Re: [Lsr] Roman Danyliw's Discuss on draft-ietf-lsr-ospfv3-extended-lsa-yang-28: (with DISCUSS and COMMENT)

Acee Lindem <acee.ietf@gmail.com> Thu, 01 February 2024 01:15 UTC

From: Acee Lindem <acee.ietf@gmail.com>
In-Reply-To: <170674896520.10154.16061739265470573273@ietfa.amsl.com>
Date: Wed, 31 Jan 2024 20:14:59 -0500
Cc: The IESG <iesg@ietf.org>, draft-ietf-lsr-ospfv3-extended-lsa-yang@ietf.org, lsr-chairs <lsr-chairs@ietf.org>, lsr <lsr@ietf.org>, Christian Hopps <chopps@chopps.org>
Message-Id: <3DA1DD3C-BE3A-42DD-8FD3-734953C39F16@gmail.com>
References: <170674896520.10154.16061739265470573273@ietfa.amsl.com>
To: Roman Danyliw <rdd@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lsr/ooPC-mIv0x6EvuilnkV4AtXF1Ng>
Subject: Re: [Lsr] Roman Danyliw's Discuss on draft-ietf-lsr-ospfv3-extended-lsa-yang-28: (with DISCUSS and COMMENT)


> On Jan 31, 2024, at 19:56, Roman Danyliw via Datatracker <noreply@ietf.org> wrote:
> 
> Roman Danyliw has entered the following ballot position for
> draft-ietf-lsr-ospfv3-extended-lsa-yang-28: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
> for more information about how to handle DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-lsr-ospfv3-extended-lsa-yang/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> ** Section 5.
> 
>   Write
>   operations (e.g., edit-config) to these data nodes without proper
>   protection can have a negative effect on network operations.  There
>   are the subtrees and data nodes and their sensitivity/vulnerability:
> 
>      /ospf:ospf/extended-lsa-support
>      /ospf:ospf/ospf:areas/ospf:area/extended-lsa-support
>      The ability to disable OSPFv3 Extended LSA support can result in a
>      denial of service.
> 
> Isn’t it more than just denial of service?  In certain environments wouldn’t
> the ability to modify OSPF Extended LSA configurations enable an attacker to:
> modify network topologies to enable select traffic to avoid inspection or
> treatment by security controls; route traffic in a way that it would be subject
> to inspection/modification by an adversary node; or gain access to otherwise
> segregated parts of the network.

Only if they were able to craft extended LSAs on behalf of the original as well as
modify the YANG configuration added by this document. I didn’t think we’d have to
reiterate all the possible protocol attacks for every incremental enhancement.

Acee



> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> As an editorial note, I would have benefited from some narrative prose on the data model.
> 
> 
>
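As an added illustration of the "proper protection" the Security Considerations text refers to (this is not part of the thread or of the draft), the NETCONF Access Control Model (RFC 8341) can leave the two nodes quoted above readable while confining write access to one operator group. The group name `ospf-admins`, the user `alice`, and the use of the abbreviated paths exactly as quoted in Section 5 are assumptions; a deployment would use the full instance-identifier path of each node.

```xml
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm"
      xmlns:ospf="urn:ietf:params:xml:ns:yang:ietf-ospf">
  <enable-nacm>true</enable-nacm>
  <!-- Global defaults: reads are permitted, writes are denied unless a
       rule below explicitly permits them. -->
  <read-default>permit</read-default>
  <write-default>deny</write-default>
  <exec-default>permit</exec-default>

  <groups>
    <group>
      <name>ospf-admins</name>          <!-- assumed group name -->
      <user-name>alice</user-name>      <!-- constructed sample user -->
    </group>
  </groups>

  <!-- Rule-lists are evaluated in order; the first matching rule wins. -->
  <rule-list>
    <name>ospfv3-extended-lsa-admins</name>
    <group>ospf-admins</group>
    <rule>
      <name>permit-global-extended-lsa-support</name>
      <path>/ospf:ospf/extended-lsa-support</path>   <!-- path as quoted in Section 5 -->
      <access-operations>create update delete</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>permit-area-extended-lsa-support</name>
      <path>/ospf:ospf/ospf:areas/ospf:area/extended-lsa-support</path>
      <access-operations>create update delete</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>

  <!-- Explicit deny for every other group, so the protection holds even
       on a device whose write-default is later relaxed to "permit". -->
  <rule-list>
    <name>ospfv3-extended-lsa-everyone-else</name>
    <group>*</group>
    <rule>
      <name>deny-extended-lsa-support-writes</name>
      <path>/ospf:ospf/extended-lsa-support</path>
      <access-operations>create update delete</access-operations>
      <action>deny</action>
    </rule>
    <rule>
      <name>deny-area-extended-lsa-support-writes</name>
      <path>/ospf:ospf/ospf:areas/ospf:area/extended-lsa-support</path>
      <access-operations>create update delete</access-operations>
      <action>deny</action>
    </rule>
  </rule-list>
</nacm>
```

With this in place an edit-config that toggles either node from a session outside `ospf-admins` is rejected with an access-denied error, which is also the event to alert on in the device's NETCONF audit log.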