RFC number assigned to this document and the [RFC6830]. Action > > nit: comma splice. Updated. > > values references with the RFC number assigned to this document. > > nit: incomplete sentence (lingering remnants of a previous edit that > should just get removed?) > Fixed. > Section 12.4 > > The IANA registry "LISP Canonical Address Format (LCAF) Types" is > used for LCAF types. The registry for LCAF types use the > Specification Required policy [RFC8126]. Initial values for the > > "Specification Required" includes review by designated experts. Do we > want to give any guidance to the experts for reviewing new submissions? > (Similarly for other registries; I note that the LISP Bit Flags section > doesn't use the "Specification Required" keyword.) > > Section 13.1 > > We don't currently cite RFC 6347 in a way that requires a normative > reference. Though I for one wouldn't mind if we made DTLS mandatory > somewhere :) > > Section 13.2 > > We nominally have a "MUST" for behavior from RFC 1071, that would make > it a normative reference, but this is pretty foundational so it seems a > bit like overkill. > > > > _______________________________________________ > lisp mailing list > lisp@ietf.org > https://www.ietf.org/mailman/listinfo/lisp
- [lisp] Benjamin Kaduk's Discuss on draft-ietf-lis… Benjamin Kaduk via Datatracker
- Re: [lisp] Benjamin Kaduk's Discuss on draft-ietf… Albert Cabellos
- Re: [lisp] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk