Re: [mpls] MPLS-RT review of draft-bonica-mpls-self-ping

Ronald Bonica <rbonica@juniper.net> Fri, 13 March 2015 00:34 UTC

From: Ronald Bonica <rbonica@juniper.net>
To: "lizho.jin@gmail.com" <lizho.jin@gmail.com>, mpls-chairs <mpls-chairs@tools.ietf.org>, draft-bonica-mpls-self-ping <draft-bonica-mpls-self-ping@tools.ietf.org>, mpls-ads <mpls-ads@tools.ietf.org>
Cc: mpls <mpls@ietf.org>
Date: Fri, 13 Mar 2015 00:34:07 +0000
Subject: Re: [mpls] MPLS-RT review of draft-bonica-mpls-self-ping
Message-ID: <CO1PR05MB44255E38E0CB8D75B8B0B82AE070@CO1PR05MB442.namprd05.prod.outlook.com>
In-Reply-To: <201503122220311215427@gmail.com>
References: <54EC4776.5040402@pi.nu>, <2015031100220789189743@gmail.com>, <CO1PR05MB44294439D8B4C216054A1E5AE060@CO1PR05MB442.namprd05.prod.outlook.com> <201503122220311215427@gmail.com>
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/mpls/CnKrOm5HHywbcHPNXvbVebbg__A>

Lizhong,

I think that we are misunderstanding each other’s words.

RFC 6335 divides UDP ports into the following ranges:

- Well-known (0-1023)
- User (1024-49151)
- Dynamic (49152-65535)

The draft says that the UDP source and destination ports will be selected from the dynamic range. It *does not* say that UDP port numbers will be selected dynamically.

When writing the draft, I was assuming that a typical implementation selects a port from the dynamic range and sends all MPLS Self-ping traffic to that port. Therefore, the user could provision an ACL for that port.

I *was not* assuming that the application would select a different port each time that it ran MPLS-ping. This would make it very difficult to ACL MPLS Self-ping traffic.

If you like, I can make that assumption explicit in the draft.

                                                                 Ron


From: lizho.jin@gmail.com [mailto:lizho.jin@gmail.com]
Sent: Thursday, March 12, 2015 10:21 AM
To: Ronald Bonica; mpls-chairs; draft-bonica-mpls-self-ping; mpls-ads
Cc: mpls
Subject: RE: MPLS-RT review of draft-bonica-mpls-self-ping


For section 6, originally the ingress could identify the LSP ping packet by its well-known UDP port and configure an ACL rule to reduce the risk of attack. But now it is more difficult to filter the packet with an access list, which may increase the risk.

Lizhong,

Implementations know the port(s) on which they send MPLS Self-ping traffic. They can configure ACLs on that port or those ports. ACLs can protect dynamic ports, so long as they are predictable.

[Lizhong] Yes, it is possible to install ACL rules every time MPLS self-ping is initiated. That is different from the original implementation, which is a static ACL rule with a well-known port. So it is better to describe how to reduce the risk of DoS if MPLS self-ping is implemented.

Lizhong

                                                                    Ron
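The distinction Ron draws above, "a port from the dynamic range" versus "a port chosen dynamically", is what decides whether a static ACL can protect Self-ping traffic. The following is an added example written for this archive page; it is not code from the draft or from any router implementation. It classifies ports by the RFC 6335 ranges listed in the message, models an ingress LSR that sources Self-ping packets to its own address (as the draft describes), and evaluates a single provisioned ACL rule against both port strategies. The class and function names (`SelfPingIngress`, `Acl`, `Packet`, `demo`), the port 55000, and the addresses 192.0.2.1 and 198.51.100.9 are hypothetical; the attacker packet is constructed for the demonstration.

```python
"""Port selection and ACL filtering for MPLS Self-ping traffic.

Added example for the thread above; not code from the draft or from any
router implementation. It contrasts the strategy the draft author assumed
(one port chosen once from the RFC 6335 dynamic range, then reused) with a
per-run ephemeral port, and shows which one a static ACL can protect.
Names, the port number and the addresses below are hypothetical.
"""
from dataclasses import dataclass, field
import ipaddress

# RFC 6335 ranges as listed in the message above.
WELL_KNOWN = range(0, 1024)
USER = range(1024, 49152)
DYNAMIC = range(49152, 65536)


def port_range(port: int) -> str:
    """Name the RFC 6335 range a UDP port falls in."""
    if port in WELL_KNOWN:
        return "well-known"
    if port in USER:
        return "user"
    if port in DYNAMIC:
        return "dynamic"
    raise ValueError(f"not a 16-bit port number: {port}")


@dataclass(frozen=True)
class Packet:
    src: str    # IP source address
    dst: str    # IP destination address
    proto: str  # always "udp" here
    dport: int  # UDP destination port


@dataclass
class Acl:
    """Static permit list of (source prefix, protocol, dport); anything else drops."""
    rules: list = field(default_factory=list)

    def permit(self, src_prefix: str, proto: str, dport: int) -> None:
        self.rules.append((ipaddress.ip_network(src_prefix), proto, dport))

    def evaluate(self, pkt: Packet) -> str:
        src = ipaddress.ip_address(pkt.src)
        for net, proto, dport in self.rules:
            if src in net and pkt.proto == proto and pkt.dport == dport:
                return "accept"
        return "drop"


class SelfPingIngress:
    """Ingress LSR sourcing Self-ping echoes addressed to itself.

    IP source and destination are both the ingress address, as in the draft:
    the egress simply routes the packet back to the ingress.
    """

    def __init__(self, address: str, fixed_port: int):
        # Check a practitioner would want: the provisioned port must really
        # sit in the dynamic range, or it may collide with an assigned service.
        if fixed_port not in DYNAMIC:
            raise ValueError(f"port {fixed_port} is outside the dynamic range")
        self.address = address
        self.fixed_port = fixed_port       # chosen once, reused for every run
        self._ephemeral_next = fixed_port  # counter for the per-run strategy

    def send_fixed(self) -> Packet:
        """Strategy the draft author assumed: one predictable port."""
        return Packet(self.address, self.address, "udp", self.fixed_port)

    def send_ephemeral(self) -> Packet:
        """Strategy NOT assumed: a fresh dynamic port on every run (OS-style counter)."""
        self._ephemeral_next = DYNAMIC.start + (
            self._ephemeral_next + 1 - DYNAMIC.start) % len(DYNAMIC)
        return Packet(self.address, self.address, "udp", self._ephemeral_next)


def demo(runs: int = 20) -> dict:
    """Provision one static ACL for the fixed port and test both strategies."""
    ingress = SelfPingIngress("192.0.2.1", 55000)
    acl = Acl()
    acl.permit("192.0.2.1/32", "udp", ingress.fixed_port)  # provisioned once

    fixed_ok = sum(acl.evaluate(ingress.send_fixed()) == "accept" for _ in range(runs))
    ephemeral_ok = sum(acl.evaluate(ingress.send_ephemeral()) == "accept" for _ in range(runs))
    # Constructed attacker packet: remote source aimed at the Self-ping port.
    spoof = Packet("198.51.100.9", "192.0.2.1", "udp", ingress.fixed_port)
    return {
        "fixed_accepted": fixed_ok,                # every run matches the one rule
        "ephemeral_accepted": ephemeral_ok,        # ports 55001.. never match it
        "attacker_verdict": acl.evaluate(spoof),   # wrong source prefix, dropped
    }


if __name__ == "__main__":
    print(demo())
```

With the fixed port, all twenty runs pass the single rule and the remote packet is dropped; with a per-run port, the same rule matches none of them, which is the operational problem Lizhong raises. Two caveats the model makes visible: the accept rule is keyed on the ingress's own address, so it only helps against a remote attacker if the network also does source-address filtering (otherwise a spoofed 192.0.2.1 source passes), and rate-limiting the accepted flow is still worth adding, since even legitimate-looking Self-ping traffic can be replayed toward that port.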