Re: [lisp] John Scudder's Discuss on draft-ietf-lisp-sec-26: (with DISCUSS)

John Scudder <jgs@juniper.net> Wed, 15 June 2022 15:22 UTC

From: John Scudder <jgs@juniper.net>
To: Luigi Iannone <ggx@gigix.net>
CC: The IESG <iesg@ietf.org>, "draft-ietf-lisp-sec@ietf.org" <draft-ietf-lisp-sec@ietf.org>, "lisp-chairs@ietf.org" <lisp-chairs@ietf.org>, "lisp@ietf.org" <lisp@ietf.org>
Thread-Topic: John Scudder's Discuss on draft-ietf-lisp-sec-26: (with DISCUSS)
Date: Wed, 15 Jun 2022 15:21:49 +0000
Message-ID: <9C8DF544-3F68-42EC-9D52-40DEAA9B579D@juniper.net>
References: <165525946025.9886.1713011288499892827@ietfa.amsl.com> <94A5FB19-1DD3-4122-B96D-8CD020136D67@gigix.net> <D2D80E5E-0512-49B8-BD6E-5ED023F95437@juniper.net> <43943229-AF01-41E6-B5A4-195A00B4F904@gigix.net>
In-Reply-To: <43943229-AF01-41E6-B5A4-195A00B4F904@gigix.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/yc-jbYxTL61pPil0psZlRl4U-nU>

Hi Luigi,

I’m going to update my ballot and clear the DISCUSS; thanks for the conversation. You can reply to the below comments if you like, but I don’t insist; I take the point that the WG has taken an informed decision to build a solution with suboptimal performance for compatibility reasons. You didn’t say this, but possibly the WG is assuming configuration will almost always prevent these cases from happening because deployments will be homogeneous (or at least under a common, and competent, administration).

> On Jun 15, 2022, at 11:01 AM, Luigi Iannone <ggx@gigix.net> wrote:
...
> Yes, but …
> 
> There are two scenarios to consider:
> 1. The Map-Server is acting as proxy for the requested mapping.
> 2. The Map-Server does not act as proxy for the requested server.
> 
> Case 1.
> 
> If the Map-Server is acting as proxy, then it is entitled to reply with a Map-Reply on behalf of the ETRs registering the mapping. In this case it could (as you suggest) send back a Map-Reply proposing a different KDF ID; this is already in the specs.
> The next question IMO is what do you put in the reply itself? According to specifications if the mapping exists you send it back. In LISP there is no message “please ask again”. This is the part that generates overhead.

Again, since the ITR is going to throw the message away anyway, the answer could be “who cares what you put in there”. I mean, presumably you’d put in whatever the minimal set of bytes is to make the reply not be considered malformed in some other way, but beyond that, it doesn’t matter.

> Case 2.
> 
> This is similar, just that now it is the ETR that is replying. Same question as in the previous case: what to put in the reply? Besides, the ETR is not aware that the Map-Server changed the KDF-ID, because there is no trace in the packet.

Is there something in the protocol (other than perhaps some MUSTs in a spec document, that could be updated by a new spec document, such as the current one) that would prevent the Map-Server from proxying back the reply (your Case 1) even in the case where it hasn’t been properly designated as a proxy? The logic would go something like:

If the Map-Server is changing the KDF ID, proxy back a bare-bones message as in Case 1,
Else
	If the Map-Server is a proxy, do the proxy thing,
	Else forward to ETR

Assuming the protocol doesn’t have some feature that prevents this, the rationale behind the Map-Server doing this is pretty easy: it knows a priori that the work the ETR is going to do will all be wasted and the only field that the ITR will act on is the one the Map-Server is inserting.

> Your suggestion is basically to send back something else. The LISP-SEC-ECM is a wrapper, it has to encapsulate a LISP Control Message, so in order to work you need to define a new message or just put the Map-Reply.

As discussed above my speculation is that you could shove in a minimal (probably predefined) string of bytes as the so-called “LISP Control Message”, since you know a priori those bytes will never be used or even inspected (at least, that’s what “MUST discard” means to me).

> The current draft uses the second option.
> 
> I am not arguing which solution is better, I am just trying to clarify the design choice that has been made by the authors and the WG.
> (As an input for your telecast tomorrow)

I appreciate your taking the time.

—John
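The two Map-Server behaviours debated in this message, modelled as an added example that is not from the draft, the thread or any LISP implementation: a toy Python simulation whose message layout, KDF ID values and the ITR's retry step are assumptions, used only to count how many ETR Map-Replies end up built and then discarded on each path.

```python
# Added example (not from draft-ietf-lisp-sec or the thread): a toy model of
# the current-draft path versus the proposed short-circuit path when the ITR
# proposes a KDF ID the Map-Server does not support. Field names, KDF ID
# values and the ITR retry are simplifying assumptions, not protocol detail.
from dataclasses import dataclass


@dataclass
class MapReply:
    kdf_id: int        # KDF ID the responder actually selected
    records: tuple     # mapping records; empty for a bare-bones reply
    built_by: str      # "etr" or "map-server"


class Scenario:
    """One ITR / Map-Server / ETR triple resolving a single EID-prefix."""

    def __init__(self, supported_kdfs, is_proxy, short_circuit):
        self.supported = supported_kdfs      # KDF IDs the Map-Server accepts
        self.is_proxy = is_proxy             # Map-Server proxies the mapping (Case 1)
        self.short_circuit = short_circuit   # proposed fast path from the message above
        self.etr_replies = 0                 # full Map-Replies the ETR had to build

    def map_server(self, proposed_kdf):
        kdf = proposed_kdf if proposed_kdf in self.supported else min(self.supported)
        if self.short_circuit and kdf != proposed_kdf:
            # Fast path: the ITR will discard this reply anyway, so return the
            # minimal well-formed message that carries only the changed KDF ID.
            return MapReply(kdf, (), "map-server")
        if self.is_proxy:
            return MapReply(kdf, ("rloc-A",), "map-server")   # Case 1
        self.etr_replies += 1                                   # Case 2: ETR does the work
        return MapReply(kdf, ("rloc-A",), "etr")

    def itr_lookup(self, proposed_kdf):
        """Resolve one mapping, re-requesting once if the KDF ID was changed."""
        messages = 0
        while True:
            reply = self.map_server(proposed_kdf)
            messages += 1
            if reply.kdf_id == proposed_kdf:
                return reply.records, messages, self.etr_replies
            # Changed KDF ID: the ITR discards the reply ("MUST discard") and,
            # as assumed here, re-issues the Map-Request with the new KDF ID.
            proposed_kdf = reply.kdf_id


def wasted_etr_work(is_proxy, short_circuit):
    """ETR Map-Replies built but discarded when the ITR proposes KDF ID 7 and
    the Map-Server only supports KDF IDs 1 and 2 (constructed values)."""
    s = Scenario(supported_kdfs={1, 2}, is_proxy=is_proxy, short_circuit=short_circuit)
    records, messages, etr_built = s.itr_lookup(proposed_kdf=7)
    assert records == ("rloc-A",) and messages == 2   # both paths need two exchanges
    return etr_built - (0 if is_proxy else 1)          # the final, used reply is not waste
```

Only the non-proxy, current-draft path reports wasted ETR work; the short-circuit removes it without changing the number of ITR round trips.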