Re: [mpls] MPLS working group last call on draft-ietf-mpls-lsp-ping-relay-reply
"George Swallow (swallow)" <swallow@cisco.com> Tue, 23 June 2015 15:45 UTC
Return-Path: <swallow@cisco.com>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 897E61A8AE3 for <mpls@ietfa.amsl.com>; Tue, 23 Jun 2015 08:45:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cTVT0VU_03ov for <mpls@ietfa.amsl.com>; Tue, 23 Jun 2015 08:45:05 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E3E51A8AD7 for <mpls@ietf.org>; Tue, 23 Jun 2015 08:45:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5690; q=dns/txt; s=iport; t=1435074305; x=1436283905; h=from:to:subject:date:message-id:in-reply-to:content-id: content-transfer-encoding:mime-version; bh=j2iOp0xlx2UN8gZehu5qbPDxZzvRVEPz+UIhPNwbQ7E=; b=hq83CgSf27FcbTcW4PZ/9fExbGsgzViNHikxLiCbIfp38zgBkPKicoA3 pnFhJkIfLesULqMWBJocnxHoE+YWJZ9oBc/hTRcsN4xqiuEL42k9qu1xL qg0/LsiyA2hwbZvBliQ2ciVoY1cvtjzlWNqTQSBqqUDVy9CAfANtU30vV U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0C+AwBQfolV/4UNJK1bgxBUXwa9YAmBXAqFeAKBTDgUAQEBAQEBAYEKhCMBAQMBAQEBNzQdAQg2NwslAgQBEognCA3MYgEBAQEBAQEDAQEBAQEBAQEWBItKhDQBAVeEKwWRJIJbAYtQgTqEEIpqhCaDWyZjgSkcgVJvgQw6gQIBAQE
X-IronPort-AV: E=Sophos;i="5.13,666,1427760000"; d="scan'208";a="162121292"
Received: from alln-core-11.cisco.com ([173.36.13.133]) by alln-iport-5.cisco.com with ESMTP; 23 Jun 2015 15:45:04 +0000
Received: from xhc-aln-x11.cisco.com (xhc-aln-x11.cisco.com [173.36.12.85]) by alln-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id t5NFj4L5020579 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 23 Jun 2015 15:45:04 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.123]) by xhc-aln-x11.cisco.com ([173.36.12.85]) with mapi id 14.03.0195.001; Tue, 23 Jun 2015 10:45:03 -0500
From: "George Swallow (swallow)" <swallow@cisco.com>
To: "adrian@olddog.co.uk" <adrian@olddog.co.uk>, "lizho.jin@gmail.com" <lizho.jin@gmail.com>, 'loa' <loa@pi.nu>, 'mpls' <mpls@ietf.org>, 'mpls-chairs' <mpls-chairs@tools.ietf.org>, 'draft-ietf-mpls-lsp-ping-relay-reply' <draft-ietf-mpls-lsp-ping-relay-reply@tools.ietf.org>, 'db3546' <db3546@att.com>
Thread-Topic: [mpls] MPLS working group last call on draft-ietf-mpls-lsp-ping-relay-reply
Thread-Index: AQHQos6oZeAeuVI5fUetJ7xhFGg4eZ2xZOOAgAj9ZIA=
Date: Tue, 23 Jun 2015 15:45:03 +0000
Message-ID: <D1AEF47A.3B610%swallow@cisco.com>
In-Reply-To: <0cc101d0a92b$58745050$095cf0f0$@olddog.co.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.2.130206
x-originating-ip: [10.131.118.78]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <DAB02FAFCD4D4D4BA53499D17A9C720E@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/mpls/MlAkir7K8pJQN3XwL1W9y4HpopU>
Subject: Re: [mpls] MPLS working group last call on draft-ietf-mpls-lsp-ping-relay-reply
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jun 2015 15:45:07 -0000
Lizhong, Adrian - Inline - On 6/17/15 2:28 PM, "Adrian Farrel" <adrian@olddog.co.uk> wrote: >Lizhong, > >Apologies, I fumbled your response. > >I snipped out the stuff we agree on. > >> Thank you for the review. Please see my reply inline below. Correct me >> if other authors have different opinion. >> >> I will update the draft after the end of last call. > >>> Just being a good citizen and reviewing this I-D during WG last call. >>> I didn't have much time so I only found a number of nits most of which >>> are probably not significant. >>> --- >>> >>> idnits notes the presence of a pre-RFC5378 disclaimer. Do you really >>> need that? >>> [Lizhong] this may need the answer from chairs and AD. We only follow >>> the rules. > >If you are following the rules, that's fine. I think the rules are that >you only >need to include the disclaimer if text included in the document was >written >before the date of RFC 5378 and if at least one of the authors of the >text has >not given up their copyright as described in that RFC. GS> Sent mail giving up my rights. Need to get Tom as well. > >>> Section 4.1 >>> >>> The source UDP port field MUST be set >>> to the source UDP port. >>> >>> There is no "source UDP port" field. Perhaps the "Initiator Source >>>Port" >>> field? >>> >>> But also, this text is quite confusing. The text in 3.2 is much >>>clearer. >> [Lizhong] yes, should be: >> The source UDP port field MUST be set to the initiator source port. > >Hmmm, I think... > >"The Initiator Source Port field MUST be set to the source UDP port." GS> Agree. > >> [Lizhong] traceroute is not mandatory before ping. If operator has >>knowledge >> of the relay nodes, the initiator could directly send ping with Relay >>Node >> Address Stack TLV containing the already known relay nodes. > >That would make a valuable addition to 4.1, as well. GS> Indeed. One of the applications here is to trace only so that you can successfully ping. > >>> I tried to work out how things would pan out if two ASes on the path >>> used the same address space within their AS. Would an address appear in >>> the stack and seem to be routable when it is really an address in the >>> other AS? >> [Lizhong] we have an example in section 5. And address of P1 and P2 >>could be >> same. In that case, ASBR1 must adds its interface address facing ASBR2 >>with >> the K bit set. Then relay reply will not be miss-routed. > >Ah, I get it. >But this relies on ASBT1 setting the K bit. >So I suspect this needs to not be a special case: you need to require >that the >domain boundary always sets the K bit. GS> I made such a change awhile back. It got shot down on the list. There was push back due to the requirement for topological awareness within the LSP Ping module. Adrian - If you want to try pushing back on that, would you send a message to the list on just this topic and see if we can convince folks. > >>> The third case in 4.5 is when the receiver does not understand the TLV >>> and ignores it. In this case it will send an Echo Reply without itself >>> including the TLV. >> [Lizhong] the receiver is unable to send the Echo Reply, because it does >> know the destination IP address and UDP port number. So if the receiver >> could not understand the TLV, then the relay message will be dropped. > >Section 4.5 of 4379 says: > > The destination IP address and UDP port are copied from the > source IP address and UDP port of the echo request. > >That is what the legacy receiver will attempt to do. It doesn't matter >whether >the optional Relay Node Address Stack TLV is in the echo request message >or not, >the legacy node will follow 4379. So it *will* be able to respond. GS> Adrian - what you say about what the receiver will do is spot on. However, there is no guarantee that it will be routable back to the source >>> Section 6 should note that the new TLV provides a way for Echo Reply >>> messages to be diverted so that information can be collected. For >>> example, if a stack entry can be inserted, the Echo Reply messages can >>> be caused to transit another AS unrelated to the LSP under test. Since >>> the Echo Reply reveals path information about the LSP, this is a >>> valuable attack. Having said that, you can say how this TLV is >>> protected in the Echo Reply message. >> >> [Lizhong] Do you mean the new TLV could be used to collect path >>information >> unrelated to the LSP under test? This is not true. Only the node along >>the >LSP >> will add path information into the new TLV. The relay node in the new >>TLV >> will only relay the Echo Reply to the initiator, and will not add >>information >to >> the new TLV. > >I think you misunderstand how security attacks might work. Suppose I am >able to >do one of two things: >1. Modify the control plane code on a router that adds or processes a > Relay Node Address Stack TLV so that it adds a bogus entry to the > TLV. The prospect of modifications to control plane code is generally > considered to be so disastrous that it is just noted without any > further precautions (after all, if you can get at the control plane > code, you can make the routers do anything). >2. Intercept and modify a packet in transit. This is the main risk I am > talking about. GS> This is a good thing to include. Thanks for the review. George > >Cheers, >Adrian > >_______________________________________________ >mpls mailing list >mpls@ietf.org >https://www.ietf.org/mailman/listinfo/mpls
- [mpls] MPLS working group last call on draft-ietf… Loa Andersson
- Re: [mpls] MPLS working group last call on draft-… Adrian Farrel
- Re: [mpls] MPLS working group last call on draft-… lizho.jin@gmail.com
- [mpls] Closed - MPLS working group last call on d… Loa Andersson
- Re: [mpls] MPLS working group last call on draft-… lizho.jin@gmail.com
- Re: [mpls] MPLS working group last call on draft-… Adrian Farrel
- Re: [mpls] MPLS working group last call on draft-… lizho.jin@gmail.com
- Re: [mpls] MPLS working group last call on draft-… George Swallow (swallow)
- Re: [mpls] MPLS working group last call on draft-… George Swallow (swallow)
- Re: [mpls] MPLS working group last call on draft-… Loa Andersson
- Re: [mpls] MPLS working group last call on draft-… thomas nadeau
- Re: [mpls] MPLS working group last call on draft-… Loa Andersson
- Re: [mpls] MPLS working group last call on draft-… Lizhong Jin
- Re: [mpls] MPLS working group last call on draft-… Adrian Farrel
- Re: [mpls] MPLS working group last call on draft-… Adrian Farrel
- Re: [mpls] MPLS working group last call on draft-… lizho.jin@gmail.com