Re: [Lsr] Spencer Dawkins' No Objection on draft-ietf-ospf-ospfv3-segment-routing-extensions-20: (with COMMENT)
Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Wed, 05 December 2018 20:58 UTC
Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: lsr@ietfa.amsl.com
Delivered-To: lsr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54892130ECE; Wed, 5 Dec 2018 12:58:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 84PqV6srb4fV; Wed, 5 Dec 2018 12:58:29 -0800 (PST)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44628130E55; Wed, 5 Dec 2018 12:58:29 -0800 (PST)
Received: by mail-lj1-x22c.google.com with SMTP id x85-v6so19658114ljb.2; Wed, 05 Dec 2018 12:58:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=7hKEtSINwJ0HyflzSoLPggOAjwcuq0YPsNNn0auHq08=; b=K4iFkqPwVDGLvNOxeYFwvQjO4oKqK9UpWHNp4EvKi3nHurnCN0Ct+eDi6PhZli24j0 Uu8C2DbFf/hYrNwT/PRr/i0Sd8p9pgH72V0S5kz47u02qJkQbE8qsvo72jAM/ffd/p1u AsFoabC+XzFd5b9AP0ZtYmRweaPaJ8JwrdAqVKHzJo1cPn+RdPPpYA1DSaVp68RWnoUA cAGBMdCGluFMnaV8g5ZuG2vuaFVnxUvsNk4Y8FYsym8DqdIy/jRdnWdUkT++0O5YLTnf OdQ+0XPZghwFT7vemj8Tipw/n3Hc6BzMT3f7xNL+4bjJJ+2zgFTAayhxFUmem/nAyeko MUbQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=7hKEtSINwJ0HyflzSoLPggOAjwcuq0YPsNNn0auHq08=; b=oLkFvD9b8qoJ9oaU/MgK6cC5RW0ocrVHLNoTE6O47uMAbj6lICDgU1lr6C6xUFCSMs Thsjwl10vhbOJS+PrulJGenoNTFAheYh54KQhUtr99muixMU6+7e7pSmaoEGUatmY9yA 3arZiS5K6sYtiZd/WtERKazwnoDwsQJyK4crp2ztFM6FKk3VUk5tIUSDLb4oSThnYFKq rZ8qar1EEWlX+E5+DIGrwGitciQLIosOCSNK9tqD6JA4a9vlgxC/nXpyq7ghBqd5bcLQ /Lg4lUOfLZXcQTWLw407B47+Q6bxm+vRmkBS96otkryPUUVM0Z3YJRfjhNuTjYNTz1oc FXeA==
X-Gm-Message-State: AA+aEWYQK3+SoL/v3yBzykhMGNIXFtcICv6noB6/CaFUb930p9TR+tBx 3DCzarZsY8vq28vZCCKfQj3tgFAUHJJ1SRxbcw0=
X-Google-Smtp-Source: AFSGD/XbOsOwR+JCoy7nfVbu5uOIbsbM/e9Exvl0kSMGltsFQXA1NrK2+hapmthHYtR8i/EX/8j576o/40ADW9QR2sY=
X-Received: by 2002:a2e:851a:: with SMTP id j26-v6mr14805033lji.163.1544043507258; Wed, 05 Dec 2018 12:58:27 -0800 (PST)
MIME-Version: 1.0
References: <D8C248E7-1E14-4BD1-9901-68B377E05EEE@cisco.com>
In-Reply-To: <D8C248E7-1E14-4BD1-9901-68B377E05EEE@cisco.com>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Wed, 05 Dec 2018 14:58:14 -0600
Message-ID: <CAKKJt-dv4X0U2T2Mg3kJ64tw87KiK4L_sBD=NZ2n8274cmdADg@mail.gmail.com>
To: "Acee Lindem (acee)" <acee@cisco.com>
Cc: IESG <iesg@ietf.org>, "Alvaro Retana (aretana)" <aretana.ietf@gmail.com>, draft-ietf-ospf-ospfv3-segment-routing-extensions@ietf.org, lsr-chairs@ietf.org, lsr@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c49865057c4ca4c5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lsr/mf20TrDlnCuMMHzhlX0kQO7Iq30>
Subject: Re: [Lsr] Spencer Dawkins' No Objection on draft-ietf-ospf-ospfv3-segment-routing-extensions-20: (with COMMENT)
X-BeenThere: lsr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Link State Routing Working Group <lsr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lsr>, <mailto:lsr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lsr/>
List-Post: <mailto:lsr@ietf.org>
List-Help: <mailto:lsr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lsr>, <mailto:lsr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2018 20:58:33 -0000
Hi, Acee, On Wed, Dec 5, 2018 at 12:07 PM Acee Lindem (acee) <acee@cisco.com> wrote: > Hey Spencer, > > Fixed RFC references in my reply. > Thanks for considering my comments, and correcting the RFC references. Anything you do to unconfuse an AD is probably a good idea! Spencer > On Dec 5, 2018, at 11:34 AM, Spencer Dawkins at IETF < > spencerdawkins.ietf@gmail.com> wrote: > > > > Hi, Acee, > > On Tue, Dec 4, 2018 at 6:37 PM Acee Lindem (acee) <acee@cisco.com> wrote: > > Hi Spencer, > > I'm replying as document shepherd. > > > > It's a pleasure to be talking when we're not both sleepwalking on a 777 > :-) > > > > Luckily the flight home was a breeze compared to my 25 hour 40 minute > flight to Hong Kong. > > > > > > Please note that all of these are comments, so covered under "do the right > thing". > > > > On 12/4/18, 1:40 PM, "Spencer Dawkins" <spencerdawkins.ietf@gmail.com> > wrote: > > Spencer Dawkins has entered the following ballot position for > draft-ietf-ospf-ospfv3-segment-routing-extensions-20: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to > https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-ospf-ospfv3-segment-routing-extensions/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > The Introduction would have been much clearer for me if these > paragraphs were > much closer to the top of the section - they're at the bottom of the > section > now. > > This draft describes the OSPFv3 extensions required for Segment > Routing with MPLS data plane. > > Segment Routing architecture is described in [RFC8402]. > > Segment Routing use cases are described in [RFC7855]. > > With that change, I'm not sure how much of the discussion in the > Introduction > would still be required, but do the right thing, of course. > > I'd make the same suggestion for the Abstract, > > Segment Routing (SR) allows a flexible definition of end-to-end paths > within IGP topologies by encoding paths as sequences of topological > sub-paths, called "segments". These segments are advertised by the > link-state routing protocols (IS-IS and OSPF). > > This draft describes the OSPFv3 extensions required for Segment > Routing with MPLS data plane. > > if it was more than two paragraphs long ... > > You mean "were" since this is subjective. I'm not sure what you're asking > for since your comment has something to do with ordering and, as you note, > the abstract is two paragraphs long. > > > > Sorry this wasn't clear. > > > > What I meant was, the Introduction is long enough that moving the > high-order bits to the top is helpful; the Abstract also has the high-order > bits at the bottom, but it's a short distance to the bottom. If you flipped > the Abstract, that might be helpful, and would match the Introduction, but > if you don't, I think making the change in the Introduction would be > sufficient. > > > > I read this and we’ll consider but I don’t think we’ll move things around. > All the SR RFCs/drafts have this abstract ordering and I can’t see just > changing this one. > > > > > > > I am thinking that the reference > > There are additional segment types, e.g., Binding SID defined in > [RFC8402]. > > would be more useful at the beginning of Section 3, because that's > where you > list the additional segment types, but the reference is back in the > Introduction (with only one example of the segment types). > > Actually, the Binding SID is no longer in the encodings so this could be > removed. > > > > An even better reason to remove this sentence :D ... > > > > That would put the reference to RFC 8402 in Section 3, I assume. > > > > > > We will remove the references to binding SID. I think we put the reference > to RFC 8402 earlier in the Introduction. > > > > > > > > I'm thinking the SHOULD in this text > > Existing security extensions as described in [RFC5340] and [RFC8362] > apply to these segment routing extensions. While OSPFv3 is under a > single administrative domain, there can be deployments where > potential attackers have access to one or more networks in the > OSPFv3 > routing domain. In these deployments, stronger authentication > mechanisms such as those specified in [RFC4552] or [RFC7166] SHOULD > be used. > > is not an RFC 2119 SHOULD that describes interworking, so something > like > > In these deployments, stronger authentication > mechanisms such as those specified in [RFC4552] or [RFC7166] are > needed. > > I'll defer to our AD, Alvaro. We have normative text in other "Security > Considerations" sections. > > > > Oh, sure. That wasn't my heartburn at all. My point was > > > would be better, but if this IS a SHOULD, I'm curious why you wouldn't > use > stronger authentication mechanisms if they're needed. You might want > to add > guidance about that, so it's not confused with MUST (BUT WE KNOW YOU > WON'T) as > defined in https://tools.ietf.org/html/rfc6919#section-1. > > > > that I'm reading the text as saying "you're more vulnerable to attackers, > so you SHOULD use stronger authentication mechanisms, but you might not, > for reasons left to the implementer". Is there a reason that you might > decide not to use stronger authentication mechanisms when you're more > vulnerable to attackers? If so, you might provide it as an example, so the > implementers can do the right thing. > > > > (I spent enough time in the SIP community talking to product managers who > wanted to pay for MUSTs, but didn't think they needed to pay for SHOULDs, > that I'm perhaps overreacting to a problem you folks in RTG don't have. Do > the right thing, of course!) > > > > I see your point but “SHOULD” is already pretty strong language but we > wouldn’t be opposed to changing it to “MUST” since an implementation > advanced enough to support OSPFv3 SR should support RFC4552 and/or RFC7166. > However the latter is simpler from an operational standpoint. > > > > Thanks, > > Acee > > > > > > > > Is there another document that says things like > > Implementations MUST assure that malformed TLV and Sub-TLV defined in > this document are detected and do not provide a vulnerability for > attackers to crash the OSPFv3 router or routing process. Reception > of a malformed TLV or Sub-TLV SHOULD be counted and/or logged for > further analysis. Logging of malformed TLVs and Sub-TLVs SHOULD be > rate-limited to prevent a Denial of Service (DoS) attack > (distributed > or otherwise) from overloading the OSPFv3 control plane. > > ? This doesn't seem very SR-specific, although I'm guessing. If > there's a > broader document, I don't object to including this guidance here, but > adding a > reference to a broader document might be useful. > > We do have similar text in section 5 of RFC8362. However, it is not in the > "Security Considerations" and the statement about rate-limiting is not > there. It doesn’t hurt to repeat it and it provides confidence that > "security" has been appropriately "considered". > > > > Agree, and thanks for considering all my comments. > > > > Spencer > > > > > Thanks, > Acee > > > >
- [Lsr] Spencer Dawkins' No Objection on draft-ietf… Spencer Dawkins
- Re: [Lsr] Spencer Dawkins' No Objection on draft-… Acee Lindem (acee)
- Re: [Lsr] Spencer Dawkins' No Objection on draft-… Spencer Dawkins at IETF
- Re: [Lsr] Spencer Dawkins' No Objection on draft-… Acee Lindem (acee)
- Re: [Lsr] Spencer Dawkins' No Objection on draft-… Acee Lindem (acee)
- Re: [Lsr] Spencer Dawkins' No Objection on draft-… Spencer Dawkins at IETF
- Re: [Lsr] Spencer Dawkins' No Objection on draft-… Peter Psenak
- Re: [Lsr] Spencer Dawkins' No Objection on draft-… Thomas Beaver