IETF Logo Mail Archive

Re: [mpls] Questions for draft-ietf-mpls-tp-on-demand-cv-05

Eric Gray <eric.gray@ericsson.com> Wed, 27 July 2011 05:17 UTC

Return-Path: <eric.gray@ericsson.com>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1A9421F8B82 for <mpls@ietfa.amsl.com>; Tue, 26 Jul 2011 22:17:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.199
X-Spam-Level:
X-Spam-Status: No, score=-6.199 tagged_above=-999 required=5 tests=[AWL=-0.200, BAYES_00=-2.599, J_CHICKENPOX_93=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6YakEdB0dtIQ for <mpls@ietfa.amsl.com>; Tue, 26 Jul 2011 22:17:49 -0700 (PDT)
Received: from imr4.ericy.com (imr4.ericy.com [198.24.6.8]) by ietfa.amsl.com (Postfix) with ESMTP id 7095F21F8B83 for <mpls@ietf.org>; Tue, 26 Jul 2011 22:17:49 -0700 (PDT)
Received: from eusaamw0712.eamcs.ericsson.se ([147.117.20.181]) by imr4.ericy.com (8.14.3/8.14.3/Debian-9.1ubuntu1) with ESMTP id p6R5Hdqm024218; Wed, 27 Jul 2011 00:17:43 -0500
Received: from EUSAACMS0701.eamcs.ericsson.se ([169.254.1.59]) by eusaamw0712.eamcs.ericsson.se ([147.117.20.181]) with mapi; Wed, 27 Jul 2011 01:17:35 -0400
From: Eric Gray <eric.gray@ericsson.com>
To: Zhenlong Cui <c-sai@bx.jp.nec.com>
Date: Wed, 27 Jul 2011 01:17:33 -0400
Thread-Topic: [mpls] Questions for draft-ietf-mpls-tp-on-demand-cv-05
Thread-Index: AQHMLGAfW26yQHHsSES4MoXuuvjsuJTLNK7QgAHHkYCAA/0dQIAAGryggAAC3ZCAF28eAIAWWg2ggABTzkCAACpC4A==
Message-ID: <C0AC8FAB6849AB4FADACCC70A949E2F10B24DDED26@EUSAACMS0701.eamcs.ericsson.se>
References: <4DFA60E3.90807@pi.nu><791AD3077F94194BB2BDD13565B6295D13B65A62@Polydeuces.office.hd><C0AC8FAB6849AB4FADACCC70A949E2F10B2256B154@EUSAACMS0701.eamcs.ericsson.se><791AD3077F94194BB2BDD13565B6295D13B69562@Polydeuces.office.hd><C0AC8FAB6849AB4FADACCC70A949E2F10B2484A3ED@EUSAACMS0701.eamcs.ericsson.se> <791AD3077F94194BB2BDD13565B6295D13B695EF@Polydeuces.office.hd> <D6432A3783F045B694EA0467F7173898@nsl.ad.nec.co.jp> <C0AC8FAB6849AB4FADACCC70A949E2F10B24DDE877@EUSAACMS0701.eamcs.ericsson.se> <60F069FADFF94B1C8594EEB26514F486@nsl.ad.nec.co.jp>
In-Reply-To: <60F069FADFF94B1C8594EEB26514F486@nsl.ad.nec.co.jp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "mpls@ietf.org" <mpls@ietf.org>, "draft-ietf-mpls-tp-on-demand-cv@tools.ietf.org" <draft-ietf-mpls-tp-on-demand-cv@tools.ietf.org>
Subject: Re: [mpls] Questions for draft-ietf-mpls-tp-on-demand-cv-05
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mpls>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2011 05:17:50 -0000

Zhenlong,

A few observations:

1) Even if you can respond to the sender - as expected for the
   unknown TLV case - you should exercise implementation caution
   to avoid banging the network with these responses if you keep
   getting the offending TLVs.  That turns some other vendor's
   problems into your problem.  This approach reduces security
   risks associated with a known sender that is behaving badly.
2) If you are relying on the TLV to give you the identity of the
   sender, how can you not know the TLV type?  On the other hand,
   if you know how to get a reply to the sender by some means,
   and you get one or more TLVs that you don't understand, then
   you should probably send an error code at least once, and you
   may determine from your own experience that you need to send
   additional replies periodically if it continues.
3) Specifying this sort of implementation detail is not part
   of what the IETF is not paying me to do.  :-)
4) Since this document refers to RFC 4379 extensively, it isn't
   necessary for this document to repeat the content of RFC 4379.
5) What we can do is point to the specific location in RFC 4379,
   since it is not easy to find.  That we will do.

--
Eric

-----Original Message-----
From: Zhenlong Cui [mailto:c-sai@bx.jp.nec.com] 
Sent: Tuesday, July 26, 2011 5:04 PM
To: Eric Gray
Cc: mpls@ietf.org; draft-ietf-mpls-tp-on-demand-cv@tools.ietf.org
Subject: RE: [mpls] Questions for draft-ietf-mpls-tp-on-demand-cv-05
Importance: High

Hi Eric,

I remember you said earlier that you should drop the packet from unknown source nodes, because there is a security problem with
responding.
On the other hand, you say that you should send a reply when the request includes an unknown TLV.

I think if the responder receives a request it checks the type of the TLV before it checks the identifiers.

So, my question is "if the responder receives a request from an unknown source node that includes an unknown TLV, does the responder
have to reply to the unknown source node?". If yes, this has the security problem you mentioned earlier, doesn't it?


Lastly, I suggest that add some mention to this draft regarding responder's behavior for new TLV.
1) Which return code to send when source/destination identifiers are wrong or drop the request.
2) Which return code to send when ingress if_num/egress if_num of DSMAP TLV are wrong or drop the request.


Best,
Zhenlong

> -----Original Message-----
> From: Eric Gray [mailto:eric.gray@ericsson.com]
> Sent: Wednesday, July 27, 2011 12:56 AM
> To: Zhenlong Cui
> Cc: mpls@ietf.org; draft-ietf-mpls-tp-on-demand-cv@tools.ietf.org
> Subject: RE: [mpls] Questions for draft-ietf-mpls-tp-on-demand-cv-05
> 
> Zhenlong,
> 
> Q-1: See RFC 4379, where these registry entries are derived from.
>      RFC 4379 sets up a number of registries - including the TLV
>      registry - and defines explicitly how to handle unknown TLV
>      types in section 3, in two very obscure paragraphs on page
>      10, just before section 3.1.
> 
> Q-2: "ingress port" is not correct - thanks for spotting this
>      cut-and-paste duplication error.
> 
> --
> Eric
> 
> -----Original Message-----
> From: Zhenlong Cui [mailto:c-sai@bx.jp.nec.com]
> Sent: Tuesday, July 12, 2011 5:20 AM
> To: mpls@ietf.org; draft-ietf-mpls-tp-on-demand-cv@tools.ietf.org
> Subject: [mpls] Questions for draft-ietf-mpls-tp-on-demand-cv-05
> 
> Dear Authors,
> 
> Two questions regarding the idenfifiers TLV and DSMAP TLV.
> 
> Question 1:
> > > > Which return code to send when identifiers are wrong (Malformed echo
> > > > request received?) or drop the packet.
> > > >
> > > > EG > Drop the packet, probably log the error, possibly run off
> > > > EG > screaming into the night.  What does one do when one gets
> > > > EG > something either not recognizably intended for one, or not
> > > > EG > from a source that one recognizes?  From a security point
> > > > EG > of view, we cannot require an implementation to reply to
> > > > EG > the requester in this case (this is an attack vector for
> > > > EG > all kinds of hate and discontent).  Nor can we forbid it.
> > > >
> If the "type" of identifier TLV is incorrect, then should this request frame be dropped? Should we reply to the requestor(One
> or
> more of the TLVs was not understood)? Can this way two answers be generated?
> 
> 
> Question 2:
> In section 2.1.1, Is below("ingress port") correct?
> 
>    Egress IF_Num identifies the ingress port on the target node.  A
>    value of 0 indicates that the port is not part of the identifier.
> 
> 
> Best,
> zhenlong
> 
> > -----Original Message-----
> > From: mpls-bounces@ietf.org [mailto:mpls-bounces@ietf.org] On Behalf Of Rolf Winter
> > Sent: Monday, June 27, 2011 8:04 PM
> > To: Eric Gray; mpls@ietf.org; draft-ietf-mpls-tp-on-demand-cv@tools.ietf.org
> > Subject: Re: [mpls] Verification call on draft-ietf-mpls-tp-on-demand-cv
> >
> > I think that's OK, since the value is not beyond but within the TLV. Taken from 4379:
> >
> > Types are defined below; Length is the length of the Value field in
> > octets.  The Value field depends on the Type; it is zero padded to
> > align to a 4-octet boundary.
> >
> > That means the length is the length of the actual value (excluding the padding). So the beginning of the next TLV is determined
> > by the length plus a value that makes it align on a 4-octet boundary (which of course can be 0). I cannot follow your argument
> > why this is not correct. I am sure I am missing something trivial, so sorry for spamming the list. But all information
> is
> > encoded in the packet (plus the simple rule quoted above). Otherwise, a node needs to understand the internal structure
> of
> > each TLV to extract the value instead of applying the simple rule above.
> >
> >
> > Best,
> >
> > Rolf
> >
> >
> > NEC Europe Limited | Registered Office: NEC House, 1 Victoria Road, London W3 6BL | Registered in England 2832014
> >
> >
> > > -----Original Message-----
> > > From: Eric Gray [mailto:eric.gray@ericsson.com]
> > > Sent: Montag, 27. Juni 2011 12:42
> > > To: Rolf Winter; mpls@ietf.org; draft-ietf-mpls-tp-on-demand-
> > > cv@tools.ietf.org
> > > Subject: RE: [mpls] Verification call on draft-ietf-mpls-tp-on-demand-
> > > cv
> > >
> > > IMO, that would be a problem with RFC 4379.  Perhaps there is
> > > an errata?
> > >
> > > TLVs are meant to follow each other, where the beginning of the
> > > next TLV is determined by the length of the current TLV - hence
> > > it is not correct to specify any content as having any value at
> > > all if it is beyond the end of the TLV.
> > >
> > > -----Original Message-----
> > > From: Rolf Winter [mailto:Rolf.Winter@neclab.eu]
> > > Sent: Monday, June 27, 2011 5:06 AM
> > > To: Eric Gray; mpls@ietf.org; draft-ietf-mpls-tp-on-demand-
> > > cv@tools.ietf.org
> > > Subject: RE: [mpls] Verification call on draft-ietf-mpls-tp-on-demand-
> > > cv
> > > Importance: High
> > >
> > > Hi Eric,
> > >
> > > just one more to follow up. You say:
> > >
> > > > EG > 24 is correct for the Static LSP Sub-TLV (it is 6 words long,
> > > > EG > even if the last two octets "Must be Zero").  The length of
> > > > EG > the Static Pseudowire Sub-TLV - on the other hand - was made
> > > > EG > longer by the addition of the 2-word AGI.  Nice catch!
> > >
> > > In RFC 4379, section 3.2, the MUST be Zero parts don't seem to be
> > > included in the length of the sub-TLVs. Why are they included here?
> > >
> > > Best,
> > >
> > > Rolf
> > >
> > >
> > > NEC Europe Limited | Registered Office: NEC House, 1 Victoria Road,
> > > London W3 6BL | Registered in England 2832014
> > >
> > >
> > > >
> > > > EG > Apparently.
> > > >
> > > > Which return code to send when identifiers are wrong (Malformed echo
> > > > request received?) or drop the packet.
> > > >
> > > > EG > Drop the packet, probably log the error, possibly run off
> > > > EG > screaming into the night.  What does one do when one gets
> > > > EG > something either not recognizably intended for one, or not
> > > > EG > from a source that one recognizes?  From a security point
> > > > EG > of view, we cannot require an implementation to reply to
> > > > EG > the requester in this case (this is an attack vector for
> > > > EG > all kinds of hate and discontent).  Nor can we forbid it.
> > > >
> > > > Using the per-interface model and say the DSMAP TLV did not match the
> > > > ingress IF identifier, then should this request frame be dropped?
> > > > Should we reply to the requestor? Can this way two answers be
> > > > generated?
> > > >
> > > > Nit (section 2.1): s/mpls/MPLS/
> > > >
> > > > EG > Thanks.
> > > >
> > > >
> > > > Best,
> > > >
> > > >
> > > >
> > > > Rolf
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > NEC Europe Limited | Registered Office: NEC House, 1 Victoria Road,
> > > > London W3 6BL | Registered in England 2832014
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: mpls-bounces@ietf.org [mailto:mpls-bounces@ietf.org] On
> > > Behalf
> > > > Of
> > > > > Loa Andersson
> > > > > Sent: Donnerstag, 16. Juni 2011 22:01
> > > > > To: mpls@ietf.org; draft-ietf-mpls-tp-on-demand-cv@tools.ietf.org;
> > > > Ross
> > > > > Callon; George Swallow; MPLS-TP ad hoc team
> > > > > Subject: [mpls] Verification call on draft-ietf-mpls-tp-on-demand-
> > > cv
> > > > >
> > > > > Working Group.
> > > > >
> > > > > the authors of draft-ietf-mpls-tp-on-demand-cv have updated the ID
> > > > > after wg last call and published version -04 of the document.
> > > > >
> > > > > A document detailing how the comments have been addressed will be
> > > > > found at:
> > > > > http://www.pi.nu/~loa/comments-on-03.xls
> > > > >
> > > > > This is to start a working group call to verify that all comments
> > > > > been adequately addressed. Please send your comments to the
> > > > > mpls working group mailing list before June 24th.
> > > > >
> > > > > Loa
> > > > > on behalf of the MPLS wg co-chairs
> > > > >
> > > > > --
> > > > >
> > > > >
> > > > > Loa Andersson                         email:
> > > > loa.andersson@ericsson.com
> > > > > Sr Strategy and Standards Manager            loa@pi.nu
> > > > > Ericsson Inc                          phone: +46 10 717 52 13
> > > > >                                               +46 767 72 92 13
> > > > > _______________________________________________
> > > > > mpls mailing list
> > > > > mpls@ietf.org
> > > > > https://www.ietf.org/mailman/listinfo/mpls
> > > > _______________________________________________
> > > > mpls mailing list
> > > > mpls@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/mpls
> > _______________________________________________
> > mpls mailing list
> > mpls@ietf.org
> > https://www.ietf.org/mailman/listinfo/mpls

v2.23.0 | Report a Bug | By Email