IETF Logo Mail Archive

Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo-09

Ketan Talaulikar <ketant.ietf@gmail.com> Thu, 04 May 2023 12:32 UTC

Return-Path: <ketant.ietf@gmail.com>
X-Original-To: lsr@ietfa.amsl.com
Delivered-To: lsr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88897C13AE37; Thu, 4 May 2023 05:32:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kQ_ZGxVc5946; Thu, 4 May 2023 05:32:48 -0700 (PDT)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF031C13AE41; Thu, 4 May 2023 05:32:46 -0700 (PDT)
Received: by mail-ed1-x52a.google.com with SMTP id 4fb4d7f45d1cf-50bc3a2d333so608582a12.0; Thu, 04 May 2023 05:32:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1683203565; x=1685795565; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Tjoeevb2xhaPJwM+u0n1nOgN13NuDpcv41P2IArZUGk=; b=MS3DVUd+6xSyt31bYL0e41DnmnHgH9qBDsywy0rwrg/Orxe9fJ0hMyw3FCv90I5/5T Rsd4GZ8L+0yTTs/0HsE0KLLEWhhEHEeSNYtW62aASWfD0Eco1maKItnkb3TGJspIVR9E +PW2IiluoOuCS3gKNiw3GvsGLimk12Wuz+bfgYESXB4Vue4FJUABn1dERmR1VZWezRw/ l+NU6iEZEfa6X/TBA1KAImqoA1hCPGOOkhL2hSEAk1d3Qz1AZ/g6P89dlfpqlGbbt9Vw +ypP2BwOuvYDVe3AZ49qtuZ0HiQHz0ZUCD4s7qotlXoULAv4Oor5yZ6ge5qghV2stbT0 TIDQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683203565; x=1685795565; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Tjoeevb2xhaPJwM+u0n1nOgN13NuDpcv41P2IArZUGk=; b=Bb0Tmriz71QQsDYl5B9iE98Odm6iWW/bqHMFAZKLfvYbkFLol6sI87QDa1jJkkkpOJ j2bNKwGfxMdXQ0V68bKhOFXQZDqGQAHPW65DXVGqxoS7r6vnDUk1eNJ/HbEKLqGZuJM3 e3RJf2xcpJmOEQIn6cNfI/UAumVZfwyALf7MPUeQzX0nXOBz79h1UmljIj7HoJTo0GUn ONoq/lXuxTfUCajoR/kPRel0qJPIlPadY/zdQvlq/nC05G2UvaODPw/v0SxVlHk9YPc4 GZ/KsbykdbenxN2Bt32DtD58G2KJajjkAuQ33MJ6mXGPRBn1p+9HWEYql76eThk7NkoM ZSwg==
X-Gm-Message-State: AC+VfDyGU+/yIBZj/CkyOkWw7FZsVMszdWDr8fHmbSKlzctvoi9qFwOn eZ/bG6e/H8C0glyaTQzpKm6x8s+ePFTfoF+aMvk=
X-Google-Smtp-Source: ACHHUZ7yZu72/vSHZpxBIDZy5UW9DkX8lti4DNstu4MpCnRxYjaT3GJ3tZemCIwdtJNRwwVlbSNUWC+9LQKuWGZQPRU=
X-Received: by 2002:a17:907:9306:b0:94e:6a24:9463 with SMTP id bu6-20020a170907930600b0094e6a249463mr6665959ejc.28.1683203565083; Thu, 04 May 2023 05:32:45 -0700 (PDT)
MIME-Version: 1.0
References: <3A7BA75A-2561-4B4F-87B1-01BEFB167DCF@juniper.net> <52143c2f-906a-a574-a872-3ffb4f8746c8@cisco.com> <BF7FD212-0330-4310-935E-105B4E60B0BC@juniper.net> <d2718d4f-eb6d-3b15-9b59-e18e211fa755@cisco.com> <DC8412DA-7CEB-42C7-B37A-04E59690C36A@juniper.net> <CAH6gdPzwJ=pksvBkF5wsHnkh5M-jBksrQcZB_sq9+7wynKUgqQ@mail.gmail.com> <5c3a2682-090f-73f0-b595-de56fa728df5@cisco.com> <CAH6gdPybams9aTsE32Ftidb0VtV7E5M6Ty5kk8203g3zHJ305g@mail.gmail.com> <f4c7f945-927c-ab4a-dc8f-20714e235146@cisco.com>
In-Reply-To: <f4c7f945-927c-ab4a-dc8f-20714e235146@cisco.com>
From: Ketan Talaulikar <ketant.ietf@gmail.com>
Date: Thu, 04 May 2023 18:02:33 +0530
Message-ID: <CAH6gdPyAj35G=p6iaNi5WPDgebMp+C0kwJHSW3imvWti9QbMzg@mail.gmail.com>
To: Peter Psenak <ppsenak@cisco.com>
Cc: John Scudder <jgs@juniper.net>, Shraddha Hegde <shraddha@juniper.net>, draft-ietf-lsr-ip-flexalgo@ietf.org, lsr <lsr@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000094de8b05fadd5e05"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lsr/wCFus_H_sf6YdnsXMNubsMzGgHc>
Subject: Re: [Lsr] AD review of draft-ietf-lsr-ip-flexalgo-09
X-BeenThere: lsr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Link State Routing Working Group <lsr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lsr>, <mailto:lsr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lsr/>
List-Post: <mailto:lsr@ietf.org>
List-Help: <mailto:lsr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lsr>, <mailto:lsr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2023 12:32:52 -0000

Hi Peter,

Thanks for this updated version and it addresses my comments.

The route tag functionality for IP Algo reachability is best provided by
the upcoming draft-ietf-lsr-ospf-admin-tags. As co-authors of that draft,
could either you or Acee cover applicability for both IP Algo and SRv6
Locator?

That way we have functional parity for IP algorithm reachability for OSPF
all taken care of.

Thanks,
Ketan


On Thu, 4 May, 2023, 5:39 pm Peter Psenak, <ppsenak@cisco.com> wrote:

> Hi Ketan,
>
> please find the updated version and the diffs from previous one attached.
>
> Please let me know if you have any comments or suggestions.
>
> thanks,
> Peter
>
> On 03/05/2023 15:30, Ketan Talaulikar wrote:
> > Hi Peter,
> >
> > Please check inline below.
> >
> > On Wed, May 3, 2023 at 6:16 PM Peter Psenak <ppsenak@cisco.com
> > <mailto:ppsenak@cisco.com>> wrote:
> >
> >     Hi Ketan,
> >
> >     On 03/05/2023 06:09, Ketan Talaulikar wrote:
> >      > Hello Authors/All,
> >      >
> >      > I think there are a couple of issues with this document related to
> >      > OSPFv2 aspects. My apologies for this last minute notice and not
> >      > catching them earlier during the WGLC. >
> >      > 1) The OSPFv2 IP Algorithm Prefix Reachability Sub-TLV is not
> >     carrying
> >      > the indication of Type1/Type2 for External and NSSA-External route
> >      > advertisements. A way to fix/address this would be to introduce a
> >     1 byte
> >      > flags in the Reserved space and then introduce the "E -bit"
> >     similar to
> >      > how it is there in the base OSPFv2 External LSAs -
> >      > https://datatracker.ietf.org/doc/html/rfc2328#appendix-A.4.5
> >     <https://datatracker.ietf.org/doc/html/rfc2328#appendix-A.4.5>
> >      > <https://datatracker.ietf.org/doc/html/rfc2328#appendix-A.4.5
> >     <https://datatracker.ietf.org/doc/html/rfc2328#appendix-A.4.5>>
> >
> >     can't we live without the Ext. Type-2 metric for the IP algo prefixes
> >     and treat then as Type 1 ext metric always?
> >     The real advantage of the Type-2 metric is not really significant.
> >
> >
> > KT> That is an option but it would create deviations from the base OSPF
> > processing for IP Algo reachability. That may be more of an issue for
> > implementations and may be even operators used to OSPF. It may be easier
> > to just fix the encoding to allow the indication of Type 1/2.
> >
> >
> >      >
> >      > 2) Also for OSPFv2, since we don't have the base OSPFv2 LSA for
> Algo
> >      > reachability, we are missing some key sub-TLVs in the OSPFv2
> >     Extended
> >      > Prefix Sub-TLVs that would be required for IP FlexAlgo
> >     reachability -
> >      > mainly Forwarding Address and Route Tag.
> >
> >     Similarly using the forwarding address is something which has limited
> >     benefits and we do not need it for the IP Algo prefixes.
> >
> >     The only problem is during the NSSA translation, where the spec
> >     mandates
> >     the non-zero forwarding address. Is that something that we really
> need?
> >
> >
> > KT> Same as the previous comment. We will hit some corner cases and may
> > need to carve out these exceptions. It may be simpler to just add these
> > sub-TLVs.
> >
> >
> >      >
> >      > 3) Along with the above changes, perhaps some text is required to
> >      > indicate the use of these new sub-TLVs and how OSPFv2 base route
> >      > calculations apply for various route types (specifically external
> >     and NSSA)?
> >
> >     how is that different to regular prefix (RFC2328)?
> >
> >
> > KT> The route calculations don't change - only that everything is done
> > using only the OSPFv2 Extended Prefix LSAs instead of the base OSPF
> > LSAs. One can say it is implicit so I wonder if it helps to make this
> > explicit.
> >
> >
> >     thanks,
> >     Peter
> >
> >      >
> >      > 4) A nit: in a few places in sec 6.3, the OSPFv2 IP Algorithm
> Prefix
> >      > Reachability is being referred to as TLV instead of sub-TLV.
> Similar
> >      > issue in sec 6.4 for OSPFv3.
> >      >
> >      > Thanks,
> >      > Ketan
> >      >
> >      >
> >      > On Wed, May 3, 2023 at 12:01 AM John Scudder
> >      > <jgs=40juniper.net@dmarc.ietf.org
> >     <mailto:40juniper.net@dmarc.ietf.org>
> >     <mailto:40juniper.net@dmarc.ietf.org
> >     <mailto:40juniper.net@dmarc.ietf.org>>>
> >      > wrote:
> >      >
> >      >     Hi Peter,
> >      >
> >      >     All good, I figured it was something like that. Two residual
> >     nits —
> >      >
> >      >     1. One “datapalne” got left in. I guess you need something to
> >     seed
> >      >     version 11 after all…
> >      >
> >      >     2. It looks like this one got omitted:
> >      >
> >      >     @@ -579,8 +592,18 @@
> >      >          receiver.
> >      >
> >      >          The metric value in the parent TLV is RECOMMENDED to be
> >     set to
> >      >     -   LSInfinity [RFC2328].  This recommendation only servers
> for
> >      >     debugging
> >      >     +   LSInfinity [RFC2328].  This recommendation only serves
> >     for debugging
> >      >          purposes and does not impact the functionality.
> >      >     +---
> >      >     +jgs: Thanks for adding the additional explanation. I made a
> >     minor
> >      >     editing
> >      >     +correction in-line, but I also have a slightly more extensive
> >      >     revision to
> >      >     +suggest:
> >      >     +
> >      >     +NEW:
> >      >     +     This recommendation is provided as a network
> >     troubleshooting
> >      >     +     convenience; if it is not followed the protocol will
> still
> >      >     +     function correctly.
> >      >     +—
> >      >
> >      >     Obviously, I don’t insist on the proposed rewrite. But even
> >     if you
> >      >     don’t use it you presumably should take the s/servers/serves/
> >      >     proofreading correction.
> >      >
> >      >     I’m going to go ahead and request IETF Last Call, but feel
> >     free to
> >      >     push a revision with corrections if you want.
> >      >
> >      >     —John
> >      >
> >      >      > On May 2, 2023, at 6:06 AM, Peter Psenak
> >      >     <ppsenak=40cisco.com@dmarc.ietf.org
> >     <mailto:40cisco.com@dmarc.ietf.org>
> >      >     <mailto:40cisco.com@dmarc.ietf.org
> >     <mailto:40cisco.com@dmarc.ietf.org>>> wrote:
> >      >      >
> >      >      >
> >      >      > Hi John,
> >      >      >
> >      >      > I apologize for the misses, likely the result of multiple
> >     editors
> >      >      > updating the draft in parallel.
> >      >      >
> >      >      > I also fixed the nits and updated the security sections as
> you
> >      >     proposed.
> >      >      >
> >      >      > Version 10 has been published.
> >      >      >
> >      >      > thanks,
> >      >      > Peter
> >      >      >
> >      >      >
> >      >      >
> >      >      >
> >      >      >
> >      >      > On 01/05/2023 20:54, John Scudder wrote:
> >      >      >> Hi Peter (and Shraddha),
> >      >      >>
> >      >      >>> On Apr 28, 2023, at 9:13 AM, Peter Psenak
> >      >     <ppsenak=40cisco.com@dmarc.ietf.org
> >     <mailto:40cisco.com@dmarc.ietf.org>
> >      >     <mailto:40cisco.com@dmarc.ietf.org
> >     <mailto:40cisco.com@dmarc.ietf.org>>> wrote:
> >      >      >>>
> >      >      >>> Shradha and I have worked to address your comments.
> >      >      >>> The new version of the draft has been published.
> >      >      >>
> >      >      >> Thanks for that. I’ve reviewed the diffs in 09. I’ve
> >     attached a
> >      >     short review of it; there are some minor proofreading
> >     changes, but
> >      >     also one place a substantive edit was overlooked that I’ve
> >     flagged
> >      >     in Section 6.2. I also made a further suggestion on your
> Security
> >      >     Considerations.
> >      >      >>
> >      >      >> I think one more revision and we will be ready for IETF
> >     Last Call.
> >      >      >>
> >      >      >> Thanks,
> >      >      >>
> >      >      >> —John
> >      >      >>
> >      >      >> --- draft-ietf-lsr-ip-flexalgo-09.txt 2023-05-01
> >      >     13:21:34.000000000 -0400
> >      >      >> +++ draft-ietf-lsr-ip-flexalgo-09-jgs-comments.txt
> >     2023-05-01
> >      >     14:47:16.000000000 -0400
> >      >      >> @@ -138,9 +138,9 @@
> >      >      >>     result, traffic for different sessions is destined to
> a
> >      >     different
> >      >      >>     destination IP address.
> >      >      >>
> >      >      >> -   IP address allocated to the UPF can be associated
> with an
> >      >     algoritm.
> >      >      >> +   The IP address allocated to the UPF can be associated
> >     with
> >      >     an algorithm.
> >      >      >>     The mobile user traffic is then forwarded along the
> path
> >      >     based on the
> >      >      >> -   algorithm specific metric and constraints.  As a
> result,
> >      >     traffic can
> >      >      >> +   algorithm-specific metric and constraints.  As a
> result,
> >      >     traffic can
> >      >      >>     be sent over a path that is optimized for minimal
> >     latency or
> >      >     highest
> >      >      >>     bandwidth.  This mechanism is used to achieve SLA
> >     (Service Level
> >      >      >>     Agreement) appropriate for a user session.
> >      >      >> @@ -186,9 +186,9 @@
> >      >      >>
> >      >      >>     Advertisement of participation in IP Flex-Algorithm
> >     does not
> >      >     impact
> >      >      >>     the router participation signaled for other
> >     data-planes.  For
> >      >      >> -   Example, it is possible that a router participates in
> a
> >      >     particular
> >      >      >> -   flex-algo for IP datapalne but does not participate
> >     in the
> >      >     same flex-
> >      >      >> -   algo for SR dataplane.
> >      >      >> +   example, it is possible that a router participates in
> a
> >      >     particular
> >      >      >> +   flex-algo for the IP dataplane but does not
> >     participate in
> >      >     the same flex-
> >      >      >> +   algo for the SR dataplane.
> >      >      >>
> >      >      >>     The following sections describe how the IP
> Flex-Algorithm
> >      >      >>     participation is advertised in IGP protocols.
> >      >      >> @@ -196,6 +196,11 @@
> >      >      >>  5.1.  The IS-IS IP Algorithm Sub-TLV
> >      >      >>
> >      >      >>     The ISIS [ISO10589] IP Algorithm Sub-TLV is a sub-TLV
> >     of the
> >      >     IS-IS
> >      >      >> +---
> >      >      >> +jgs: Was it deliberate that you didn't accept the
> >     suggestion to
> >      >      >> +hyphenate "ISIS" above, or an oversight? If deliberate,
> >     how come?
> >      >      >> +If accidental, please change in next rev.
> >      >      >> +---
> >      >      >>     Router Capability TLV [RFC7981] and has the following
> >     format:
> >      >      >>
> >      >      >>          0                   1                   2
> >      >           3
> >      >      >> @@ -302,9 +307,9 @@
> >      >      >>  6.  Advertising IP Flex-Algorithm Reachability
> >      >      >>
> >      >      >>     To be able to associate the prefix with the
> >     Flex-Algorithm, the
> >      >      >> -   existing prefix reachability advertisements can not
> >     be used,
> >      >     because
> >      >      >> +   existing prefix reachability advertisements cannot be
> >     used,
> >      >     because
> >      >      >>     they advertise the prefix reachability in default
> >     algorithm 0.
> >      >      >> -   Instead, a new IP Flex-Algorithm reachability
> >     advertisements are
> >      >      >> +   Instead, new IP Flex-Algorithm reachability
> >     advertisements are
> >      >      >>     defined in IS-IS and OSPF.
> >      >      >>
> >      >      >>     The M-flag in the FAD is not applicable to IP
> Algorithm
> >      >     Prefixes.
> >      >      >> @@ -410,6 +415,11 @@
> >      >      >>     all of them do not advertise the same algorithm, it
> MUST
> >      >     ignore all
> >      >      >>     of them and MUST NOT install any forwarding entries
> >     based on
> >      >     these
> >      >      >>     advertisements.  This situation SHOULD be logged as
> >     an error.
> >      >      >> +---
> >      >      >> +jgs: Thanks for these rewrites. Unfortunately there is a
> >      >     similar case
> >      >      >> +later (Section 6.2) which was missed. It needs a similar
> >     rewrite,
> >      >      >> +I will flag it below, please refer back to this section.
> >      >      >> +---
> >      >      >>
> >      >      >>     In cases where a prefix advertisement is received in
> >     both a IPv4
> >      >      >>     Prefix Reachability TLV and an IPv4 Algorithm Prefix
> >      >     Reachability
> >      >      >> @@ -434,6 +444,9 @@
> >      >      >>     with a different Algorithm, MUST ignore all of them
> >     and MUST NOT
> >      >      >>     install any forwarding entries based on these
> >      >     advertisements.  This
> >      >      >>     situation SHOULD be logged as an error.
> >      >      >> +---
> >      >      >> +jgs: These two paragraphs need a rewrite similar to
> >     Section 6.1.
> >      >      >> +---
> >      >      >>
> >      >      >>     In cases where a prefix advertisement is received in
> >     both an
> >      >     IPv6
> >      >      >>     Prefix Reachability TLV and an IPv6 Algorithm Prefix
> >      >     Reachability
> >      >      >> @@ -579,8 +592,18 @@
> >      >      >>     receiver.
> >      >      >>
> >      >      >>     The metric value in the parent TLV is RECOMMENDED to
> >     be set to
> >      >      >> -   LSInfinity [RFC2328].  This recommendation only
> >     servers for
> >      >     debugging
> >      >      >> +   LSInfinity [RFC2328].  This recommendation only
> >     serves for
> >      >     debugging
> >      >      >>     purposes and does not impact the functionality.
> >      >      >> +---
> >      >      >> +jgs: Thanks for adding the additional explanation. I
> made a
> >      >     minor editing
> >      >      >> +correction in-line, but I also have a slightly more
> >     extensive
> >      >     revision to
> >      >      >> +suggest:
> >      >      >> +
> >      >      >> +NEW:
> >      >      >> +     This recommendation is provided as a network
> >     troubleshooting
> >      >      >> +     convenience; if it is not followed the protocol
> >     will still
> >      >      >> +     function correctly.
> >      >      >> +---
> >      >      >>
> >      >      >>     An OSPFv3 router receiving multiple OSPFv3 IP
> >     Algorithm Prefix
> >      >      >>     Reachability Sub-TLVs in the same parent TLV, MUST
> select
> >      >     the first
> >      >      >> @@ -932,13 +955,47 @@
> >      >      >>     This document inherits security considerations from
> >     [RFC9350].
> >      >      >>
> >      >      >>     This document introduces one additional way to
> >     disrupt Flexible
> >      >      >> -   algorithm based networks.  If the node that is
> >     authenticated
> >      >     is taken
> >      >      >> -   over by an attacker, such rogue node can advertise a
> >     prefix
> >      >      >> +   Algorithm based networks.  If a node that is
> >     authenticated
> >      >     is taken
> >      >      >> +   over by an attacker, such a rogue node can advertise
> >     a prefix
> >      >      >>     reachability for a particular IP Flexible-algorithm X
> >     while that
> >      >      >>     prefix has been advertised in algorithm Y.  This kind
> of
> >      >     attack makes
> >      >      >> -   the prefix unreachable.  Such attack is not
> >     preventable through
> >      >      >> +   the prefix unreachable.  Such an attack is not
> >     preventable
> >      >     through
> >      >      >>     authentication, and it is not different from
> >     advertising any
> >      >     other
> >      >      >>     incorrect information through IS-IS or OSPF.
> >      >      >> +---
> >      >      >> +jgs: Thanks for this. I think you should provide a
> >     reference to
> >      >      >> +illustrate what you're talking about, e.g. "This kind of
> >     attack
> >      >     makes
> >      >      >> +the prefix unreachable (to see why this is, consider, for
> >      >     example, the
> >      >      >> +rule given in the second-last paragraph of Section 6.1)".
> >      >      >> +
> >      >      >> +I see you cribbed the text from RFC 9350, which is not a
> >     bad idea
> >      >      >> +considering that was recently approved by the IESG so
> >      >     presumably they
> >      >      >> +like the look of it. But in that case, I think it would
> be a
> >      >     good idea
> >      >      >> +to copy the 9350 section more comprehensively. Something
> >     like this:
> >      >      >> +
> >      >      >> +   This document adds one new way to disrupt IGP
> >     networks that
> >      >     are using
> >      >      >> +   Flex-Algorithm: an attacker can suppress reachability
> >     for a
> >      >     given
> >      >      >> +   prefix whose reachability is advertised by a
> >     legitimate node
> >      >     for a
> >      >      >> +   particular IP Flex-Algorithm X, by advertising the
> same
> >      >     prefix in
> >      >      >> +   Flex-Algorithm Y from another, malicious node. (To
> >     see why
> >      >     this is,
> >      >      >> +   consider, for example, the rule given in the
> second-last
> >      >     paragraph of
> >      >      >> +   Section 6.1.)
> >      >      >> +
> >      >      >> +   This attack can be addressed by the existing security
> >      >     extensions, as
> >      >      >> +   described in [RFC5304] and [RFC5310] for IS-IS, in
> >     [RFC2328] and
> >      >      >> +   [RFC7474] for OSPFv2, and in [RFC4552] and [RFC5340]
> >     for OSPFv3.
> >      >      >> +
> >      >      >> +   If a node that is authenticated is taken over by an
> >      >     attacker, such a
> >      >      >> +   rogue node can perform the attack described above.
> >     Such an
> >      >     attack is
> >      >      >> +   not preventable through authentication, and it is not
> >      >     different from
> >      >      >> +   advertising any other incorrect information through
> >     IS-IS or
> >      >     OSPF.
> >      >      >> +
> >      >      >> +I was tempted to rewrite further (I was bugged that
> >     "node that is
> >      >      >> +authenticated" isn't a well-defined term) but I think the
> >      >     argument that
> >      >      >> +this text already passed IESG review recently, is pretty
> >      >     compelling, so
> >      >      >> +the above is just a minimal substitution into the RFC
> >     9350 security
> >      >      >> +considerations.
> >      >      >> +---
> >      >      >>
> >      >      >>  13.  Acknowledgements
> >      >      >>
> >      >      >>
> >      >      >>
> >      >      >>
> >      >      >>
> >      >      >
> >      >
> >      >     _______________________________________________
> >      >     Lsr mailing list
> >      > Lsr@ietf.org <mailto:Lsr@ietf.org> <mailto:Lsr@ietf.org
> >     <mailto:Lsr@ietf.org>>
> >      > https://www.ietf.org/mailman/listinfo/lsr
> >     <https://www.ietf.org/mailman/listinfo/lsr>
> >      >     <https://www.ietf.org/mailman/listinfo/lsr
> >     <https://www.ietf.org/mailman/listinfo/lsr>>
> >      >
> >
>

v2.23.0 | Report a Bug | By Email