Re: [mpls] Stephen Farrell's No Objection on draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15: (with COMMENT)
Gregory Mirsky <gregory.mirsky@ericsson.com> Thu, 19 November 2015 14:44 UTC
Return-Path: <gregory.mirsky@ericsson.com>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D15931B2AA9; Thu, 19 Nov 2015 06:44:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.201
X-Spam-Level:
X-Spam-Status: No, score=-104.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0rh46CXr_M7J; Thu, 19 Nov 2015 06:44:47 -0800 (PST)
Received: from usevmg21.ericsson.net (usevmg21.ericsson.net [198.24.6.65]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56C941B2AB2; Thu, 19 Nov 2015 06:44:47 -0800 (PST)
X-AuditID: c6180641-f792c6d00000686a-da-564d72285dbd
Received: from EUSAAHC006.ericsson.se (Unknown_Domain [147.117.188.90]) by usevmg21.ericsson.net (Symantec Mail Security) with SMTP id 50.3D.26730.8227D465; Thu, 19 Nov 2015 07:54:32 +0100 (CET)
Received: from EUSAAMB103.ericsson.se ([147.117.188.120]) by EUSAAHC006.ericsson.se ([147.117.188.90]) with mapi id 14.03.0248.002; Thu, 19 Nov 2015 09:44:45 -0500
From: Gregory Mirsky <gregory.mirsky@ericsson.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
Thread-Topic: Stephen Farrell's No Objection on draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15: (with COMMENT)
Thread-Index: AQHRImHY5+v//ckBgESjvywcna6X7Z6isj1QgAD7KwD//7ncwA==
Date: Thu, 19 Nov 2015 14:44:44 +0000
Message-ID: <7347100B5761DC41A166AC17F22DF1122194416C@eusaamb103.ericsson.se>
References: <20151119003257.1445.91117.idtracker@ietfa.amsl.com> <7347100B5761DC41A166AC17F22DF11221942DFE@eusaamb103.ericsson.se> <564DD02A.6020500@cs.tcd.ie>
In-Reply-To: <564DD02A.6020500@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [147.117.188.11]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprOIsWRmVeSWpSXmKPExsUyuXRPlK5GkW+YQdcmXYvjVwstrq0+wGIx 489EZot1l0+xWdxaupLV4u+KKywW0/deY3dg91jbfZXNY8mSn0we15uusgcwR3HZpKTmZJal FunbJXBlnLq4nrVghkPF3ombWBoYj9h1MXJwSAiYSDz+qtzFyAlkiklcuLeerYuRi0NI4Aij xIv221DOckaJP80TmUCq2ASMJF5s7GEHsUUEPCUe9p1iASliFnjOJLFv0moWkISwQK7EpVer oYryJKbtnMoOsk1EwEnixG4ukDCLgKrE9W/HWEFsXgFfidlL3zBCLFvMKNHz8SlYL6eApsTe I0vZQGxGoPO+n1oDdgSzgLjErSfzmSDOFpBYsuc8M4QtKvHy8T9WCFtJ4uPv+WB7mYHmrN+l D9GqKDGl+yE7xF5BiZMzn7BMYBSbhWTqLISOWUg6ZiHpWMDIsoqRo7Q4tSw33chwEyMwuo5J sDnuYFzwyfIQowAHoxIPb8EknzAh1sSy4srcQ4wSHMxKIryWB33DhHhTEiurUovy44tKc1KL DzFKc7AoifPOm3E/VEggPbEkNTs1tSC1CCbLxMEp1cDocueNzs0va9j4gx5fXs0x7faG1pas 3Qtff3wVzvzVcrP991Yenavy/uWJE7g9MnkttcwnrdtWr6IwqZjjAYtrmcZ2Y/bEnXILtk36 bnD22r3XaxleWixQYXgr9UBhRu/eO6u6Jiq8yPzKJHm4curb0I8S6RYm3qtcA/Ju9YZVTf4j 5+/4m6VGiaU4I9FQi7moOBEAiXtb9KoCAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/mpls/Xle2VVUyBQkiqrmj675l3nh_dv0>
Cc: "draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf.all@ietf.org" <draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf.all@ietf.org>, "draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf@ietf.org" <draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf@ietf.org>, "rcallon@juniper.net" <rcallon@juniper.net>, "mpls-chairs@ietf.org" <mpls-chairs@ietf.org>, "mpls@ietf.org" <mpls@ietf.org>
Subject: Re: [mpls] Stephen Farrell's No Objection on draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15: (with COMMENT)
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2015 14:44:50 -0000
Hi Stephen, thank you for the clarifications. More in-line answers now tagged GIM2>>. Regards, Greg -----Original Message----- From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] Sent: Thursday, November 19, 2015 5:36 AM To: Gregory Mirsky; The IESG Cc: draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf@ietf.org; draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf.all@ietf.org; mpls-chairs@ietf.org; rcallon@juniper.net; mpls@ietf.org Subject: Re: Stephen Farrell's No Objection on draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15: (with COMMENT) Hiya, On 19/11/15 04:03, Gregory Mirsky wrote: > Hi Stephen, > > thank you for your review and comments. Please find my answers in-line > and tagged GIM>>. Hope we can find good solution to address your > concern with BFD security. > > > > Regards, > > Greg > > > > -----Original Message----- From: Stephen Farrell > [mailto:stephen.farrell@cs.tcd.ie] Sent: Wednesday, November 18, 2015 > 4:33 PM To: The IESG Cc: > draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf@ietf.org; > draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf.all@ietf.org; > mpls-chairs@ietf.org; rcallon@juniper.net; mpls@ietf.org Subject: > Stephen Farrell's No Objection on > draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15: (with COMMENT) > > > > Stephen Farrell has entered the following ballot position for > > draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15: No Objection > > > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut > this introductory paragraph, however.) > > > > > > Please refer to > https://www.ietf.org/iesg/statement/discuss-criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-mpls-lsp-ping-mpls-tp-oam- > conf/ > > > > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > > > > - 2.1.1, is there any chance of moving on from the "Keyed SHA1" > > from RFC5880 to e.g. HMAC-SHA256 for this? We're generally trying to > get that kind of transition done as we can and moving to use of a > standard integrity check rather than a more home-grown one has some > benefits. The HMAC-SHA1-like thing you're doing is still probably ok, > (though could maybe do with crypto eyeballs on it as there may have > been relevant new results since 2010) but future-proofing would > suggest moving to HMAC-SHA256 if we can. (I can imagine such a change > might require a new document, but am asking anyway:-) > > GIM>> The fact is that we're bound by what is defined in RFC 5880. I wonder for how long though, that's now a five year old RFC. Assuming it takes a few years for new deployments to pick up new algorithms, isn't it time that a whole bunch of algorithm choices were revisited? > There was a proposal to strengthen BFD security BFD Generic > Cryptographic > Authentication<http://tools.ietf.org/html/draft-bhatia-bfd-crypto-auth > -03> > but the document had expired. Pity that. > - 2.1.1, I'd recommend saying any password auth-type MUST NOT be used > - would that be possible? > > GIM>> I think that we’ll need to make changes to RFC 5880 first > (5880bis?). I don't see any reason why that is true. This document can easily say "you MUST NOT use the horribly weak option specified in that old RFC" with changing that old RFC. GIM2>> Would adding the following in Section 2.2.4 BFD Authentication sub-TLV to AuthType explanation address your concern: Simple Password SHOULD NOT be used if other authentication types are available. > Besides, there’s RFC 7487 that describes RSVP-TE extensions to > configure MPLS-TP OAM. > > > > - section 6 - what "established secure key-exchange protocol" > > is available to use here? > > GIM>> The document considers key exchange mechanisms being outside > its scope. Mechanisms used only assumed and not discussed at length in > the document. I did not ask if you should specify something here. I asked what exists that is usable? If the answer is "nothing" then the text in the draft would be misleading wouldn't it? GIM2>> PKI (Public Key Infrastructure) > - (this is sort of off-topic) I find an architecture like this where a > packet traversing a network has quite so many side-effects a bit hard > to grok. Do you have a pointer to something (not too long:-) that > explains the consequences of that? > > GIM>> The first paragraph of the Security Considerations section > refers to some scenarios that may suffice due to conditions > (overload) in the management plane. The third paragraph of the same > section notes need to have sufficient security mechanism for LSP Ping > communication. You're mis-interpreting me, I guess because my question wasn't clear. My question above was a simple request for some background information about the consequences of this architecture, and was not a direct criticism of or comment on this draft. (Now if it turns out there is no background material on the consequences of this architecture, then that would be very interesting.) GIM2>> I see now that I've misread the question. LSP Ping, being Request-Reply mechanism with elaborate status reporting, provides self-throttling and sufficient self-diagnostic. In the document we're not discussing what happens if and when Echo request with OAM configuration TLVs times-out because of no Echo reply received as that is implementation specific. At the same time, implementation experience suggests that all of MPLS-TP OAM configuration can be communicated in a single Echo request thus minimizing network impact. Cheers, S. > > > >
- [mpls] Stephen Farrell's No Objection on draft-ie… Stephen Farrell
- Re: [mpls] Stephen Farrell's No Objection on draf… Gregory Mirsky
- Re: [mpls] Stephen Farrell's No Objection on draf… Stephen Farrell
- Re: [mpls] Stephen Farrell's No Objection on draf… Gregory Mirsky
- Re: [mpls] Stephen Farrell's No Objection on draf… Stephen Farrell
- Re: [mpls] Stephen Farrell's No Objection on draf… Gregory Mirsky
- Re: [mpls] Stephen Farrell's No Objection on draf… Stephen Farrell