Re: [Lsr] Alvaro Retana's Discuss on draft-ietf-lsr-flex-algo-24: (with DISCUSS)
Peter Psenak <ppsenak@cisco.com> Wed, 05 October 2022 16:02 UTC
Return-Path: <ppsenak@cisco.com>
X-Original-To: lsr@ietfa.amsl.com
Delivered-To: lsr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CB4BC14F723; Wed, 5 Oct 2022 09:02:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.179
X-Spam-Level:
X-Spam-Status: No, score=-15.179 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.571, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ofb8FscmMiV9; Wed, 5 Oct 2022 09:02:33 -0700 (PDT)
Received: from aer-iport-4.cisco.com (aer-iport-4.cisco.com [173.38.203.54]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15A01C14F6EC; Wed, 5 Oct 2022 09:02:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5597; q=dns/txt; s=iport; t=1664985752; x=1666195352; h=message-id:date:mime-version:subject:to:cc:references: from:in-reply-to:content-transfer-encoding; bh=QyKsqbVgAzjDxRW77zDj67FME/oyaJDjn7rBB45bekk=; b=iI3LfHPo35/Q2IxlnBEC/c5JafpAGXd7RthjtLh5EvoDP0+tyiO/DaFO /93l4Iep8ZpHpgTUTa6+kLKx9/g3U3B664u5yOVJ4Xrjq/e6xOMncWO/y YWA6m33btTn8INn/akOV/JWjtkxAuzD2x+h7VFhE2a0xQwsMOCqu70Jkd o=;
X-IronPort-AV: E=Sophos;i="5.95,161,1661817600"; d="scan'208";a="4248430"
Received: from aer-iport-nat.cisco.com (HELO aer-core-9.cisco.com) ([173.38.203.22]) by aer-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 05 Oct 2022 16:02:30 +0000
Received: from [10.147.24.54] ([10.147.24.54]) by aer-core-9.cisco.com (8.15.2/8.15.2) with ESMTP id 295G2TMk065935; Wed, 5 Oct 2022 16:02:29 GMT
Message-ID: <5cf76c12-c928-ad9f-fa82-1776abbe2ad2@cisco.com>
Date: Wed, 05 Oct 2022 18:02:29 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.3.1
Content-Language: en-US
To: Alvaro Retana <aretana.ietf@gmail.com>, The IESG <iesg@ietf.org>
Cc: draft-ietf-lsr-flex-algo@ietf.org, lsr-chairs@ietf.org, lsr@ietf.org, Christian Hopps <chopps@chopps.org>, acee@cisco.com, jgs@juniper.net
References: <166497948643.39691.5083450220590558021@ietfa.amsl.com>
From: Peter Psenak <ppsenak@cisco.com>
In-Reply-To: <166497948643.39691.5083450220590558021@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Outbound-SMTP-Client: 10.147.24.54, [10.147.24.54]
X-Outbound-Node: aer-core-9.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/lsr/15pohu4kFc8jpk0ALSBMwlKHk8w>
Subject: Re: [Lsr] Alvaro Retana's Discuss on draft-ietf-lsr-flex-algo-24: (with DISCUSS)
X-BeenThere: lsr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Link State Routing Working Group <lsr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lsr>, <mailto:lsr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lsr/>
List-Post: <mailto:lsr@ietf.org>
List-Help: <mailto:lsr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lsr>, <mailto:lsr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Oct 2022 16:02:37 -0000
Hi Alvaro, please see inline (##PP): On 05/10/2022 16:18, Alvaro Retana via Datatracker wrote: > Alvaro Retana has entered the following ballot position for > draft-ietf-lsr-flex-algo-24: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-lsr-flex-algo/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > I am balloting DISCUSS because I believe that operational and security > considerations need to be addressed or at least mentioned. > > I believe these points should be easy to address with some additional text. > > (1) When is a router's participation in a particular Flex-Algorithm advertised? > > It seems to me that there might be a "chicken-and-egg" problem that should at > least be mentioned in the Operational Considerations. Let me explain: > > §11: > > When a router is configured to support a particular Flex-Algorithm, > we say it is participating in that Flex-Algorithm. > > §5: > > To guarantee loop-free forwarding for paths computed for a particular > Flex-Algorithm, all routers that (a) are configured to participate in > a particular Flex-Algorithm, and (b) are in the same Flex-Algorithm > definition advertisement scope MUST agree on the definition of the > Flex-Algorithm. The following procedures ensure this condition is > fulfilled. > > These statements make it look like support for a particular Flex-Algorithm is > advertised when the routing process is enabled -- because the router is > "configured to support/participate". However, at this point, the router may > not have received a FAD for the Flex-Algorithm it is advertising support for. ##PP that is correct. Participation of the node in flex-algo is independent of the FAD availability. > > Besides the number of the Flex-Algorithm, the participation advertisement > implies support for a specific Metric-Type and Calc-Type. But, again, nodes > may be advertising this support blindly if the FAD is not known yet. ##PP nodes do not advertise support for particular metric type or calculation type. All that data is part of the FAD and if the winning FAD includes anything that the participating node does not support, it MUST stop participating in such flex-algo. > > Presumably, the operator configures support for a specific Flex-Algorithm with > a FAD in mind. IOW, there should be no surprises. However, I would like to > see the relationship between the support/participation configuration and the > FAD components explicitly called out. ##PP Section 5.3 says: "If a node is configured to participate in a particular Flexible- Algorithm, but there is no valid Flex-Algorithm definition available for it, or the selected Flex-Algorithm definition includes calculation-type, metric-type, constraint, flag, or Sub-TLV that is not supported by the node, it MUST stop participating in such Flexible-Algorithm. That implies that it MUST NOT announce participation for such Flexible-Algorithm as specified in Section 11 and it MUST remove any forwarding state associated with it." Is there anything more that you have in mind? > > Note that this issue is related to the ability of an attacker to hijack a > particular Flex-Algorithm, but oriented at the ability of the operator to cause > harm to their network. ##PP to hijack the FAD for an algo, one would need to be able to originate a LSP that includes the FAD. This is no different then introducing any other bogus information and can be avoided using the standard methods like LSP authenitication. > > (2) Related to the point above. > > What should a node configured to advertise support for a specific > Flex-Algorithm do if it receives a FAD that it cannot support? For example, if > the calc-type is unknown or unsupported. ##PP please see the end of the section 5.3. > > [§13 already addresses the case of an unsupported metric-type.] ##PP not really, section 13 is talking about the specific case of inter-area metric. > > (3) The Security Considerations section says that the attacks listed can be > addressed through authentication. However, it fails to consider what a rogue > node (one that is authenticated and taken over by an attacker) can do. ##PP if someone gets hold of the node that is authenticated it can advertise all sorts of bogus data that results in network becoming non functional. I don't know what we can do at the protocol level to avoid it. > > This type of attack is not preventable through authentication, and it is not > different from advertising any other incorrect information through IS-IS/OSPF. > It should be mentioned in the Security Considerations section. > > Also, the effect of a hijacked/modified FAD may result in traffic not being > delivered at all -- for example, by using an unsupported Metric-Type or > Calc-Type. ##PP I don't disagree. thanks, Peter > > > > > >
- [Lsr] Alvaro Retana's Discuss on draft-ietf-lsr-f… Alvaro Retana via Datatracker
- Re: [Lsr] Alvaro Retana's Discuss on draft-ietf-l… Peter Psenak
- Re: [Lsr] Alvaro Retana's Discuss on draft-ietf-l… Alvaro Retana
- Re: [Lsr] Alvaro Retana's Discuss on draft-ietf-l… Peter Psenak
- Re: [Lsr] Alvaro Retana's Discuss on draft-ietf-l… Alvaro Retana