Re: [Lsr] AD Review of draft-ietf-isis-reverse-metric-11

Alvaro Retana <> Fri, 28 September 2018 21:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 695C112DD85; Fri, 28 Sep 2018 14:45:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id H4fqpetXCvio; Fri, 28 Sep 2018 14:45:06 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::332]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AA309127148; Fri, 28 Sep 2018 14:45:06 -0700 (PDT)
Received: by with SMTP id m23-v6so7477281otf.0; Fri, 28 Sep 2018 14:45:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc; bh=Lt3VI7wO4ApAxt6faaYDx/snUcr03V/D7WM2xBZ+rI4=; b=dAFIj5tWaqqdzniQUZfdboMcvJLp368AYOGV+UaGBKLImTjMASSJ32e4MofS0xAyK9 kcfLJrJ4ZVtXRUF62+ne1bSRExrnVxtja92XBvsaKmLz76yd6JruUwOB2YqwLiv02Jme zabK8ToAKvjk6Xl8GKF90B6b8onvSclIYC5Io1Y/xbErKJqSjpTIqunKjyaGq3n0mBVU hPHGacv1BDMmPMPqTQ6uAWAFbtQGKppauc3LQP0c0KkaIV6AfX1sw7SGj4cgKfrXZXgm kCcE2EN6bzGdnhW6Sp87WsSHP/ZSwEYVIUk9C65cDa7qewtrl6/YC/GqBa4yC2rSXwBH 9f2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc; bh=Lt3VI7wO4ApAxt6faaYDx/snUcr03V/D7WM2xBZ+rI4=; b=p80x/AIVp7rGv3AKOuRO58vtL7sy2ZWzBSYO1K0YYdecdM6XhKkqRCKiLPMRzCgoUJ jVhamjeO/hcIRLBkd2DjT6gG1gd8Qld+EMzVhxvhwtVEhCENSRdX0SEXK0+Jl8zJ/gVr peS/mp/ly/YmzxyV4qCKzMFOWYPMqOcPEMrTsf1+CA4ue/VfmHslWjeZx3D+Lpgv4wlh 6NiX/xYK0RQOlx/tVK+IjGd3bkW/s56zOjrqy5bmDK/2icXITq+MYK4WVA6hhm2VD2E/ Md4dCIc4egPjPVfwkT9pc4BjHKq8gpB3+uE4wPAn59vC+fLHrT1GpXYtN/0pB4LOFRD2 33rg==
X-Gm-Message-State: ABuFfogNkn7YMDI2uCffb4mUbHPAJD7a7OpV9q9IW3bsNuq85udyUvq7 UyuBNpz8Sox7QYp+IqcuGmPFOm4YEtGNOzJdwok=
X-Google-Smtp-Source: ACcGV62DzFj7QCB9j1XKTlVfp78nGqpOkuGLPznPc98Zg1iYKBEnYDxxJoVnlgsmylD7WdfXYwkOazsVf6oJNSV1vIg=
X-Received: by 2002:a9d:1552:: with SMTP id z18-v6mr385239otz.44.1538171105843; Fri, 28 Sep 2018 14:45:05 -0700 (PDT)
Received: from 1058052472880 named unknown by with HTTPREST; Fri, 28 Sep 2018 14:45:05 -0700
From: Alvaro Retana <>
In-Reply-To: <>
References: <> <> <> <>
X-Mailer: Airmail (506)
MIME-Version: 1.0
Date: Fri, 28 Sep 2018 14:45:04 -0700
Message-ID: <>
To: "Naiming Shen (naiming)" <>
Cc: "Les Ginsberg (ginsberg)" <>, "" <>, "" <>, "" <>, Christian Hopps <>
Content-Type: multipart/alternative; boundary="0000000000005e274f0576f55eb5"
Archived-At: <>
Subject: Re: [Lsr] AD Review of draft-ietf-isis-reverse-metric-11
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Link State Routing Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 28 Sep 2018 21:45:14 -0000

On September 27, 2018 at 6:36:29 PM, Naiming Shen (naiming) ( wrote:



Some answers below.  Please take a look and publish an update.




Note that I read -11, but -12 was published in the interim -- so I'm
putting this comment up here.  The only change in -12 is the addition (in
the IANA Considerations section) of "a new registry for sub-TLVs of the
Reverse Metric TLV".  Why do we need this new registry?  The description
(in §2) of the use of this sub-TLV already references rfc5305 (where a TE
Default Metric sub-TLV is already defined), so it seemed somewhat natural
to me to simply reuse that sub-TLV here.  From the discussion on the list,
I understand the intent to "future proof", even if no other applications
come to mind.  If that is the path we want to go, then we'll need a
complete description of the new sub-TLV as well. [Some of my comments
bellow assume the existing sub-TLV from rfc5305.]

<NS> With the email exchange from you and Les, I assume I keep the same
as in the version 12 on this sub-TLV registry.


However, I need you to add a description of the sub-TLV in this document.
Right now there is a reference to rfc5305, but as Les explained, even
though these sub-TLVs look the same, they are really different.  When doing
so, the references to rfc5305 (for the sub-TLV) would not be needed.

<NS> ok, modified. see diff.

The first MUST (below) sounds as if there must always be one of these
sub-TLVs.  However, if other sub-TLVs are defined in the future, and this
one is not needed, the MUST would make it mandatory.


"This sub-TLV is optional, and MUST appear once at most in the Reverse
Metric TLV, otherwise the entire Reverse Metric TLV MUST be ignore on the


This sub-TLV is optional, if it appears more than once then the entire
Reverse Metric TLV MUST be ignored.


178   The Reverse Metric TLV is optional.  The Reverse Metric TLV may be
179   present in any IS-IS Hello PDU.  A sender MUST only transmit a single
180   Reverse Metric TLV in a IS-IS Hello PDU.  If a received IS-IS Hello
181   PDU contains more than one Reverse Metric TLV, an implementation
182   SHOULD ignore all the Reverse Metric TLVs and treat it as an error
183   condition.

[nit] The first two sentences sound redundant to me.

<NS> OK.

[major] The text above is not specific about which PDUs can include the
Reverse Metric TLV.  The text does say that it is optional and that it may
be in an IIH once...but it doesn't say anything about other PDUs.  The IANA
Considerations section contains the attributes to be included in the
registry, but those are not Normative.

<NS> Added other PDU MUST ignore it.

I saw the new text.  Thanks for being explicit about the TLV being used in
an IIH.

Les also pointed to the following in ISO 10589: “TLVs received in a
non-permitted PDU MUST be ignored.”  That means that the last sentence in
the new text ("If an IS-IS node received of IS-IS Reverse Metric TLV in the
PDU other than the IS-IS Hello PDU, this TLV MUST be ignored.”) is

<NS> ok, removed:-) but it used to be “.. may be optional present in …”,
changed to ".. MAY be optional present in …”, the formally define into
Hello PDU.

The text now reads:

   The Reverse Metric TLV MAY be optionally present in any IS-IS Hello

   PDU. A sender MUST only transmit a single Reverse Metric TLV in a

   IS-IS Hello PDU. If a received IS-IS Hello PDU contains more than

   one Reverse Metric TLV, an implementation MUST ignore all the Reverse

   Metric TLVs.

MAY and optional are the same thing, so the first sentence is redundant.

s/MAY be optionally/MAY



 418     4.  Security Considerations

420       The enhancement in this document makes it possible for one IS-IS
421       router to manipulate the IS-IS default metric and, optionally,
422       Traffic Engineering parameters of adjacent IS-IS neighbors.
423       IS-IS routers within a single Autonomous System nearly always are
424       under the control of a single administrative authority, it is
425       RECOMMENDED that operators configure authentication of IS-IS PDUs
426       mitigate use of the Reverse Metric TLV as a potential attack
427       particularly on multi-access LANs.

[major] Authentication doesn't prevent a subverted router from using the
reverse metric.

<NS> Right. But authentication is all IS-IS has.


[minor] I would love to see more text on what the threat really is.  I
think that includes being able to divert traffic, sent traffic over less
preferred paths, etc. -- in short, this extension can have a significant
effect on routing decisions.

<NS> Right. But this is no different from any other IS-IS operations, such
as changing local interface metric. reverse-metric
is no worse than those. all of them can change the routing behavior in the

True.  However, this is a new mechanism being defined in this document.  At
least recognizing the potential effect and that it “is no worse” is

Note that the difference between, for example, locally changing the metric
and the reverse-metric is that the local change is like shooting yourself
on the foot.  The reverse-metric allows someone else to influence you.
That’s the reason form my comment below:

<NS> Make sense, but I think one of the main reason of this draft is to
the operation of maintenance. If an operator (within the same local domain)
only needs to raise a ‘reverse metric’ on the local device, but also to
hunt down
all the other devices on the same LAN and to enable this feature one by
one, that
would defeats the purpose of this important usage.

Even though this is sent over to neighbor to act, but most provider network
devices are under the same admin domain.

Yeah…that’s the ongoing discussion with the Sec ADs/SecDir: what security
guarantees are provided by the “same admin domain”?

Even in the same domain, a router could be subverted and cause problems.
Yes, if that happens then maybe the operators have bigger problems — which
probably means that the “same domain” assumptions are not met.

In any case, we can wait for the SecDir/Sec AD to bring up the point before
adding text...

 [major] Is there anything (besides authenticating) that can be done to
mitigate the threat?  The text talks about local configuration having the
ability to override a reverse metric -- but it seems like the intent is for
the default to be "accept the reverse metric"..  Making the default be
"don't accept reverse metrics" (i.e. having to explicitly configure the
willingness to accept the new TLV) would help by only allowing the reverse
metric where the operator knows it wants it.  Was there any discussion
about this in the WG?

<NS> I don’t recall there is such a discussion. This document does not
specify which is the default
behavior. An implemetation can use either opt-in or opt-out, which does not
break the

It would be great if the document took a stance on that.

<NS> although I would certainly want this mechanism to be enabled by
but I don’t want to express this in this document since there may generate
security concern.

added in the “operational consideration” section that:

It is RECOMMENDED that the network operators disable the capability
when this Reverse Metric feature or mechanism is not being used in
the network where in the case an IS-IS implementation has this
mechanism enabled by default.

to see if you are ok with that.


If an implementation enables this mechanism by default, it is RECOMMENDED
that it be disabled by the operators when not explicitly using it.