Re: [mpls] draft-ietf-mpls-lspping-norao-03 - Review

Gyan Mishra <> Tue, 03 October 2023 15:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A8266C180EB2 for <>; Tue, 3 Oct 2023 08:53:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id V5Uh5-5VCsYW for <>; Tue, 3 Oct 2023 08:53:49 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::833]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by (Postfix) with ESMTPS id 8B666C15107E for <>; Tue, 3 Oct 2023 08:53:49 -0700 (PDT)
Received: by with SMTP id d75a77b69052e-4181f8d82b9so7721141cf.0 for <>; Tue, 03 Oct 2023 08:53:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20230601; t=1696348428; x=1696953228;; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Oa9IYd82eJztoMLWevxJSLTpk9KsGVfSiU1WuhW3hsk=; b=httO5bQzs3U6i7mPNuj3xYbzSPY/4hlSkUjsP6TI0VFaqXLVbK7JiBwKA4S70SIiA2 /7rvLGhlAzVdEhw9OSJ9lj+iikRTDzmkEUwFVNIQV668gXH9cvf9rDuYBYGhzd9siXXg DOEvPP8lSRPuiSZPSgwb+ZYbt9x0eSceytSnS/X4OQVqFPngGplKWz7pIVuwbfyaC2rA MLllBNBINm+gGnI8eCgfF0WTmWeXT8J8q90j2GwAPNMy/EFxCao5sGNiaMa7U9PjXiyC Qxrw0E2dOrQaeEHyNso4vA1MRSc9FfGobyWJ1khvVw3ua3wLLzJDQ97M7aOg2aHfRDgP SWeA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20230601; t=1696348428; x=1696953228; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Oa9IYd82eJztoMLWevxJSLTpk9KsGVfSiU1WuhW3hsk=; b=NmZmUpknapPLrniiTswS61fLhHM80LQD86p+9XQJITS0WyVC8ClP3d1gBMmWnn24fr 9X3zF0RX5kshFeDzj1LDwgZFO6Uqzr8jTpdoHhPDdHlO8wkFryS8mD2Lv/xieRcJC/I7 wM2NFYhowo3s3uVPW4qH6Bvw2vttj8bv88xbULqbir3z/dIEAAsvAukt1vEq2Bf1wmuJ 0ybU2JuZIsMRqb+9xKxlZDAgxicPE1O5XmyLyOkhIQDf4nPyjdnEJa07ABgx3cbHyZqq Qab+pDkRhVlCIkIRLUdlNN9RwZrfumBkx3p7WGVmhh5Qplux18vxulNIaYI+zk7FnL76 4PSA==
X-Gm-Message-State: AOJu0YyK6drpr4bNnnlDXwB2f985s3oS0c2zZUz3BIVxlQwz1w8+6j7j EVGQeEtBnWn5M+0BQLELa2vC/OBbKRYCMQN/yLkJx9muuII=
X-Google-Smtp-Source: AGHT+IHiZ5ti+oHKEZm8cf45mnVhAZ0R3GncBkphzVD3Fnp1dIUhvIk6nELFHJHqbBdm5ozjZNsQuEW79qXYBXEPWI0=
X-Received: by 2002:ac8:7f55:0:b0:418:194a:f9fe with SMTP id g21-20020ac87f55000000b00418194af9femr19213006qtk.62.1696348428439; Tue, 03 Oct 2023 08:53:48 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Gyan Mishra <>
Date: Tue, 03 Oct 2023 11:53:37 -0400
Message-ID: <>
To: Greg Mirsky <>
Cc: mpls <>
Content-Type: multipart/alternative; boundary="0000000000007e13ea0606d1e5b1"
Archived-At: <>
Subject: Re: [mpls] draft-ietf-mpls-lspping-norao-03 - Review
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multi-Protocol Label Switching WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 03 Oct 2023 15:53:53 -0000

Hi Greg


Responses in-line Gyan2>

On Tue, Oct 3, 2023 at 5:46 AM Greg Mirsky <> wrote:

> Hi Gyan,
> thank you for the review and your helpful suggestions. Please find my
> notes below under the GIM>> tag.
> Regards,
> Greg
> On Tue, Oct 3, 2023 at 7:15 AM Gyan Mishra <> wrote:
>> Dear authors
>> Below is a review of this draft.
>> I think it would be good to explain what a controlled versus not
>> controlled environment is and could be a simple sentence of single
>> administrative domain versus inter domain over public Internet.
> GIM>> Would the following update in the Introduction make the text
> sufficiently clear:
>    Furthermore, [RFC6398] identifies security vulnerabilities associated
>    with the RAO in non-controlled environments, e.g., the case of using
>    the MPLS echo request/reply as inter-area OAM, and recommends against
>    its use outside of controlled environments.
>    Furthermore, [RFC6398] identifies security vulnerabilities associated
>    with the RAO in non-controlled environments, e.g., the case of using
>    the MPLS echo request/reply as inter-domain OAM over the public
>    Internet, and recommends against its use outside of controlled
>    environments, e.g., outside a single administrative domain.
     Gyan> Perfect

>> There are three options available for the LSP ping so as we are
>> deprecating the use of LSP ping with ROA both the link local and TTL=1
>> should be valid options.
> GIM>> As I understand the intent of IP/UDP encapsulation of MPLS echo
> request/reply messages, using the IP loopback address as the IP destination
> address serves as the exception mechanism. The TTL-based exception is used
> but for the MPLS underlay network.

Gyan2>  I think section 2.1 mentions those 3 options and that they are all
required to prevent route leaking past the egress LSR as defined in RFC
8029 which updates RFC 4379.  My understanding is that the link local
loopback is used in conjunction with TTL value to prevent the leaking of
packets beyond the egress LER and that is how it’s implemented by most
vendors example of link from Cisco and Juniper implementation both of which
don’t use RAO.   RFC 6424 talks about MPLS Ping and deprecation of DSMAP to
use DDMAP TLV which I think maybe relevant that with DDMAP TLV on the MPLS
Echo reply message and I believe with the DDMAP TLV the need for RAO
signaled in the control plane is not necessary.

>> RFC 5082 GTSM talks about TTL spoofing and that 255 is hard to spoof
>> opposed to TTL 1.  It maybe a good idea to mention that link local is the
>> recommendation and reasons why TTL 1 is not recommended option due to
>> spoofing.
> GIM>> It is not clear to me how a link-local address can be used in IP/UDP
> encapsulation of an MPLS echo request/reply message. Could you kindly give
> an example of the encapsulation?
     Gyan>. See the two links from Cisco and Juniper implementations.  See
RFC 8029 section 3.

>> This draft below on deprecating IPv6 RAO option goes into more detail and
>> reason why due to issue with HBH EH and RAO bring a HBH option makes it a
>> security risk to use HBH.  This draft has some more detail about control
>> plane and forwarding plane Figure 1 that could be applicable to LSP ping
>> RAO depreciation draft as well.
> GIM>> It seems like replicating information may not be the most efficient
> WoW.  I'll discuss with Ron plans for the work in 6man and if referencing
> it in the MPLS draft is useful.
>> Thank you
>> Gyan
>> _______________________________________________
>> mpls mailing list