Re: [mpls] Kathleen Moriarty's Discuss on draft-ietf-mpls-entropy-lsp-ping-04: (with DISCUSS)

"Carlos Pignataro (cpignata)" <cpignata@cisco.com> Thu, 01 September 2016 03:05 UTC

From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Thu, 01 Sep 2016 03:04:41 +0000
Message-ID: <8F81FCBF-8233-4ECA-86DC-8B7D2981C04F@cisco.com>
References: <147249876362.19041.12556734351955536494.idtracker@ietfa.amsl.com>
In-Reply-To: <147249876362.19041.12556734351955536494.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mpls/67Nd_KYfR4Oi3DA6A4pUAQSyu_Y>
Cc: "draft-ietf-mpls-entropy-lsp-ping@ietf.org" <draft-ietf-mpls-entropy-lsp-ping@ietf.org>, The IESG <iesg@ietf.org>, "mpls@ietf.org" <mpls@ietf.org>, mpls-chairs <mpls-chairs@ietf.org>
Subject: Re: [mpls] Kathleen Moriarty's Discuss on draft-ietf-mpls-entropy-lsp-ping-04: (with DISCUSS)

Hi Kathleen,

> On Aug 29, 2016, at 3:26 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
> 
> Kathleen Moriarty has entered the following ballot position for
> draft-ietf-mpls-entropy-lsp-ping-04: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-mpls-entropy-lsp-ping/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> The description of what is added in this draft in the Security
> Considerations section is good, but aren't there additional security
> considerations (risks) with this addition?

Thanks for the review and question, see below.

> 
>  This document extends the LSP Ping and Traceroute mechanisms to
>   discover and exercise ECMP paths when an LSP uses ELI/EL in the label
>   stack.  Additional processing is required for responder and initiator
>   nodes.  The responder node that pushes ELI/EL will need to compute
>   and return multipath data including associated EL.  The initiator
>   node will need to store and handle both IP multipath and label
>   multipath information, and include destination IP addresses and/or
>   ELs in MPLS echo request packets as well as in multipath information
>   sent to downstream nodes. 
> 
> BTW, the above is a nice description that would have been nice to see
> sooner in the text.
> The draft then says:
> 
> This document does not itself introduce
>   any new security considerations.
> 
> Isn't there anything that should be said about risks with the extended
> capabilities to discover and exercise ECMP paths?  Does this help network
> reconnaissance?  Does it help attackers to have this additional
> information?  If it doesn't, please explain why and that will clear up
> this discuss or adding text would be good.

I think that sentence oversimplifies a bit. Even the additional processing can result in security considerations, although in this case it is quite incremental on top of the baseline existing processing of LSP Ping. We can clarify a bit.

Further, RFC 4379 already allows for a faster network reconnaissance with the DDMAP and tree trace functionality as compared to brute force exercising all paths, but it does not mention it. This does the same also for when there’s ELI/EL.

It really does not help attackers any other way.

We will add some text covering these two things.

Thanks!

— Carlos.

>  Thanks.