Re: [Lsr] [Last-Call] Tsvart last call review of draft-ietf-ospf-ospfv2-hbit-10

"Acee Lindem (acee)" <acee@cisco.com> Thu, 07 November 2019 17:06 UTC

Return-Path: <acee@cisco.com>
X-Original-To: lsr@ietfa.amsl.com
Delivered-To: lsr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B8F112093A; Thu, 7 Nov 2019 09:06:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=Hl3EF339; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=rStU0EY5
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h93ulltgm5Wp; Thu, 7 Nov 2019 09:06:14 -0800 (PST)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E549F12082E; Thu, 7 Nov 2019 09:06:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4332; q=dns/txt; s=iport; t=1573146374; x=1574355974; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=gAOYgKpcy0atwlZWrqT1O3V7BOAM3IOZP2TgqVOMyZ4=; b=Hl3EF339VzIGqi3q+XhLJPTq2bKyRi8BEjl3OMHIYc2lGmrSqkcajIkG e+EMC+3xTFPHPgLAESWJIyN9Ns2mreAyfhHpaiHdCxD4TZIw6BHKYQPWx GFD8SjJl7s7UO3EF+6INPLFwphvgFWgn+YkwIchW3miQdg3ylG/YRJ27w A=;
IronPort-PHdr: =?us-ascii?q?9a23=3A13Kf5B9Fa5iQF/9uRHGN82YQeigqvan1NQcJ65?= =?us-ascii?q?0hzqhDabmn44+/YR7E/fs4iljPUM2b8P9Ch+fM+4HYEW0bqdfJq3UeaNpJXh?= =?us-ascii?q?4Bh98RmlkpC8OIIUb6N/XtKSc9GZcKWQ=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AUAAACTsRd/5JdJa1kDgwBAQEBAQE?= =?us-ascii?q?BAQEDAQEBAREBAQECAgEBAQGBbAMBAQEBCwGBSlAFgUQgBAsqhCmDRgOLA4J?= =?us-ascii?q?eiVaOKIEuFIEQA1QJAQEBDAEBLQIBAYRAAheDdyQ2Bw4CAwsBAQQBAQECAQU?= =?us-ascii?q?EbYU3DIVRAQEBAQIBEhERDAEBNwEPAgEIDgoCAiYCAgIfERUQAgQBDQUigwC?= =?us-ascii?q?CRwMOIAECqBQCgTiIYHWBMoJ+AQEFhQsNC4IXCYEOKAGMExiBf4E4H4IeLj6?= =?us-ascii?q?CG4F3ARIBH4MQMoIsj1A3jnqOGS1BCoIkkTCEERuCPIdgBYQvhmqEOI5GikO?= =?us-ascii?q?PJwIEAgQFAg4BAQWBWQ0lZ3FwFWUBgkFQERSQNoNzihg7dIEojVyCMQEB?=
X-IronPort-AV: E=Sophos;i="5.68,278,1569283200"; d="scan'208";a="359285390"
Received: from rcdn-core-10.cisco.com ([173.37.93.146]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 07 Nov 2019 17:06:12 +0000
Received: from XCH-ALN-017.cisco.com (xch-aln-017.cisco.com [173.36.7.27]) by rcdn-core-10.cisco.com (8.15.2/8.15.2) with ESMTPS id xA7H6C3d026746 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 7 Nov 2019 17:06:12 GMT
Received: from xhs-aln-001.cisco.com (173.37.135.118) by XCH-ALN-017.cisco.com (173.36.7.27) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 7 Nov 2019 11:06:11 -0600
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 7 Nov 2019 11:06:11 -0600
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Thu, 7 Nov 2019 12:06:10 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=LX2UHE2SmSV3qc8icP0owOo6ZM8DHBo8BaQ6z1tLVR7cjoOrK8d0MAn0B2VEH9+fF9ivixHqpRf4ga9x5ZwlN7hmReFv9NVvT4hWyD4tqSoFX991fMpabJOqqc5Dt2B18Jxz864rvO37YbcWI/9asyY3kHUNDvf67rN2b96nE0keuDqzWupBd65pXImYHn1hPuhfG/g4ckRqKbnrJt8kLaGOG1qBCW5DX+t+hbQp3x4efmTmWeF4ljnUeS/gwfKCoItnoQA/VWiDp3SittwgSOv/zjTy1kqpv00eO7mFTTK1hra/dgUzWfd/mWbXDCGbkZvGSOam1nTaPBxdWozGRQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=gAOYgKpcy0atwlZWrqT1O3V7BOAM3IOZP2TgqVOMyZ4=; b=FdiPWC9r0zZaiobiqlG6js+6ClhdWf3TYiNMEZmyW4MiZsMNQFRCzDx5WX2tuNO4Vpu/M+d6veQvomQkd40lyi367ksJxofXBdX3C4ggYAI/DyA8EGbO4o2oKII9/CFiClV1pNLAqC7hO+VYSGU928wrRqh9OgGsyj8Lkz+vGUKrono93roBl9wHQEQIOHKHTiBdfsml5fTYCjopslK+zb02/C3xE4zxywRfSaSsZFqlVa+ENTm3MgByvn9RSYG4PynNO/vUcOQ8qTC7zlGpGrgZOm25YFlkRop6a62vyWZskIFjZ588oq7n5Rv/g22pw8IwD3RwkJu61LLy7HxeWQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=gAOYgKpcy0atwlZWrqT1O3V7BOAM3IOZP2TgqVOMyZ4=; b=rStU0EY54bp2/jdhWd3fcpMTK5LImx6S0vH9rx2n1JT5WBZkj3A22emVkd7/5DfTS8yNlk8He0YChzfGdn2UBzlGZFhM5OiQSMAnvphBCJui23w5d3BENrp/cr1jXEaQzdchIzhO/ZFDrRQBLhm6J8W31arQyjF4+lAecUsDPwI=
Received: from MN2PR11MB4221.namprd11.prod.outlook.com (52.135.38.14) by MN2PR11MB4207.namprd11.prod.outlook.com (52.135.37.97) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2430.20; Thu, 7 Nov 2019 17:06:10 +0000
Received: from MN2PR11MB4221.namprd11.prod.outlook.com ([fe80::218b:2d04:e653:105]) by MN2PR11MB4221.namprd11.prod.outlook.com ([fe80::218b:2d04:e653:105%7]) with mapi id 15.20.2430.023; Thu, 7 Nov 2019 17:06:10 +0000
From: "Acee Lindem (acee)" <acee@cisco.com>
To: Alvaro Retana <aretana.ietf@gmail.com>, Padma Pillay-Esnault <padma.ietf@gmail.com>, Benjamin Kaduk <kaduk@mit.edu>
CC: Kyle Rose <krose@krose.org>, "tsv-art@ietf.org" <tsv-art@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-ospf-ospfv2-hbit.all@ietf.org" <draft-ietf-ospf-ospfv2-hbit.all@ietf.org>, "lsr@ietf.org" <lsr@ietf.org>
Thread-Topic: [Last-Call] Tsvart last call review of draft-ietf-ospf-ospfv2-hbit-10
Thread-Index: AQHVkDTb/1bFTAgzpU6LRZDiqUUoRqd1WtiAgANaYwCAASQDgIAGH4EA//+uUoA=
Date: Thu, 7 Nov 2019 17:06:10 +0000
Message-ID: <8FF8CF2F-8DF3-4E7C-AB48-DB1874962C82@cisco.com>
References: <157255845092.30400.10881471178799546764@ietfa.amsl.com> <CAG-CQxr2OJgHgLZMC0kmK1U6=OhrEggGH0K-zFE9uVXyd9KcqQ@mail.gmail.com> <20191103020302.GZ55993@kduck.mit.edu> <CAG-CQxouv9kguDb9Q-vVGRV603nnSSfNCLNLAsLGzTnRA8qMqg@mail.gmail.com> <CAMMESsycGJ9Xz_TYfHa673zxV+MM9kp-fHciYkgDJmvfRYtqeA@mail.gmail.com>
In-Reply-To: <CAMMESsycGJ9Xz_TYfHa673zxV+MM9kp-fHciYkgDJmvfRYtqeA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=acee@cisco.com;
x-originating-ip: [2001:420:c0c4:1007::5e]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0bf0c56c-a34e-4f50-1024-08d763a4c970
x-ms-traffictypediagnostic: MN2PR11MB4207:
x-microsoft-antispam-prvs: <MN2PR11MB42076C11E6E8B8181C914EDCC2780@MN2PR11MB4207.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0214EB3F68
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(39860400002)(366004)(136003)(376002)(396003)(199004)(189003)(66556008)(76116006)(86362001)(7736002)(229853002)(99286004)(64756008)(305945005)(6512007)(54906003)(6436002)(6486002)(316002)(66946007)(33656002)(66476007)(66446008)(110136005)(8936002)(81166006)(81156014)(66574012)(102836004)(8676002)(14454004)(46003)(2906002)(25786009)(4326008)(76176011)(36756003)(478600001)(53546011)(186003)(5660300002)(6246003)(446003)(11346002)(2171002)(14444005)(2616005)(6116002)(6506007)(476003)(256004)(71190400001)(486006)(71200400001); DIR:OUT; SFP:1101; SCL:1; SRVR:MN2PR11MB4207; H:MN2PR11MB4221.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Ll30J9dYL5dAo/Rnj5RvwsN8ZLGaTVH8cR4WeNZVZh45fzog7xG/RKyBrqnTbjbzD0iIVL528Jv1qfvKJC9Bjgu24dU/sRSG1rQDOn2IrQHKXO2Yv3gEZqmEO50JBdCNOgKKz5uNGEXrxfRWAiLNBoV8dIeU/g+1TZtIwfmeQVRWkwH78OrXgiqq8YQrPNehf82elXT0hpe1miOQ8lPHquoo/qOAvwKDejIRYf8HhXOJIF7WUl1czha1zprtnvAqAo10eFmZ2eBO0XJqp7RePRuKlAyxbwhaXaU2JAU+pVuxn50Au+oX1VT9VzMthuCgJuBetTJCAlZuwM4r6rJozNFSJfZc9VbgHn2v3Mm4APEPch0tSY/ATj4yQxFUaloDM0HmSbGA5WoWr0s48/RWadSFWiEARx3VjWy5jHlrvO1Oi4BQ6EkbjVwc94BfghlE
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <86FEAD20A665044B87165BFEAF96412D@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 0bf0c56c-a34e-4f50-1024-08d763a4c970
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Nov 2019 17:06:10.1015 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: dUy36/dzyYdlrDmrfcJhd8b8u0bWMyXJuJ2BsypuTLeGPL7uiIgIwMuQwU/srOgt
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4207
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.27, xch-aln-017.cisco.com
X-Outbound-Node: rcdn-core-10.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/lsr/LLe_FRMZ6Mnb0BmYDeupnJBH76o>
Subject: Re: [Lsr] [Last-Call] Tsvart last call review of draft-ietf-ospf-ospfv2-hbit-10
X-BeenThere: lsr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Link State Routing Working Group <lsr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lsr>, <mailto:lsr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lsr/>
List-Post: <mailto:lsr@ietf.org>
List-Help: <mailto:lsr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lsr>, <mailto:lsr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Nov 2019 17:06:16 -0000

Hi Alvaro, 

On 11/7/19, 11:58 AM, "Alvaro Retana" <aretana.ietf@gmail.com>; wrote:

    On November 3, 2019 at 2:28:29 PM, Padma Pillay-Esnault wrote:
    
    Padma:
    
    Hi!
    
    See below...
    
    > On Sat, Nov 2, 2019 at 7:03 PM Benjamin Kaduk wrote:
    > > On Thu, Oct 31, 2019 at 03:50:45PM -0700, Padma Pillay-Esnault wrote:
    > > > On Thu, Oct 31, 2019 at 2:47 PM Kyle Rose via Datatracker
    > > > wrote:
    > > >
    > > > > * I'm curious what happens if a router sets the H-bit when it is on the
    > > > > only feasible transit path.
    > > >
    > > > PPE - The router with the H-bit set will not be "on the only feasible
    > > > transit path" to other destinations. The H-bit functionality will exclude
    > > > the host router from the path calculation in the SPF.
    > >
    > > I think you are talking about normal operation ("will not be on the only
    > > feasible transit path") and Kyle is asking about misconfiguration or
    > > similar edge cases.
    >
    > Thanks for this clarification.
    > >
    > > Having only read this email thread and not the document itself, I assume
    > > that traffic will fail to flow if such a misconfiguration occurred, but it
    > > would be good to confirm/refute that.
    >
    > Yes you are right ... for some cases.
    >
    > Assuming the router with the H-bit clear is on the only transit path. There
    > are several cases see below.
    >
    > Normal case:
    > The router has H-bit set
    > (a) All routers in the area support the H-bit then the router is excluded in
    > the SPF calculations and traffic will not flow.
    > (b) At least one router in the area does not support H-bit then H-bit is not
    > active in area. The traffic will flow as per normal OSPF operation.
    >
    > Misconfiguration case:
    > The router has H-bit erroneously set (misconfig)
    > (a) All routers in the areas support H-bit then the router is excluded in the
    > SPF calculations and traffic will not flow.
    > (b) At least one router in the area does not support H-bit then H-bit is not
    > active in area. The traffic will flow as per normal OSPF operation.
    >
    > The Section 8 of the document has a discussion on this.
    
    Yes, there is a discussion in §8, but I think we left out the case
    where a rogue router, who is on the only transit path, may set the
    H-bit (for no good/valid reason) and effectively partition the
    network.  This case is indistinguishable from the normal case where
    the operator (still on the only transit path) may consciously decide
    to set the H-bit to perform maintenance, for example.
    
    Please add a new bullet to cover this case.

If an OSPFv2 router is a trusted participant in the OSPFv2 routing domain (with or without cryptographic authentication), there are at least 3 or 4 other ways in which it could partition the routing domain. This is just one more. However, I'm not opposed to adding the bullet as this is "what we do" during the security reviews. 

Thanks,
Acee

    
    Thanks!
    
    Alvaro.