Re: [Lsr] AD review of draft-ietf-lsr-isis-area-proxy-09
Tony Li <tony.li@tony.li> Thu, 07 December 2023 20:45 UTC
Return-Path: <tony1athome@gmail.com>
X-Original-To: lsr@ietfa.amsl.com
Delivered-To: lsr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F41F1C090376 for <lsr@ietfa.amsl.com>; Thu, 7 Dec 2023 12:45:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.506
X-Spam-Level:
X-Spam-Status: No, score=-1.506 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1fUOaGsKj2TC for <lsr@ietfa.amsl.com>; Thu, 7 Dec 2023 12:45:33 -0800 (PST)
Received: from mail-pf1-x433.google.com (mail-pf1-x433.google.com [IPv6:2607:f8b0:4864:20::433]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 949E0C090365 for <lsr@ietf.org>; Thu, 7 Dec 2023 12:45:33 -0800 (PST)
Received: by mail-pf1-x433.google.com with SMTP id d2e1a72fcca58-6ce6d926f76so839618b3a.1 for <lsr@ietf.org>; Thu, 07 Dec 2023 12:45:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1701981933; x=1702586733; darn=ietf.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:sender:from:to:cc:subject :date:message-id:reply-to; bh=+G2iAXTU5LYZkHG/X902btmzsczQiJRTcFKhR+ehd/M=; b=R1ZzZWFpaDSYJZyDLj8Jq0i82MMB88ueBWdIHQt5QHFu05R0aGi6CpeJgyksR4PbN+ /YkVadRgXXE4TH9rFMy24ZUw78DWv3s4yOpoCrUd4RS/LBgcqFPpX76jV/UK3bMzLETl Md2WtBbxgOWwYQh8EbH07kb2MkiTsaVl1zQBlCjCx1hdrK6dWEBJvGPIrGokHVExDmUl j3EEzRxYE+O0GQhBocd2d+HLpy9Pu1JrD468/7DwuYv3Gv6LDdS+BBfIqdosoUE8bbBC /vshGD0tUY8FQg0XNcS/nenG0O1VoUuO7IdIPIkRAm974LjVewKCQOL2YBw/xydSW6FS XbKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701981933; x=1702586733; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:sender:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=+G2iAXTU5LYZkHG/X902btmzsczQiJRTcFKhR+ehd/M=; b=MG6SJtJQf4GloMqvaA7dt1i/005g9SiHXAp2GNUlYqltB7bW0aWZN4VXNzMpL+CCN2 yK1fd7eypZAYk+GBa4VmvH5XEaE1vOjb9MNdbL75rXj6ylFuHx8zFgvAPzdeA6j25kaZ PFTmkcFMFK4siWEyol9voBVcfnQkMQC3yr1IYRHO/G7w0IhowOHOYKx2R92p/MXhbJe7 g+gN86DXAw1AZKtxM6Kdc4+Wz9Krvt473G/kto0hTnisz2QQc75U3kRR/EM4TtllR3u0 ilH6Jpc+3oDl0aMrLuLogkpkNcVVhVsMNyB5orI+44Fj3DAwGBZVoabxSpO9t/XEiqMG IjqQ==
X-Gm-Message-State: AOJu0YwjlVO/Ykbrxmvgkcvh37aHt0McfqG2o5BvUTQNd51hKC3sCVNG fU0drQJIb9Q5x925wM5Zhhw=
X-Google-Smtp-Source: AGHT+IH7xcqmVeOCpfJfytvs6M4UiNF+C9o0oohsV/wck7+/t5dQUUkimi57Jxiv3jYCERJYwJHgZA==
X-Received: by 2002:a05:6a20:7da9:b0:18f:354f:58c2 with SMTP id v41-20020a056a207da900b0018f354f58c2mr3387587pzj.44.1701981932859; Thu, 07 Dec 2023 12:45:32 -0800 (PST)
Received: from smtpclient.apple (c-73-158-206-100.hsd1.ca.comcast.net. [73.158.206.100]) by smtp.gmail.com with ESMTPSA id h66-20020a636c45000000b005b9288d51f0sm200824pgc.48.2023.12.07.12.45.31 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 Dec 2023 12:45:32 -0800 (PST)
Sender: Tony Li <tony1athome@gmail.com>
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.200.91.1.1\))
From: Tony Li <tony.li@tony.li>
In-Reply-To: <C6B09B8A-A2E7-4776-A56B-62D93487498C@juniper.net>
Date: Thu, 07 Dec 2023 12:45:20 -0800
Cc: Sarah Chen <sarahchen@arista.com>, Vivek Ilangovan <ilangovan@arista.com>, Gyan Mishra <gyan.s.mishra@verizon.com>, lsr <lsr@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9B030F23-558C-4F5D-BE33-AFD221279AF0@tony.li>
References: <C6B09B8A-A2E7-4776-A56B-62D93487498C@juniper.net>
To: John Scudder <jgs@juniper.net>
X-Mailer: Apple Mail (2.3774.200.91.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lsr/xIBSCGENJAuPHquywuPvt-oItIE>
Subject: Re: [Lsr] AD review of draft-ietf-lsr-isis-area-proxy-09
X-BeenThere: lsr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Link State Routing Working Group <lsr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lsr>, <mailto:lsr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lsr/>
List-Post: <mailto:lsr@ietf.org>
List-Help: <mailto:lsr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lsr>, <mailto:lsr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Dec 2023 20:45:38 -0000
Hi John, Thank you for your comments and suggestions. I’m incorporating most of them and only responding to ones that warrant further discussion. > ++--- > +jgs: I suggested changing 'should' to 'will' for two reasons. First, > +and less important, there's the annoying risk of conflation with the > +RFC 2119 SHOULD. Second, and more important, I think what you're > +saying is that by using the proxy system ID, as a matter of course > +this is what will happen. "Should" makes it sound like maybe it will > +happen, maybe it won't. But in fact, if the outside edge routers do > +anything other than what you've written, that would be a protocol > +error, wouldn't it? > ++--- Yes, it would. I’m fine with the wording change. > @@ -302,14 +315,23 @@ > value of the SRGB advertised by all Inside Nodes MUST start at the > same value. The range advertised for the area will be the minimum of > all Inside Nodes. > ++--- > +jgs: shouldn't the document say something about what to do if > +either one of the MUST requirements isn't met? > ++--- If either is not met, it would be a protocol error and major malfunctions will occur. The network manager should remedy the problem. I’m not sure that needs to be called out. If you’re suggesting that implementations should complain if those constraints are not met, we did not specify that as that would require a walk through the LSDB that is not otherwise required. > @@ -533,6 +559,16 @@ > Flags: 1 octet. > > SID/Index/Label: as defined in [RFC8667] Section 2.1.1.1 > ++--- > +jgs: I'm not very happy with this definition for the field. I realize > +it was copied verbatim from RFC 8667, I've started a discussion with > +the authors of that RFC, > +https://mailarchive.ietf.org/arch/msg/lsr/56_LEEZvHDHrnkC98f7BtpOkkY0/ > + > +Perhaps cite RFC 8667 section 2.1 instead. It's at least equally, and > +arguably more correct, and if there is an erratum it could benefit > +from that. > ++--- Per our private discussion, I’ve left this unchanged. I believe that amending the title of 2.1.1.1 is both necessary and sufficient. I propose: “V-Flag, L-Flag, and the SID/Index/Label Field”. > ++--- > +jgs: of greater concern, I'm wondering why you've elected to use > +SHOULD and not MUST in many of the subsections. Is it the case that > +for each field specified as SHOULD, if any or all of these are > +omitted, the protocol will still operate correctly and usefully? > +Is it the case for each field specified as SHOULD, the authors think > +there are plausible circumstances under which the right thing would be > +to omit the relevant field? > ++--- A combination of things: first, omitting any one of them will not break things syntactically or from a protocol or feature semantics perspective. However, they may be required from a network architecture perspective in some circumstances and may become a scalability barrier in different circumstances. It seems like implementations may want to exhibit some latitude here. > @@ -644,6 +701,28 @@ > If the inside area supports Traffic Engineering (TE), the Area Leader > SHOULD copy TE related sub-TLVs [RFC5305] Section 3 to each Extended > IS Reachability TLV in the Proxy LSP. > ++--- > +jgs: what is 4.4.4 and 4.4.5 are specified as MAY. According to the RFC > +2119 definition of MAY, > + > +5. MAY This word, or the adjective "OPTIONAL", mean that an item is > + truly optional. > + [etc] > + > +That means it would be considered completely reasonable and OK for > +the area leader to omit both the IS neighbors TLV and end the extended > +IS neighbors TLV. Would the protocol still function correctly and > +usefully if both of those TLVs were omitted from the Proxy LSP? Seems > +as though it wouldn't. > + > +I think probably what is going on here is that you're trying to say > +that ordinarily, only one or the other would be expected, not both. > +The RFC 2119 keywords seem like a poor fit for expressing this. This > +seems like a good time to remind you that it's not mandatory to use > +RFC 2119 keywords, and in cases like these where they hinder, > +rather than help, clarity, it's worth considering whether you should > +rewrite the affected text without relying on them. > ++--- Yes, we would expect one and not both. There’s a sentence that even says that. We intentionally selected 2119 keywords because we wanted to explicitly say what is permissible. Again, the protocol would work syntactically and semantically if things are omitted, but not meet network architectural requirements. Additionally, we did not want to preclude filtering, so we did not think that ‘MUST’ was called for. > @@ -754,6 +846,15 @@ > If the inside area supports SRv6, the Area Leader SHOULD copy all > SRv6 locator TLVs [I-D.ietf-lsr-isis-srv6-extensions] advertised by > Inside Routers to the Proxy LSP. > ++--- > +jgs: Really? Isn't this tantamount to saying, advertise at least one > +route for every IS in the area, which kind of seems detrimental to the > +scaling goals? It also seems a little contrary to the model of > +representing the area as if it were a single router. > ++--- I welcome alternative text that says something more intelligent. From my naive understanding, it seems like it’s all or nothing and anyone using SRv6 isn’t going to settle for nothing. > @@ -820,6 +921,10 @@ > which supports the proxy function. The normal system id of the > Inside Edge Router MUST NOT be used as it will cause unnecessary > adjacencies to form and subsequently flap. > ++--- > +jgs: I get why the normal system ID shouldn't be used, but I don't > +get why it would cause adjacency flapping? > ++--- Ok, that’s not worth arguing about, comment withdrawn. > @@ -914,6 +1019,23 @@ > within a domain is already addressed as part of the routing protocols > themselves. This document proposes no changes to those security > architectures. > ++--- > +jgs: I'm not convinced this extension doesn't introduce any new attack > +surfaces. For instance, a single compromised inside router can disable > +the proxy functionality for the entire area by withdrawing its area > +proxy router capability. That seems like a fairly bad attack, since it > +takes the entire area off the air in effect... a case of a single bad > +router spoiling a whole barrel, er, area. A related one is the > +compromised router could announce and withdraw the area proxy router > +capability repeatedly, with a period just slightly greater than the > +delay mentioned in S. 4.3.1. Again, the functionality specified here > +amplifies the gravity of the attack compared to what a single router > +could do otherwise. > + > +This isn't so much a request for you to address this specific attack > +(although that, too) as it is to think a little bit harder about what > +new attack surfaces may have been introduced. > ++— Unless you want to get into byzantine correctness (ob. ref. Radia) of link state protocols, any compromised router can take down the entire network, either by withholding vital information, advertising bad information, sending too much information, or flapping information. The exact syntax isn’t particularly relevant. We traditionally have not asked implementations to address these attacks and to do so would be extremely challenging without taking on the byzantine correctness problem. Without those approaches, our security architecture is wholly dependent on the integrity of the implementations plus the authentication mechanisms that we’ve defined. Those are the hard crunchy shell around the remaining soft gooey interior. The fact that we’re creating new mechanisms that could be used to break things only adds to the gooey interior and in no way compromises our shell. Yes, I realize that this is not an optimal situation, but until someone can design a lightweight link state protocol that exhibits some kind of defense in depth, it’s our reality. Regards, Tony