Re: [MBONED] [Msr6] MSR6 BOF 3rd Issue Category: More details are requested about the large scale use cases, including issue 8-11

Toerless Eckert <tte@cs.fau.de> Thu, 03 November 2022 11:58 UTC

Date: Thu, 03 Nov 2022 12:58:08 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Dino Farinacci <farinacci@gmail.com>
Cc: Jeffrey Zhang <zzhang@juniper.net>, "Xiejingrong (Jingrong)" <xiejingrong=40huawei.com@dmarc.ietf.org>, BIER WG <bier@ietf.org>, "msr6@ietf.org" <msr6@ietf.org>, "mboned@ietf.org" <mboned@ietf.org>, "pim@ietf.org" <pim@ietf.org>
Message-ID: <Y2Os0EHIIq7Mtjie@faui48e.informatik.uni-erlangen.de>
References: <DDD735E2-0930-4CB8-8992-E3E74C715D16@gmail.com> <Y1a8+EK9qA2kKDBF@faui48e.informatik.uni-erlangen.de> <03B2B681-FE16-4961-8932-1F3F29932837@gmail.com> <0d2e78fefe9e4cef87c52493b7fefc80@huawei.com> <BL0PR05MB56528FCEF7FDE262F633A24FD4329@BL0PR05MB5652.namprd05.prod.outlook.com> <C10FBD6A-E651-49BB-B2EC-0C04FC966C4A@gmail.com> <Y1/nUmnoYQhTn7OO@faui48e.informatik.uni-erlangen.de> <15F231E4-1D93-4531-AEA1-B4DC06F25A69@gmail.com> <Y2HqfVIOKKeDfdF0@faui48e.informatik.uni-erlangen.de> <5A79421D-7843-4F60-9165-0A077FF2695A@gmail.com>
In-Reply-To: <5A79421D-7843-4F60-9165-0A077FF2695A@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mboned/HG707SWjTbqapsuk9rQgcVXOcfA>
Subject: Re: [MBONED] [Msr6] MSR6 BOF 3rd Issue Category: More details are requested about the large scale use cases, including issue 8-11

On Wed, Nov 02, 2022 at 03:11:45PM -0700, Dino Farinacci wrote:
> I'm not going to argue what has succeeded in the past or what has failed. They are subjective comments and are not productive for moving forward.
> 
> Removed text I'm not going to respond to.
> 
> My point was that its "easier to DoS attack a data-plane then a control-plane". I didn't make any other assertions about control-plane security.

Right, and that high-level assertion is also subjective IMHO.
And my high-level assertion is the opposite, and I tried to objectify
that assertion in my last email with a range of factual experiences.

Happy to learn about other means to better objectify our assertions.

> > MSDP was then (predictably ?) the first protocol that brought down
> > a good part of the Internet control plane when it was attacked UNINTENTIONAL:
> 
> This is simply not true. I was debugging such events at the time and the Internet was working or I wouldn't be able to debug it. ;-)

Hey, I said "a good part" ;-)

> > High level, you are arguing that control plane state is more trustworthy or
> > better controlled than packet header state, but IP multicast control plane state
> 
> No I am not. Its easier to get access to the data-plane by an ordinary user. So anyone can really attack the data-plane, and they might not even know it. I did not mention trust at all.

Every SP has packet-level filters for destination addresses used
for in-band management, and every router supports them at line rate.

Likewise, packet filters can/do filter unknown (extension) headers
just as easily, even if arguably consistent support may be less universal
across vendors.

How and how well routers' IGMP/MLD control planes are protected:
yes, I did see some of the protection commands trickle through
to other vendors after we'd implemented them first, but I'm pretty sure
I can still find enough vendors not doing all we know to be necessary.

Cheers
    Toerless

> Dino
> 

-- 
---
tte@cs.fau.de
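The two data-plane filters the mail above describes (dropping packets to in-band management destinations from untrusted sources, and dropping packets carrying an extension header or upper-layer protocol the operator does not recognise) can be modelled as a small header-walking policy check. The following is an added example written for this archive page; it is not code from the mail, the thread, or any router vendor. The prefixes, the set of "known" extension headers and the `build_packet` helper are constructed assumptions, and the packets it checks are built inline rather than captured. Real line-rate ACLs express the same decisions in vendor syntax, but walking the IPv6 header chain in code shows exactly what such a filter has to parse before it can decide.

```python
import ipaddress
import struct

# Constructed policy (assumption, documentation-range addresses, not a real SP's):
# destinations used for in-band management, and the sources allowed to reach them.
MGMT_PREFIXES = [ipaddress.ip_network("2001:db8:feed::/48")]
TRUSTED_SOURCES = [ipaddress.ip_network("2001:db8:1::/48")]

# Extension headers this filter understands and is willing to walk through.
# Anything else in the chain is treated as "unknown (extension) header".
KNOWN_EXT = {0: "HOPOPT", 43: "ROUTING", 44: "FRAGMENT", 60: "DSTOPTS"}
# Upper-layer protocols permitted once the chain has been walked.
ALLOWED_ULP = {6: "TCP", 17: "UDP", 58: "ICMPv6"}


def walk_ext_headers(pkt):
    """Walk the IPv6 extension-header chain.

    Returns (names_of_known_ext_headers, first_unknown_or_upper_layer_nh, offset).
    Raises ValueError for non-IPv6 or truncated input so the caller can drop it.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh = pkt[6]          # Next Header of the fixed header
    off = 40             # fixed IPv6 header is 40 octets
    chain = []
    while nh in KNOWN_EXT:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(KNOWN_EXT[nh])
        next_nh = pkt[off]
        if nh == 44:
            hlen = 8                      # Fragment header is fixed at 8 octets
        else:
            hlen = (pkt[off + 1] + 1) * 8  # Hdr Ext Len is in 8-octet units, excluding the first 8
        off += hlen
        nh = next_nh
    return chain, nh, off


def filter_packet(pkt):
    """Return ("permit"|"drop", reason) for one packet under the constructed policy."""
    src = ipaddress.ip_address(pkt[8:24])
    dst = ipaddress.ip_address(pkt[24:40])
    try:
        chain, ulp, _ = walk_ext_headers(pkt)
    except ValueError as e:
        return ("drop", f"malformed: {e}")
    if ulp not in ALLOWED_ULP:
        # Either an extension header we do not know or a disallowed upper-layer protocol.
        return ("drop", f"unknown next header {ulp} after {chain}")
    if any(dst in p for p in MGMT_PREFIXES) and not any(src in p for p in TRUSTED_SOURCES):
        return ("drop", f"untrusted source {src} to management address {dst}")
    return ("permit", f"{ALLOWED_ULP[ulp]} via {chain or 'no ext headers'}")


def build_packet(src, dst, ext_chain, ulp, payload=b""):
    """Construct a minimal IPv6 packet (assumption: helper for test input only).

    ext_chain is a list of Next Header values; each is emitted as a minimal 8-octet header.
    """
    nhs = list(ext_chain) + [ulp]
    body = b""
    for i, nh in enumerate(ext_chain):
        nxt = nhs[i + 1]
        if nh == 44:
            body += struct.pack("!BBHI", nxt, 0, 0, 0x1234)   # nh, reserved, offset/flags, id
        else:
            body += struct.pack("!BB", nxt, 0) + b"\x00" * 6  # nh, Hdr Ext Len 0 -> 8 octets
    body += payload
    hdr = struct.pack("!IHBB", 6 << 28, len(body), nhs[0], 64)  # ver/tc/flow, len, nh, hop limit
    return hdr + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + body


if __name__ == "__main__":
    samples = [
        ("trusted -> mgmt, TCP", build_packet("2001:db8:1::10", "2001:db8:feed::1", [], 6)),
        ("untrusted -> mgmt, TCP", build_packet("2001:db8:9::10", "2001:db8:feed::1", [], 6)),
        ("untrusted -> user, HBH+DSTOPTS+UDP", build_packet("2001:db8:9::10", "2001:db8:2::1", [0, 60], 17)),
        ("unknown ext header 253", build_packet("2001:db8:9::10", "2001:db8:2::1", [253], 6)),
        ("truncated chain", build_packet("2001:db8:9::10", "2001:db8:2::1", [0], 6)[:40]),
    ]
    for label, pkt in samples:
        print(f"{label:40s} -> {filter_packet(pkt)}")
```

The management-destination rule is the line-rate ACL every SP already runs; the "unknown next header" rule is the second point in the mail, and the truncated-chain case is why a filter that walks extension headers must fail closed rather than fall through to the upper-layer check.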