Re: [Lsr] Roman Danyliw's Discuss on draft-ietf-lsr-ospfv3-extended-lsa-yang-28: (with DISCUSS and COMMENT)

Acee Lindem <acee.ietf@gmail.com> Thu, 01 February 2024 01:51 UTC

From: Acee Lindem <acee.ietf@gmail.com>
Message-Id: <FCF92100-0393-46A2-92ED-A86D9B3CA747@gmail.com>
Date: Wed, 31 Jan 2024 20:50:44 -0500
In-Reply-To: <3DA1DD3C-BE3A-42DD-8FD3-734953C39F16@gmail.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-lsr-ospfv3-extended-lsa-yang@ietf.org, lsr-chairs <lsr-chairs@ietf.org>, lsr <lsr@ietf.org>, Christian Hopps <chopps@chopps.org>
To: Roman Danyliw <rdd@cert.org>
References: <170674896520.10154.16061739265470573273@ietfa.amsl.com> <3DA1DD3C-BE3A-42DD-8FD3-734953C39F16@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lsr/RsPX2_9U3NcBCYaAYn55quf8EJs>
Subject: Re: [Lsr] Roman Danyliw's Discuss on draft-ietf-lsr-ospfv3-extended-lsa-yang-28: (with DISCUSS and COMMENT)
List-Id: Link State Routing Working Group <lsr.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lsr/>


> On Jan 31, 2024, at 20:14, Acee Lindem <acee.ietf@gmail.com> wrote:
> 
> 
> 
>> On Jan 31, 2024, at 19:56, Roman Danyliw via Datatracker <noreply@ietf.org> wrote:
>> 
>> Roman Danyliw has entered the following ballot position for
>> draft-ietf-lsr-ospfv3-extended-lsa-yang-28: Discuss
>> 
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>> 
>> 
>> Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
>> for more information about how to handle DISCUSS and COMMENT positions.
>> 
>> 
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-lsr-ospfv3-extended-lsa-yang/
>> 
>> 
>> 
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>> 
>> ** Section 5.
>> 
>>  Write
>>  operations (e.g., edit-config) to these data nodes without proper
>>  protection can have a negative effect on network operations.  There
>>  are the subtrees and data nodes and their sensitivity/vulnerability:
>> 
>>     /ospf:ospf/extended-lsa-support
>>     /ospf:ospf/ospf:areas/ospf:area/extended-lsa-support
>>     The ability to disable OSPFv3 Extended LSA support can result in a
>>     denial of service.
>> 
>> Isn’t it more than just denial of service?  In certain environments wouldn’t
>> the ability to modify OSPF Extended LSA configurations enable an attacker to:
>> modify network topologies to enable select traffic to avoid inspection or
>> treatment by security controls; route traffic in a way that it would be subject
>> to inspection/modification by an adversary node; or gain access to otherwise
>> segregated parts of the network.
> 
> Only if they were able to craft extended LSAs on behalf of the original as well as
> modify the YANG configuration added by this document. I didn’t think we’d have to
> reiterate all the possible protocol attacks for every incremental enhancement.

Furthermore, no one is going to use the support of extended LSAs to isolate OSPFv3 domains 
from one another. The configuration is to control migration to the extended LSA encodings.
Please see RFC 8362 for more information on OSPFv3 Extended LSAs.  

Acee
> 
> Acee
> 
> 
> 
>> 
>> 
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>> 
>> As an editorial note, I would have benefited from some narrative prose on the data model.
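Added illustration, not part of this thread or of the draft: the "proper protection" the DISCUSS text refers to is, for a YANG module, normally the NETCONF Access Control Model (NACM, RFC 8341). Below is a NACM rule-list that leaves the ospf subtree readable to an operations group but denies every create/update/delete on the nodes this module adds, so an edit-config that flips extended-lsa-support is rejected with an access-denied error instead of being applied. The module name ietf-ospfv3-extended-lsa, the group and user names, and the enclosing /rt:routing/rt:control-plane-protocols/rt:control-plane-protocol path (where the ietf-ospf model of RFC 9129 places the ospf container) are assumptions made for the example.

```xml
<!-- Added example (not the draft's text): NACM configuration that protects the
     extended-lsa-support leaves named in the Security Considerations.
     Assumptions: module name ietf-ospfv3-extended-lsa, group/user names,
     and the RFC 9129 ospf location under rt:control-plane-protocol. -->
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm"
      xmlns:rt="urn:ietf:params:xml:ns:yang:ietf-routing"
      xmlns:ospf="urn:ietf:params:xml:ns:yang:ietf-ospf">
  <enable-nacm>true</enable-nacm>
  <!-- Safe defaults: nothing is writable unless a rule permits it. -->
  <read-default>permit</read-default>
  <write-default>deny</write-default>
  <exec-default>deny</exec-default>

  <groups>
    <group>
      <name>netops-monitor</name>      <!-- assumed group: read-only operators -->
      <user-name>monitor</user-name>   <!-- assumed user -->
    </group>
    <group>
      <name>netops-admin</name>        <!-- assumed group: allowed to migrate -->
      <user-name>igp-admin</user-name> <!-- assumed user -->
    </group>
  </groups>

  <rule-list>
    <name>ospfv3-extended-lsa-monitor</name>
    <group>netops-monitor</group>
    <!-- Monitoring may read the whole ospf subtree ... -->
    <rule>
      <name>read-ospf</name>
      <module-name>ietf-ospf</module-name>
      <path>/rt:routing/rt:control-plane-protocols/rt:control-plane-protocol/ospf:ospf</path>
      <access-operations>read</access-operations>
      <action>permit</action>
    </rule>
    <!-- ... but may never write the nodes this module adds: toggling
         extended-lsa-support (global or per area) is the DoS the draft names. -->
    <rule>
      <name>deny-extended-lsa-write</name>
      <module-name>ietf-ospfv3-extended-lsa</module-name>
      <access-operations>create update delete</access-operations>
      <action>deny</action>
      <comment>Disabling OSPFv3 Extended LSA support mid-migration breaks adjacencies; admins only.</comment>
    </rule>
  </rule-list>

  <rule-list>
    <name>ospfv3-extended-lsa-admin</name>
    <group>netops-admin</group>
    <!-- Only the IGP admin group may change the migration knob. -->
    <rule>
      <name>permit-extended-lsa-write</name>
      <module-name>ietf-ospfv3-extended-lsa</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
</nacm>
```

The deny rule is keyed on module-name rather than on a data-node path so that it covers every node the module augments in, the area-level leaf included, without having to enumerate each path; NACM evaluates rule-lists in order, so an operator in both groups would be matched by whichever rule-list is listed first.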