IETF Logo Mail Archive

Re: [mpls] MPLS-RT review of draft-pdutta-mpls-tldp-hello-reduce-03

Eric Rosen <erosen@cisco.com> Mon, 23 July 2012 21:04 UTC

Return-Path: <erosen@cisco.com>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2914C11E80AE for <mpls@ietfa.amsl.com>; Mon, 23 Jul 2012 14:04:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oChKdkKVrlLD for <mpls@ietfa.amsl.com>; Mon, 23 Jul 2012 14:04:13 -0700 (PDT)
Received: from mtv-iport-1.cisco.com (mtv-iport-1.cisco.com [173.36.130.12]) by ietfa.amsl.com (Postfix) with ESMTP id 7708711E80A1 for <mpls@ietf.org>; Mon, 23 Jul 2012 14:04:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=erosen@cisco.com; l=2334; q=dns/txt; s=iport; t=1343077453; x=1344287053; h=to:cc:subject:in-reply-to:reply-to:date:message-id:from; bh=RzEgWkazrrbM9Q9Rze4OPZSmV9yMpVZ/PeM5+zzYEQ0=; b=MdBI8OUAOFXs2CnZbRnTRskwMrCbJbaTGaF9e2Vj+Fmo2IAoE5vgWm3t 07IYrs5VyBvUMZs9a8HtO6/LzREYDbbWZ44hYk38soKbFUdNNH4x+Dcut tbKKThbOs3Gjnz7oAeonoZt/aTEEh8ma6F9zwW9SpjtPrdkYcp59xFYaf M=;
X-IronPort-AV: E=Sophos;i="4.77,640,1336348800"; d="scan'208";a="49697185"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by mtv-iport-1.cisco.com with ESMTP; 23 Jul 2012 21:04:13 +0000
Received: from erosen-linux.cisco.com (erosen-linux.cisco.com [161.44.70.34]) by mtv-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id q6NL4Cal020625 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 23 Jul 2012 21:04:13 GMT
Received: from erosen-linux (localhost.localdomain [127.0.0.1]) by erosen-linux.cisco.com (8.13.8/8.13.8) with ESMTP id q6NL48Ro024257; Mon, 23 Jul 2012 17:04:09 -0400
To: "Dutta, Pranjal K (Pranjal)" <pranjal.dutta@alcatel-lucent.com>
In-reply-to: Your message of Mon, 23 Jul 2012 08:18:50 +0530. <C584046466ED224CA92C1BC3313B963E09F20ADE2E@INBANSXCHMBSA3.in.alcatel-lucent.com>
Date: Mon, 23 Jul 2012 17:04:08 -0400
Message-ID: <24256.1343077448@erosen-linux>
From: Eric Rosen <erosen@cisco.com>
Cc: "mpls@ietf.org" <mpls@ietf.org>, Giles Heron <giheron@cisco.com>, Thomas Nadeau <tnadeau@juniper.net>, "mpls-chairs@tools.ietf.org" <mpls-chairs@tools.ietf.org>
Subject: Re: [mpls] MPLS-RT review of draft-pdutta-mpls-tldp-hello-reduce-03
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: erosen@cisco.com
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mpls>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jul 2012 21:04:14 -0000

Pranjal> This draft does not change or violate procedures defined in RFC
Pranjal> 5036. It proposes an OPTIONAL method of reduction of "targeted'
Pranjal> hellos (only - as the name of the draft suggests) and the proposed
Pranjal> method is backward compatible with procedures defined in RFC
Pranjal> 5036. The method uses the hello timeout negotiation procedures as
Pranjal> per RFC 5036 without any changes in negotiation procedures.

If the draft does not change any of the procedures specified in RFC 5036,
and does not define any new procedures or messages either, then why is the
draft marked as "standards track"?  At best it would be "Informational".
But are you saying that all the draft really does is to suggest that a
particular parameter be set to a particular value?  That doesn't seem like
very much content.

Pranjal> The reduction of hellos provides probabilistically better
Pranjal> resiliency on maintenance of hello adjacency during sporadic DoS
Pranjal> attacks. Sporadic DoS attacks on UDP port 646 can result in loss of
Pranjal> "good" hello packets for certain period of time and thus leading to
Pranjal> loss of existing adjacencies.

If an attacker can send you UDP packets on port 646, why doesn't he make
them look like Hello packets specifying a short hold time?  That's a much
more effective attack than a "sporadic DoS attack".  In fact, if real Hellos
are not being sent at all, it just becomes easier to mount an attack with a
spoofed Hello.  An attacker could send a spoofed Hello with a hold time of 3
days, and the session would stay up for a few days and then fail
mysteriously, for no apparent reason.  An attack whose effects are not felt
until days later can be quite hard to deal with.  When the Hellos are sent
periodically, on the other hand, there is a self-correction mechanism that
prevents this.

If you want to reduce the targeted Hello load, it might be better to invent
a way (i.e., a protocol change) of turning them off entirely after the
session comes up, so that arriving Hellos are just discarded.  (

BTW, the draft asserts that the periodic Hellos have no value that is not
better served by either BFD or the LDP session keepalives.  I don't know
whether that's true, but it would be nice to see an argument with a little
more substance.

v2.23.0 | Report a Bug | By Email