Re: [MBONED] Mail regarding draft-tissa-pim-mcastoam
"Tissa Senevirathne (tsenevir)" <tsenevir@cisco.com> Wed, 21 March 2012 02:50 UTC
Return-Path: <tsenevir@cisco.com>
X-Original-To: mboned@ietfa.amsl.com
Delivered-To: mboned@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFAA421E8050 for <mboned@ietfa.amsl.com>; Tue, 20 Mar 2012 19:50:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.611
X-Spam-Level:
X-Spam-Status: No, score=-7.611 tagged_above=-999 required=5 tests=[AWL=1.322, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, SARE_FWDLOOK=1.666]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FHaJzzMPHC+m for <mboned@ietfa.amsl.com>; Tue, 20 Mar 2012 19:50:17 -0700 (PDT)
Received: from mtv-iport-2.cisco.com (mtv-iport-2.cisco.com [173.36.130.13]) by ietfa.amsl.com (Postfix) with ESMTP id C4E0021E801A for <mboned@ietf.org>; Tue, 20 Mar 2012 19:50:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=tsenevir@cisco.com; l=5011; q=dns/txt; s=iport; t=1332298217; x=1333507817; h=mime-version:content-transfer-encoding:subject:date: message-id:in-reply-to:references:from:to; bh=n3N0AfJyw22RSgk5EzB8d0mbUs2vt4f6Kb6ers4n4mI=; b=bDbq/ptB0nboZto/by/KETlbKG/MLss+Bh16i2TAI7fo5UTA3LO7ZGFN eq1V7o+YgTzrF8jNPxfUSNj+GtuB6bwhD7bRbnQErTJFySZDsjAeCVrte jiQhhx2XoXZU5iz7Hj8KMZ5OD9F0eaBkroRsE9qB92ZW4W42jY1gkdouO U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EANlAaU+rRDoJ/2dsb2JhbABEtnSBB4IJAQEBAwESAR0KDzUHBAIBCA4DBAEBCwYXAQYBRQkIAQEEARIIAQsOh2MEDJd3nymKXQSFPWMEiFabR4FogweBNAEGAQ
X-IronPort-AV: E=Sophos;i="4.73,621,1325462400"; d="scan'208";a="36993657"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by mtv-iport-2.cisco.com with ESMTP; 21 Mar 2012 02:50:17 +0000
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by mtv-core-4.cisco.com (8.14.3/8.14.3) with ESMTP id q2L2oHLU015159; Wed, 21 Mar 2012 02:50:17 GMT
Received: from xmb-sjc-214.amer.cisco.com ([171.70.151.145]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.4675); Tue, 20 Mar 2012 19:50:17 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 20 Mar 2012 19:50:16 -0700
Message-ID: <344037D7CFEFE84E97E9CC1F56C5F4A5D0FBE7@xmb-sjc-214.amer.cisco.com>
In-Reply-To: <13205C286662DE4387D9AF3AC30EF456D768745B27@EMBX01-WF.jnpr.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Mail regarding draft-tissa-pim-mcastoam
Thread-Index: Ac0GG/Iw6vtXBbrBTxGWarf6ZPOOwwAKaTBQABgLJlAAGOsz8A==
References: <13205C286662DE4387D9AF3AC30EF456D768745564@EMBX01-WF.jnpr.net> <344037D7CFEFE84E97E9CC1F56C5F4A5C80039@xmb-sjc-214.amer.cisco.com> <13205C286662DE4387D9AF3AC30EF456D768745B27@EMBX01-WF.jnpr.net>
From: "Tissa Senevirathne (tsenevir)" <tsenevir@cisco.com>
To: Ronald Bonica <rbonica@juniper.net>, draft-tissa-pim-mcastoam@tools.ietf.org, mboned@ietf.org
X-OriginalArrivalTime: 21 Mar 2012 02:50:17.0279 (UTC) FILETIME=[59008CF0:01CD070D]
Subject: Re: [MBONED] Mail regarding draft-tissa-pim-mcastoam
X-BeenThere: mboned@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mail List for the Mboned Working Group <mboned.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mboned>, <mailto:mboned-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mboned>
List-Post: <mailto:mboned@ietf.org>
List-Help: <mailto:mboned-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mboned>, <mailto:mboned-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Mar 2012 02:50:19 -0000
Hi Ron I presume you are agreeing with use case and need to have ability perform proper multicast data-pane OAM without having to log in to or running agents on End hosts. Which can be administratively prohibitive in some deployments Please see specific comments in-line -----Original Message----- From: Ronald Bonica [mailto:rbonica@juniper.net] Sent: Tuesday, March 20, 2012 7:51 AM To: Tissa Senevirathne (tsenevir); draft-tissa-pim-mcastoam@tools.ietf.org; mboned@ietf.org Subject: RE: Mail regarding draft-tissa-pim-mcastoam Hi Tissa, Comments inline..... > > 1) Backwards compatibility - Hosts running legacy software will not > parse the new extension. They will respond to the ICMP Echo regardless > of how it was scoped by the extension. So, the sender will not be > protected from a barrage of responses. > > > [Answer] Agreed, however draft is provided as a forward looking > approach. Based on the progress of the draft and comments on the > usefulness of the mcast-oam tools we are planning to contribute to > Linux open source both RFC4884 extensions and extensions proposed in > this document. Currently, we don't send ICMP echoes to multicast groups because we may receive more responses than we can handle. [Answer] All OS and routers that I know allow to send ICMP echo requests to multicast addresses, and happily respond to them when the multicast group is registered. Now assume that your draft becomes an RFC and you contribute the code to LINUX. At some future date, multiple OS vendors will implement your feature. At some date after that, the user community will upgrade their systems and your feature will be widely deployed. At that time, it will be safe to send an ICMP Echo to a multicast group. But when will that be? The only way to be certain is to give it a try! Since this is the case, you might want to add some text to your draft concerning what the consequences might be if you try it too soon. [Answer] Like you pointed out earlier this caveat is present as we type and exchange these emails. We are not making any worst. We can make better the situation by mandating implementations complying to this standard to specifically implement ICMP rate limiting for both in-bound request, and response. Most platforms today have protections against Ping of Death attack. I honestly believe that is sufficient to protect against. > > 2) ICMP Behavior - In your draft, the ICMP Echo elicits a response > from all receivers and intermediate routers. Currently, routers do not > respond unless they are also receivers. Are you recommending that the > router should both process the PING message (as a receiver) and > forward it (as a router)? > > > [Answer] We are not expecting routers to respond to ping of receiver > detection. However, as indicated in section 3.3.1 of the draft, for > messages that need to discover routers performing different roles, we > generate the message with router alert bit set, hence letting each > router in the data plane to receive a copy of the discovery OAM > messages. Please see RFC 6398 (BCP 168). Specifically, take a look at Section 4. [Answer] RAO bit used for multicast roles discovery, this is normally done from the devices within the trusted domain. As explained in RFC 6398 section 4.2.1 this falls in to the controlled enviorement. Additionally Section 5 of RFC 6398 explains proposals on how to properly utilize RAO, with dynamic rate limiting of packets with RAO set etc.. Thanks for pointing out, we can under security section mandate implementations to comply with the requirements of Section 5. > > 3) Security considerations - Could multicast PINGs be used as a DoS > vector? In particular, what happens if the multicast source pings a > group that has many, many receivers. The PING specifies a spoofed > source address and is scoped to 0.0.0.0/0. > > In all fairness, this condition exists today. > > [Answer] Like you indicated you can do the same as of today, however, > we strongly recommend platforms implementing this feature to rate > limit receipt of such multicast ICMP packet to the CPU or even in the > data plane itself. Rate limiting inbound ICMP on the host that generates the ping won't help. That host isn't the victim. [Answer] Rate limiting can be done on both directions, in which we mean that both at the request packets and response packets > > 4) ICMP Syntax - The ICMP Echo / Response messages are not extensible. > See RFC 4884, Section 4 for details. > > [Answer] Yes as of RFC4884 it is not extensible, we are planning to > use draft-shen-traceroute-ping-ext-04, which allow to extend ICMP Echo > request messages That much better! Ron > > > -------------------------- > Ron Bonica > vcard: www.bonica.org/ron/ronbonica.vcf >
- [MBONED] Mail regarding draft-tissa-pim-mcastoam Ronald Bonica
- Re: [MBONED] Mail regarding draft-tissa-pim-mcast… Tissa Senevirathne (tsenevir)
- Re: [MBONED] Mail regarding draft-tissa-pim-mcast… Ronald Bonica
- Re: [MBONED] Mail regarding draft-tissa-pim-mcast… Tissa Senevirathne (tsenevir)
- Re: [MBONED] Mail regarding draft-tissa-pim-mcast… Ronald Bonica
- Re: [MBONED] Mail regarding draft-tissa-pim-mcast… Ronald Bonica
- Re: [MBONED] Mail regarding draft-tissa-pim-mcast… Tissa Senevirathne (tsenevir)
- Re: [MBONED] Mail regarding draft-tissa-pim-mcast… Stig Venaas