Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo-09
Peter Psenak <ppsenak@cisco.com> Thu, 04 May 2023 12:35 UTC
Return-Path: <ppsenak@cisco.com>
X-Original-To: lsr@ietfa.amsl.com
Delivered-To: lsr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1436C13AE3C; Thu, 4 May 2023 05:35:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.597
X-Spam-Level:
X-Spam-Status: No, score=-9.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FN7Vfa5Yx6_1; Thu, 4 May 2023 05:35:33 -0700 (PDT)
Received: from aer-iport-8.cisco.com (aer-iport-8.cisco.com [173.38.203.70]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 329A2C13AE37; Thu, 4 May 2023 05:35:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=26787; q=dns/txt; s=iport; t=1683203733; x=1684413333; h=message-id:date:mime-version:subject:to:cc:references: from:in-reply-to:content-transfer-encoding; bh=O2SIQlYGNOEV2TpVlDW+KaSrOdFGfnawKK/o+Ob/Nz4=; b=KafCMUylb4iqJlaqCdjdw+Bmk18iezY+e3evieotC5ifXi5FQe4Wvttj zSHo0gF7S3WbrDlk1nka6sBjSqyAE/JkPkNGFUjv5b4ufauAGvWgnN570 iOKywojho0HlwdHqi9FAFbI54AlWhqfr4Y9KoASrUjNKY5+lbiJXjIEyz Y=;
X-IPAS-Result: A0ABAAB5pVNkmBbLJq1aGQEBAQEBAQEBAQEBAQEBAQEBARIBAQEBAQEBAQEBAQFAgTsEAQEBAQELAYMiVS0SRoRRiB1fiDkDkSCGJ4E4hF6BJQNRBQ8BAQEPLgsLBAEBhQYChUQmNAkOAQIEAQEBAQMCAwEBAQEBAQMBAQUBAQECAQcEFAEBAQEBAQEBHhkFEA4nhWgNhgQBAQEBAgEBARgJDwEFNgsQCQIYAgIjAwICJx8RBg0GAgEBgnoBgjkjAxCQZ5sfeoEygQGDZ0GbNoFhBoEULQGHUnyEPoIVgjNCgUlEgRQBJwyBCW2BAj6CYgEBAgGBNFWDL4JnBIocgXYKBAkCCT4Ci0uBMXSBJ4EugQQCCQIRa4EQCGiBdEACDWMLC22BRIMPBAIRNA4MFQVYAoEGCBQBGAMHBwIBgSMQOgcEQBYlBA4DGSsdQAIBCzs6PRQhCQsfBkMCK4FZBC+BTQoGASUkl3qBZwEBEBwyDAYCMDIEFA4LCwMICAYCBBwCDRkHDBgIShUKBQIZDwELDQ4FCZJmEZxSkw+BN4QIhF+HFo4IhngGDwQvg31MjByGOo58gkpimACNU5RmKQcMAwqFI4FjOoFbMxoIGxU7gmdSGQ+OOYhtimQDQjECAToCBwEKAQEDCYhsglkBAQ
IronPort-Data: A9a23:tFqQy6Lca3nqWskRFE+RFJUlxSXFcZb7ZxGr2PjKsXjdYENS0TRRy DMfXjjVaKnbMGDwctwjYd++/RgA7MfTmIQwGVYd+CA2RRqmiyZq6fd1j6vUF3nPRiEWZBs/t 63yUvGZcIZsCCW0Si6FatANl1EkvU2zbue6Wb+s1hxZH1c+E3980U47wobVv6Yx6TSHK1LV0 T/Ni5W31G+Ng1aY5UpNtspvADs21BjDkGtwUm4WPJinj3eC/5UhN6/zEInqR5fOria4KcbhL wrL5OnREmo0ZH7BAPv9+lrwWhVirrI/oWFih1IOM5VOjCSuqQQ0zIBnbfEbW314tDyjsY0t8 YxDiYKZHFJB0q3kwIzxUjFRHjs7Nqpc9fqeez60sNeYyAvNdH6EL/dGVR5te9ZIvLwvWicUr 5T0KxhVBvyHr/qu27+9Q+pEjcU4J86tN4Qa0p1l5W2GUax5Gcurr6Pivd5D3wco1oN3MsnEP JNBah0/NEiRSkgaUrsQIMtuwLj37pXlSBVcs0i9pKcr7S7U1gMZ+LT3OdTJP92HWcsQml2C4 2Peumr9DwETMNOY4TuI7nzqgfXA9QvgWJgbGLG4/9ZonVuS3mEJThsbSTOTo/aiokyjXdNHJ lZS/CcyxYAx+VCiSMW7XhCkrlaLuxcdX5xbFOhS1e2W4qPZ+UOYHm8eUntHYcBgv84tTjts3 ViM9z/0OdBxmLuLby7E/bCmlxyNMAI7cDM7PCE4UyJQtrEPv7oPph7IS99iFou8gdv0BSz8z li2QM4W2ux7YSkjivzTwLzXv96/jsWTFVBktm07Skr4tFojNeZJcqTysTDmAeB8wJGxaH3pU JIsssyb4foDRaqRnSDlrA4lRerwup5p3BXyhVNxGJ0o8TjFxpJCQWyyyGwkTKuKGp9aEdMMX KM0kVgLjKK/xFPwMcdKj3uZUqzGN5TIG9X/TezzZdFTeJV3fwLv1HgwNRXJhDCzyxN3zPpX1 XKnnSCEUCZy5UNPkWXeegvh+eNDKt0WnDmKHsmrk3xLL5LEPyDOIVv6DLd+RrlpsPzbyOkk2 91eLMCNgw5OS/HzZzK/zGLgBQ5iEJTPPriv85Y/XrfaemJOQThxY9ePmulJU9I+wMxoehLgo yvVtrlwkgSv3BUq6GyiNxheVV8Ydcwj9ShjY3Z3Yj5FGRELOO6S0UvWTLNvFZFPyQCp5acco yUtEylYPslydw==
IronPort-HdrOrdr: A9a23:NT+8KK5Q1B8m0BFbwAPXwPnXdLJyesId70hD6qm+c203TiXqra GTdZMgpHnJYVcqKRYdcL+7VZVoLUmskKKdpLNhWYtKPzOLhILLFutfBOLZqlWKJ8S9zJ8+6U 4KScZD4bPLbWSSwfyU3OF9eOxQuOVuN8uT9J7j80s=
X-Talos-CUID: 9a23:M0Bdzm+Yj+0/3JX66/yVv0gKPJx8eXrv9ljvKmWWVDpQEbOpV3bFrQ==
X-Talos-MUID: 9a23:BdwiigqwPn95xtCTN7cez2ljL8RY+/TtMW8yi85f48qjZXQsah7I2Q==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.99,249,1677542400"; d="scan'208";a="4742703"
Received: from aer-iport-nat.cisco.com (HELO aer-core-12.cisco.com) ([173.38.203.22]) by aer-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 04 May 2023 12:35:30 +0000
Received: from [10.147.24.27] ([10.147.24.27]) by aer-core-12.cisco.com (8.15.2/8.15.2) with ESMTP id 344CZUrf068239; Thu, 4 May 2023 12:35:30 GMT
Message-ID: <7472b7df-3ab7-2136-c7e5-644acf79cf6b@cisco.com>
Date: Thu, 04 May 2023 14:35:30 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.10.0
Content-Language: en-US
To: Ketan Talaulikar <ketant.ietf@gmail.com>
Cc: John Scudder <jgs@juniper.net>, Shraddha Hegde <shraddha@juniper.net>, draft-ietf-lsr-ip-flexalgo@ietf.org, lsr <lsr@ietf.org>
References: <3A7BA75A-2561-4B4F-87B1-01BEFB167DCF@juniper.net> <52143c2f-906a-a574-a872-3ffb4f8746c8@cisco.com> <BF7FD212-0330-4310-935E-105B4E60B0BC@juniper.net> <d2718d4f-eb6d-3b15-9b59-e18e211fa755@cisco.com> <DC8412DA-7CEB-42C7-B37A-04E59690C36A@juniper.net> <CAH6gdPzwJ=pksvBkF5wsHnkh5M-jBksrQcZB_sq9+7wynKUgqQ@mail.gmail.com> <5c3a2682-090f-73f0-b595-de56fa728df5@cisco.com> <CAH6gdPybams9aTsE32Ftidb0VtV7E5M6Ty5kk8203g3zHJ305g@mail.gmail.com> <f4c7f945-927c-ab4a-dc8f-20714e235146@cisco.com> <CAH6gdPyAj35G=p6iaNi5WPDgebMp+C0kwJHSW3imvWti9QbMzg@mail.gmail.com>
From: Peter Psenak <ppsenak@cisco.com>
In-Reply-To: <CAH6gdPyAj35G=p6iaNi5WPDgebMp+C0kwJHSW3imvWti9QbMzg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Outbound-SMTP-Client: 10.147.24.27, [10.147.24.27]
X-Outbound-Node: aer-core-12.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/lsr/Q1FGNtvyrHrlyW31tIOyDllAEok>
Subject: Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo-09
X-BeenThere: lsr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Link State Routing Working Group <lsr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lsr>, <mailto:lsr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lsr/>
List-Post: <mailto:lsr@ietf.org>
List-Help: <mailto:lsr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lsr>, <mailto:lsr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2023 12:35:37 -0000
Hi Ketan, On 04/05/2023 14:32, Ketan Talaulikar wrote: > Hi Peter, > > Thanks for this updated version and it addresses my comments. great, I will push the new version. > > The route tag functionality for IP Algo reachability is best provided by > the upcoming draft-ietf-lsr-ospf-admin-tags. As co-authors of that > draft, could either you or Acee cover applicability for both IP Algo and > SRv6 Locator? sure. thanks, Peter > > That way we have functional parity for IP algorithm reachability for > OSPF all taken care of. > > Thanks, > Ketan > > > On Thu, 4 May, 2023, 5:39 pm Peter Psenak, <ppsenak@cisco.com > <mailto:ppsenak@cisco.com>> wrote: > > Hi Ketan, > > please find the updated version and the diffs from previous one > attached. > > Please let me know if you have any comments or suggestions. > > thanks, > Peter > > On 03/05/2023 15:30, Ketan Talaulikar wrote: > > Hi Peter, > > > > Please check inline below. > > > > On Wed, May 3, 2023 at 6:16 PM Peter Psenak <ppsenak@cisco.com > <mailto:ppsenak@cisco.com> > > <mailto:ppsenak@cisco.com <mailto:ppsenak@cisco.com>>> wrote: > > > > Hi Ketan, > > > > On 03/05/2023 06:09, Ketan Talaulikar wrote: > > > Hello Authors/All, > > > > > > I think there are a couple of issues with this document > related to > > > OSPFv2 aspects. My apologies for this last minute notice > and not > > > catching them earlier during the WGLC. > > > > 1) The OSPFv2 IP Algorithm Prefix Reachability Sub-TLV is not > > carrying > > > the indication of Type1/Type2 for External and > NSSA-External route > > > advertisements. A way to fix/address this would be to > introduce a > > 1 byte > > > flags in the Reserved space and then introduce the "E -bit" > > similar to > > > how it is there in the base OSPFv2 External LSAs - > > > > https://datatracker.ietf.org/doc/html/rfc2328#appendix-A.4.5 > <https://datatracker.ietf.org/doc/html/rfc2328#appendix-A.4.5> > > <https://datatracker.ietf.org/doc/html/rfc2328#appendix-A.4.5 > <https://datatracker.ietf.org/doc/html/rfc2328#appendix-A.4.5>> > > > > <https://datatracker.ietf.org/doc/html/rfc2328#appendix-A.4.5 > <https://datatracker.ietf.org/doc/html/rfc2328#appendix-A.4.5> > > <https://datatracker.ietf.org/doc/html/rfc2328#appendix-A.4.5 > <https://datatracker.ietf.org/doc/html/rfc2328#appendix-A.4.5>>> > > > > can't we live without the Ext. Type-2 metric for the IP algo > prefixes > > and treat then as Type 1 ext metric always? > > The real advantage of the Type-2 metric is not really > significant. > > > > > > KT> That is an option but it would create deviations from the > base OSPF > > processing for IP Algo reachability. That may be more of an issue > for > > implementations and may be even operators used to OSPF. It may be > easier > > to just fix the encoding to allow the indication of Type 1/2. > > > > > > > > > > 2) Also for OSPFv2, since we don't have the base OSPFv2 > LSA for Algo > > > reachability, we are missing some key sub-TLVs in the OSPFv2 > > Extended > > > Prefix Sub-TLVs that would be required for IP FlexAlgo > > reachability - > > > mainly Forwarding Address and Route Tag. > > > > Similarly using the forwarding address is something which has > limited > > benefits and we do not need it for the IP Algo prefixes. > > > > The only problem is during the NSSA translation, where the spec > > mandates > > the non-zero forwarding address. Is that something that we > really need? > > > > > > KT> Same as the previous comment. We will hit some corner cases > and may > > need to carve out these exceptions. It may be simpler to just add > these > > sub-TLVs. > > > > > > > > > > 3) Along with the above changes, perhaps some text is > required to > > > indicate the use of these new sub-TLVs and how OSPFv2 base > route > > > calculations apply for various route types (specifically > external > > and NSSA)? > > > > how is that different to regular prefix (RFC2328)? > > > > > > KT> The route calculations don't change - only that everything is > done > > using only the OSPFv2 Extended Prefix LSAs instead of the base OSPF > > LSAs. One can say it is implicit so I wonder if it helps to make > this > > explicit. > > > > > > thanks, > > Peter > > > > > > > > 4) A nit: in a few places in sec 6.3, the OSPFv2 IP > Algorithm Prefix > > > Reachability is being referred to as TLV instead of > sub-TLV. Similar > > > issue in sec 6.4 for OSPFv3. > > > > > > Thanks, > > > Ketan > > > > > > > > > On Wed, May 3, 2023 at 12:01 AM John Scudder > > > <jgs=40juniper.net@dmarc.ietf.org > <mailto:40juniper.net@dmarc.ietf.org> > > <mailto:40juniper.net@dmarc.ietf.org > <mailto:40juniper.net@dmarc.ietf.org>> > > <mailto:40juniper.net@dmarc.ietf.org > <mailto:40juniper.net@dmarc.ietf.org> > > <mailto:40juniper.net@dmarc.ietf.org > <mailto:40juniper.net@dmarc.ietf.org>>>> > > > wrote: > > > > > > Hi Peter, > > > > > > All good, I figured it was something like that. Two > residual > > nits — > > > > > > 1. One “datapalne” got left in. I guess you need > something to > > seed > > > version 11 after all… > > > > > > 2. It looks like this one got omitted: > > > > > > @@ -579,8 +592,18 @@ > > > receiver. > > > > > > The metric value in the parent TLV is RECOMMENDED > to be > > set to > > > - LSInfinity [RFC2328]. This recommendation only > servers for > > > debugging > > > + LSInfinity [RFC2328]. This recommendation only serves > > for debugging > > > purposes and does not impact the functionality. > > > +--- > > > +jgs: Thanks for adding the additional explanation. I > made a > > minor > > > editing > > > +correction in-line, but I also have a slightly more > extensive > > > revision to > > > +suggest: > > > + > > > +NEW: > > > + This recommendation is provided as a network > > troubleshooting > > > + convenience; if it is not followed the protocol > will still > > > + function correctly. > > > +— > > > > > > Obviously, I don’t insist on the proposed rewrite. But > even > > if you > > > don’t use it you presumably should take the > s/servers/serves/ > > > proofreading correction. > > > > > > I’m going to go ahead and request IETF Last Call, but feel > > free to > > > push a revision with corrections if you want. > > > > > > —John > > > > > > > On May 2, 2023, at 6:06 AM, Peter Psenak > > > <ppsenak=40cisco.com@dmarc.ietf.org > <mailto:40cisco.com@dmarc.ietf.org> > > <mailto:40cisco.com@dmarc.ietf.org > <mailto:40cisco.com@dmarc.ietf.org>> > > > <mailto:40cisco.com@dmarc.ietf.org > <mailto:40cisco.com@dmarc.ietf.org> > > <mailto:40cisco.com@dmarc.ietf.org > <mailto:40cisco.com@dmarc.ietf.org>>>> wrote: > > > > > > > > > > > > Hi John, > > > > > > > > I apologize for the misses, likely the result of > multiple > > editors > > > > updating the draft in parallel. > > > > > > > > I also fixed the nits and updated the security > sections as you > > > proposed. > > > > > > > > Version 10 has been published. > > > > > > > > thanks, > > > > Peter > > > > > > > > > > > > > > > > > > > > > > > > On 01/05/2023 20:54, John Scudder wrote: > > > >> Hi Peter (and Shraddha), > > > >> > > > >>> On Apr 28, 2023, at 9:13 AM, Peter Psenak > > > <ppsenak=40cisco.com@dmarc.ietf.org > <mailto:40cisco.com@dmarc.ietf.org> > > <mailto:40cisco.com@dmarc.ietf.org > <mailto:40cisco.com@dmarc.ietf.org>> > > > <mailto:40cisco.com@dmarc.ietf.org > <mailto:40cisco.com@dmarc.ietf.org> > > <mailto:40cisco.com@dmarc.ietf.org > <mailto:40cisco.com@dmarc.ietf.org>>>> wrote: > > > >>> > > > >>> Shradha and I have worked to address your comments. > > > >>> The new version of the draft has been published. > > > >> > > > >> Thanks for that. I’ve reviewed the diffs in 09. I’ve > > attached a > > > short review of it; there are some minor proofreading > > changes, but > > > also one place a substantive edit was overlooked that I’ve > > flagged > > > in Section 6.2. I also made a further suggestion on > your Security > > > Considerations. > > > >> > > > >> I think one more revision and we will be ready for > IETF > > Last Call. > > > >> > > > >> Thanks, > > > >> > > > >> —John > > > >> > > > >> --- draft-ietf-lsr-ip-flexalgo-09.txt 2023-05-01 > > > 13:21:34.000000000 -0400 > > > >> +++ draft-ietf-lsr-ip-flexalgo-09-jgs-comments.txt > > 2023-05-01 > > > 14:47:16.000000000 -0400 > > > >> @@ -138,9 +138,9 @@ > > > >> result, traffic for different sessions is > destined to a > > > different > > > >> destination IP address. > > > >> > > > >> - IP address allocated to the UPF can be > associated with an > > > algoritm. > > > >> + The IP address allocated to the UPF can be > associated > > with > > > an algorithm. > > > >> The mobile user traffic is then forwarded > along the path > > > based on the > > > >> - algorithm specific metric and constraints. As > a result, > > > traffic can > > > >> + algorithm-specific metric and constraints. As > a result, > > > traffic can > > > >> be sent over a path that is optimized for minimal > > latency or > > > highest > > > >> bandwidth. This mechanism is used to achieve SLA > > (Service Level > > > >> Agreement) appropriate for a user session. > > > >> @@ -186,9 +186,9 @@ > > > >> > > > >> Advertisement of participation in IP > Flex-Algorithm > > does not > > > impact > > > >> the router participation signaled for other > > data-planes. For > > > >> - Example, it is possible that a router > participates in a > > > particular > > > >> - flex-algo for IP datapalne but does not > participate > > in the > > > same flex- > > > >> - algo for SR dataplane. > > > >> + example, it is possible that a router > participates in a > > > particular > > > >> + flex-algo for the IP dataplane but does not > > participate in > > > the same flex- > > > >> + algo for the SR dataplane. > > > >> > > > >> The following sections describe how the IP > Flex-Algorithm > > > >> participation is advertised in IGP protocols. > > > >> @@ -196,6 +196,11 @@ > > > >> 5.1. The IS-IS IP Algorithm Sub-TLV > > > >> > > > >> The ISIS [ISO10589] IP Algorithm Sub-TLV is a > sub-TLV > > of the > > > IS-IS > > > >> +--- > > > >> +jgs: Was it deliberate that you didn't accept the > > suggestion to > > > >> +hyphenate "ISIS" above, or an oversight? If > deliberate, > > how come? > > > >> +If accidental, please change in next rev. > > > >> +--- > > > >> Router Capability TLV [RFC7981] and has the > following > > format: > > > >> > > > >> 0 1 2 > > > 3 > > > >> @@ -302,9 +307,9 @@ > > > >> 6. Advertising IP Flex-Algorithm Reachability > > > >> > > > >> To be able to associate the prefix with the > > Flex-Algorithm, the > > > >> - existing prefix reachability advertisements > can not > > be used, > > > because > > > >> + existing prefix reachability advertisements > cannot be > > used, > > > because > > > >> they advertise the prefix reachability in default > > algorithm 0. > > > >> - Instead, a new IP Flex-Algorithm reachability > > advertisements are > > > >> + Instead, new IP Flex-Algorithm reachability > > advertisements are > > > >> defined in IS-IS and OSPF. > > > >> > > > >> The M-flag in the FAD is not applicable to IP > Algorithm > > > Prefixes. > > > >> @@ -410,6 +415,11 @@ > > > >> all of them do not advertise the same > algorithm, it MUST > > > ignore all > > > >> of them and MUST NOT install any forwarding > entries > > based on > > > these > > > >> advertisements. This situation SHOULD be > logged as > > an error. > > > >> +--- > > > >> +jgs: Thanks for these rewrites. Unfortunately > there is a > > > similar case > > > >> +later (Section 6.2) which was missed. It needs a > similar > > rewrite, > > > >> +I will flag it below, please refer back to this > section. > > > >> +--- > > > >> > > > >> In cases where a prefix advertisement is > received in > > both a IPv4 > > > >> Prefix Reachability TLV and an IPv4 Algorithm > Prefix > > > Reachability > > > >> @@ -434,6 +444,9 @@ > > > >> with a different Algorithm, MUST ignore all of > them > > and MUST NOT > > > >> install any forwarding entries based on these > > > advertisements. This > > > >> situation SHOULD be logged as an error. > > > >> +--- > > > >> +jgs: These two paragraphs need a rewrite similar to > > Section 6.1. > > > >> +--- > > > >> > > > >> In cases where a prefix advertisement is > received in > > both an > > > IPv6 > > > >> Prefix Reachability TLV and an IPv6 Algorithm > Prefix > > > Reachability > > > >> @@ -579,8 +592,18 @@ > > > >> receiver. > > > >> > > > >> The metric value in the parent TLV is > RECOMMENDED to > > be set to > > > >> - LSInfinity [RFC2328]. This recommendation only > > servers for > > > debugging > > > >> + LSInfinity [RFC2328]. This recommendation only > > serves for > > > debugging > > > >> purposes and does not impact the functionality. > > > >> +--- > > > >> +jgs: Thanks for adding the additional > explanation. I made a > > > minor editing > > > >> +correction in-line, but I also have a slightly more > > extensive > > > revision to > > > >> +suggest: > > > >> + > > > >> +NEW: > > > >> + This recommendation is provided as a network > > troubleshooting > > > >> + convenience; if it is not followed the protocol > > will still > > > >> + function correctly. > > > >> +--- > > > >> > > > >> An OSPFv3 router receiving multiple OSPFv3 IP > > Algorithm Prefix > > > >> Reachability Sub-TLVs in the same parent TLV, > MUST select > > > the first > > > >> @@ -932,13 +955,47 @@ > > > >> This document inherits security considerations > from > > [RFC9350]. > > > >> > > > >> This document introduces one additional way to > > disrupt Flexible > > > >> - algorithm based networks. If the node that is > > authenticated > > > is taken > > > >> - over by an attacker, such rogue node can > advertise a > > prefix > > > >> + Algorithm based networks. If a node that is > > authenticated > > > is taken > > > >> + over by an attacker, such a rogue node can > advertise > > a prefix > > > >> reachability for a particular IP > Flexible-algorithm X > > while that > > > >> prefix has been advertised in algorithm Y. > This kind of > > > attack makes > > > >> - the prefix unreachable. Such attack is not > > preventable through > > > >> + the prefix unreachable. Such an attack is not > > preventable > > > through > > > >> authentication, and it is not different from > > advertising any > > > other > > > >> incorrect information through IS-IS or OSPF. > > > >> +--- > > > >> +jgs: Thanks for this. I think you should provide a > > reference to > > > >> +illustrate what you're talking about, e.g. "This > kind of > > attack > > > makes > > > >> +the prefix unreachable (to see why this is, > consider, for > > > example, the > > > >> +rule given in the second-last paragraph of > Section 6.1)". > > > >> + > > > >> +I see you cribbed the text from RFC 9350, which > is not a > > bad idea > > > >> +considering that was recently approved by the IESG so > > > presumably they > > > >> +like the look of it. But in that case, I think it > would be a > > > good idea > > > >> +to copy the 9350 section more comprehensively. > Something > > like this: > > > >> + > > > >> + This document adds one new way to disrupt IGP > > networks that > > > are using > > > >> + Flex-Algorithm: an attacker can suppress > reachability > > for a > > > given > > > >> + prefix whose reachability is advertised by a > > legitimate node > > > for a > > > >> + particular IP Flex-Algorithm X, by advertising > the same > > > prefix in > > > >> + Flex-Algorithm Y from another, malicious node. (To > > see why > > > this is, > > > >> + consider, for example, the rule given in the > second-last > > > paragraph of > > > >> + Section 6.1.) > > > >> + > > > >> + This attack can be addressed by the existing > security > > > extensions, as > > > >> + described in [RFC5304] and [RFC5310] for IS-IS, in > > [RFC2328] and > > > >> + [RFC7474] for OSPFv2, and in [RFC4552] and > [RFC5340] > > for OSPFv3. > > > >> + > > > >> + If a node that is authenticated is taken over > by an > > > attacker, such a > > > >> + rogue node can perform the attack described > above. > > Such an > > > attack is > > > >> + not preventable through authentication, and it > is not > > > different from > > > >> + advertising any other incorrect information > through > > IS-IS or > > > OSPF. > > > >> + > > > >> +I was tempted to rewrite further (I was bugged that > > "node that is > > > >> +authenticated" isn't a well-defined term) but I > think the > > > argument that > > > >> +this text already passed IESG review recently, is > pretty > > > compelling, so > > > >> +the above is just a minimal substitution into the RFC > > 9350 security > > > >> +considerations. > > > >> +--- > > > >> > > > >> 13. Acknowledgements > > > >> > > > >> > > > >> > > > >> > > > >> > > > > > > > > > > _______________________________________________ > > > Lsr mailing list > > > Lsr@ietf.org <mailto:Lsr@ietf.org> <mailto:Lsr@ietf.org > <mailto:Lsr@ietf.org>> <mailto:Lsr@ietf.org <mailto:Lsr@ietf.org> > > <mailto:Lsr@ietf.org <mailto:Lsr@ietf.org>>> > > > https://www.ietf.org/mailman/listinfo/lsr > <https://www.ietf.org/mailman/listinfo/lsr> > > <https://www.ietf.org/mailman/listinfo/lsr > <https://www.ietf.org/mailman/listinfo/lsr>> > > > <https://www.ietf.org/mailman/listinfo/lsr > <https://www.ietf.org/mailman/listinfo/lsr> > > <https://www.ietf.org/mailman/listinfo/lsr > <https://www.ietf.org/mailman/listinfo/lsr>>> > > > > > >
- [Lsr] AD review of draft-ietf-lsr-ip-flexalgo-08 John Scudder
- Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo… John Scudder
- Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo… Peter Psenak
- Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo… John Scudder
- Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo… Peter Psenak
- Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo… Acee Lindem
- [Lsr] AD review of draft-ietf-lsr-ip-flexalgo-09 John Scudder
- [Lsr] Duplication of TLVs [was: Re: AD review of … John Scudder
- Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo… Peter Psenak
- Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo… John Scudder
- Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo… Ketan Talaulikar
- Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo… Peter Psenak
- Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo… Peter Psenak
- Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo… Ketan Talaulikar
- Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo… Acee Lindem
- Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo… Peter Psenak
- Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo… Ketan Talaulikar
- Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo… Peter Psenak
- Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo… Acee Lindem
- Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo… Ketan Talaulikar
- Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo… Acee Lindem