Re: [mpls] Working Geoup Adoption poll on draft-kompella-mpls-lspping-norao
Adrian Farrel <adrian@olddog.co.uk> Sat, 31 December 2022 13:09 UTC
Return-Path: <adrian@olddog.co.uk>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46F2EC1524AB; Sat, 31 Dec 2022 05:09:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.092
X-Spam-Level:
X-Spam-Status: No, score=-7.092 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=olddog.co.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EJrotvwXaYXX; Sat, 31 Dec 2022 05:09:13 -0800 (PST)
Received: from mta8.iomartmail.com (mta8.iomartmail.com [62.128.193.158]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00C03C1524A9; Sat, 31 Dec 2022 05:09:10 -0800 (PST)
Received: from vs2.iomartmail.com (vs2.iomartmail.com [10.12.10.123]) by mta8.iomartmail.com (8.14.7/8.14.7) with ESMTP id 2BVD97qj005018; Sat, 31 Dec 2022 13:09:07 GMT
Received: from vs2.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id AD1104604B; Sat, 31 Dec 2022 13:09:07 +0000 (GMT)
Received: from vs2.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 8D7E946048; Sat, 31 Dec 2022 13:09:07 +0000 (GMT)
Received: from asmtp3.iomartmail.com (unknown [10.12.10.224]) by vs2.iomartmail.com (Postfix) with ESMTPS; Sat, 31 Dec 2022 13:09:07 +0000 (GMT)
Received: from LAPTOPK7AS653V ([85.255.234.76]) (authenticated bits=0) by asmtp3.iomartmail.com (8.14.7/8.14.7) with ESMTP id 2BVD96iM020321 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sat, 31 Dec 2022 13:09:07 GMT
Reply-To: adrian@olddog.co.uk
From: Adrian Farrel <adrian@olddog.co.uk>
To: 'Loa Andersson' <loa@pi.nu>, mpls@ietf.org
Cc: draft-kompella-mpls-lspping-norao@ietf.org
References: <3fd09c02-b979-348c-d9dd-f066f87a4ae7@pi.nu>
In-Reply-To: <3fd09c02-b979-348c-d9dd-f066f87a4ae7@pi.nu>
Date: Sat, 31 Dec 2022 13:09:06 -0000
Organization: Old Dog Consulting
Message-ID: <007301d91d19$109972a0$31cc57e0$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQIAYwaE8cAFVpxfMWze5cFu8X50bq45ayaw
Content-Language: en-gb
X-Originating-IP: 85.255.234.76
X-Thinkmail-Auth: adrian@olddog.co.uk
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=olddog.co.uk; h=reply-to :from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-type:content-transfer-encoding; s= 20221128; bh=F64T/080iChWx46jB9PDLpWjMAYP/ss/Eqezsx0UCUw=; b=b0l 30eyrq9gf3NczLBtt90IKkWhVz4g5abELh3zM0K6Y45knMtIV/CWY3jiNfYND/5Y Eg7fBnd+faeV8/ZeJ8RBbe/iBgYZvhMZHxETw71A3OaGNjHP69Tn0OT11hy7h5St jJlZhkNqBV0vZz/fpOacwaJHSBhJFNQcayLVw3EjVywzzjMbzDkvCYhyrSmv7Rws MoHEE5P6WZb0pf7oENjm3hFeRWcB581uzlxxOnmLpJ13nSINJ8cu4ZoESQGMfJGw DsbpVj+kBd7qCqbtMN86Lk7GI38pwu/0uZ/JHWnxt+1V7rnzpZ8p6iPGAr7Prws8 VbHGJctjzxwEKd0EqHA==
X-TM-AS-GCONF: 00
X-TM-AS-Product-Ver: IMSVA-9.1.0.2090-9.0.0.1002-27356.007
X-TM-AS-Result: No--29.498-10.0-31-10
X-imss-scan-details: No--29.498-10.0-31-10
X-TMASE-Version: IMSVA-9.1.0.2090-9.0.1002-27356.007
X-TMASE-Result: 10--29.498000-10.000000
X-TMASE-MatchedRID: 8HTFlOrbAtHxIbpQ8BhdbDjNGpWCIvfTT5ysQDj6eFnXtEChBBT6jEop D+RCCRBk7jUA7Y9PwrQGRCtHSkI1/tA38DHaVaK4IQrubkFPQdlvk3JiXDj4dW8gXz2vH0PRA8D K6eXHNb19hZWfrOAVmCl1/aec3qDKPXdZx1sZHpB3NZJQR75PKlkN0eJOT05w+a3bC2tdCMx43k Yqe8X/k3lI7JakaI5m/fG/lvEupNRmdyCa5id7auLdprnA5EQRV9FSsHmLmSfdym7nj6iFqoC8Y gOcKzA9WgWOyHx8tVs65m9meG/WS7DWcuedaHO3OWUWxTQJdI8XivwflisSrFPWC5gcKVCvRKLa 632yXzQg4kw/oFp4FeEg7TN/SPRmX6OrMQajfMRWeFNzK1vl0iUe3Ue96s+uAolyO2xxVAWPbqU oH8TMoZp6VbtqvFM0G2ANca2kG5T0a+dotjUlLCAWHOR37+ATq3MsQB4M7MJ/8zHJ6KkGg8fc5p KTMK1b016DO+yZCAnVeptTRKjYpVW9o3W1Rn0zWTWEh5N2a9GNCqGZ2ehfl44mJRo3N/MnXbw+g psOp4os6431c1LVdeprqRq+pN8eAoU2MUt2UTkM6z3iDvziBz/FEHo4advaWFyVePGN2QymIlj9 2kc9fCiOUNh0Cg8FYHVaFopGvuQmF/cZUQd8Zf3vrjdfNHuXoZoUnnV928K15eNIExieaQ0QjyN vzI3pOi3a79A00Gz8q57oEyJKb+VsdeNpdvi/5PTak5rnadRBHuVYxc8DW74hD5p4uWGfJiJpfs sK6r7vPSt1zxntq1hTV0LxIv7es0V1c5XE5TSeAiCmPx4NwLTrdaH1ZWqCii7lXaIcF/Ww7M6dy uYKg46HM5rqDwqtlExlQIQeRG0=
X-TMASE-SNAP-Result: 1.821001.0001-0-1-22:0,33:0,34:0-0
Archived-At: <https://mailarchive.ietf.org/arch/msg/mpls/gRYyV07JZigqD_84HfevoOM3Lk0>
Subject: Re: [mpls] Working Geoup Adoption poll on draft-kompella-mpls-lspping-norao
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 31 Dec 2022 13:09:18 -0000
Hi, There seems to be a bit of silence about this document, so here are my thoughts. Tl;dr - Yes we should adopt this document I did an early review for Loa, which I believe he shared with the authors. So it shouldn't be a surprise if I now find fewer issues. BTW, and not really relevant for the current content of the document, I believe the reason for the "belts and braces" use of the RAO was to protect against "pop-and-go" implementations where an encapsulated IP packet might be exposed and forwarded without checks made on the IP TTL. Whether or not this was a real concern can be left as an exercise for the reader. Happy New Year, Adrian === Please settle on "LSP ping" or "LSP Ping" --- The title makes clear the purpose of the document. However... This document also recommends the use of an IPv6 loopback address (:::1/128) and discourages the use of an IPv4 loopback address mapped to IPv6. That fact is lost to people who read document titles and apply filters! Perhaps... LSP Ping: Deprecating the Use of Router Alert and Recommendations for the use of IPv6 Loopback Address --- Abstract has: The rationale for including an RAO is questionable. Furthermore, RFC6398 identifies security vulnerabilities associated with the RAO. I don't believe that the reason for deprecating RAO in this case is the "questionable" rationale for its use. Who cares whether it is questionable, and who wants to have that debate? The reason to deprecate is the security vulnerabilities. That no implementation relies on the RAO is an indication that deprecation is safe. A throw-away comment is that we don't believe including RAO adds any value. So, I'd suggest to focus on the main event... LSP ping messages (RFC 8029) are encapsulated in IP headers that include a Router Alert Option (RAO). However, RFC6398 identifies security vulnerabilities associated with the RAO, and it is believed that no implementation relies on the presence of the RAO to add any functional value. --- Abstract should not just say, "It updates RFCs 7506 and 8029," but should also indicate in what way it makes an update. I think this can be achieved by rewriting the paragraph as... Therefore, this document updates 8029 to remove the RAO from LSP ping message encapsulations and reclassifies RFC 7506 as Historic. -- Interesting that, despite the assertion that the document makes recommendations on the use of IPv6 loopbacks, the text uses SHOULD and not RECOMMENDS. Not important, but a nice-to-have. --- 1. The IP header that encapsulates an echo request message must include a Router Alert Option (RAO), while the IP header that encapsulates an echo reply message may include an RAO. Given what this document sets out to do, you should phrase this as... RFC 8029 specifies that, the IP header.... --- 1. Same issue as mentioned for the Abstract. OLD In both cases, the rationale for including an RAO is questionable. Furthermore, [RFC6398] identifies security vulnerabilities associated with the RAO and recommends against its use outside of controlled environments. NEW However, [RFC6398] identifies security vulnerabilities associated with the RAO and recommends against its use outside of controlled environments. Further, it is believed that no implementation relies on the presence of the RAO to add any functional value. END --- 1. Similar issue to in the Abstract, but we can also give some more details about the updated RFCs. OLD Therefore, this document removes the RAO from both LSP ping message encapsulations. It updates RFCs 7506 [RFC7506] and 8029. NEW [RFC7506] discusses the use of the IPv6 ROA for MPLS Operations, Administration, and Maintenance (OAM) and allocates a new, generic IPv6 RAO value that can be used by MPLS OAM tools, including the MPLS Echo Request and MPLS Echo Reply messages for LSP ping in IPv6 environments. Therefore, this document updates 8029 to remove the RAO from LSP ping message encapsulations, and reclassifies RFC 7506 as Historic. END --- 2.1 To achieve this, RFC 8029 proposes the following: To be fair, 8029 is a little more direct. It "specifies". --- 2.1 To make the relationship to 7506 clearer... OLD 3. When the echo request message is encapsulated in IPv4, the IPv4 header must include an RAO. When the echo request message is encapsulated in IPv6, the IPv6 header chain must include a Hop- by-hop extension header and the Hop-by-hop extension header must include an RAO. NEW 3. When the echo request message is encapsulated in IPv4, the IPv4 header must include an RAO. When the echo request message is encapsulated in IPv6, the IPv6 header chain must include a Hop- by-hop extension header and the Hop-by-hop extension header must include an RAO as defined by RFC 7506. END --- 2.1 "ALL" is not a 2119 word, and the use of "therefore" is not a logical progression. So... OLD Currently, ALL of these are required. However, any one is sufficient to prevent forwarding the packet beyond the egress LSR. Therefore, this document changes RFC 8029 in that Requirement 3 is removed. NEW RFC 8029 states that all of these four behaviors must be implemented. However, it can be observed that any one of them is sufficient to prevent the packet being forwarded beyond the egress LSR. Therefore, the third requirement (use of the RAO) does not add any value, and so, in view of the security concerns outlined in RFC 6398, this document updates RFC 8029 to remove this third requirement. END --- 2.1 The authors are not aware of any implementation that relies on the RAO to prevent packets from being forwarded beyond the egress LSR. This is fine for now. Obviously, before we request publication, it needs to be strengthened into something like... An ad hoc survey of implementers conducted by MPLS Working Group has not revealed any implementation that relies on the RAO to prevent packets from being forwarded beyond the egress LSR. --- 2.2 I'd suggest some re-wording to avoid debate... OLD The rationale for mode 3 is questionable, if not wholly misguided. According to RFC 8029, "If the normal IP return path is deemed unreliable, one may use 3 (Reply via an IPv4/IPv6 UDP packet with Router Alert)." However, it is not clear that the use of the RAO increases the reliability of the return path. In fact, one can argue it decreases the reliability in many instances, due to the additional burden of processing the RAO. This document changes RGC 8020 in that mode 3 are removed. NEW In the case of mode 3, this uses the IPv6 RAO defined in RFC 7506. RFC 8029 states: "If the normal IP return path is deemed unreliable, one may use 3 (Reply via an IPv4/IPv6 UDP packet with Router Alert)." However, it is not clear that the use of the RAO increases the reliability of the return path. In fact, one can argue it decreases the reliability in many instances, due to the additional burden of processing the RAO. This document changes RFC 8020 in that mode 3 is removed. END --- 2.2 The authors are not aware of any implementations of mode 3. Again, this is fine for now, but it will need to be strengthened before publication. --- 3. It's good, but could be a little clearer. Suggest... [RFC7506] defines the IPv6 Router Alert Option for MPLS Operations, Administration, and Management. With the changes to RFC 8029 described in Section 2, that RAO is no longer required. Therefore, this document reclassifies RFC 7506 as Historic and requests IANA to mark the IPv6 RAO value of MPLS OAM as Deprecated (see Section 6). --- 4. s/in[RFC1122]/in [RFC1122]/ --- I found sections 2 and 4 to be confusing in content. From the section titles, it looks like 2 is just descriptive and 4 includes all of the updates to 8029. But that's not the case. Further, it is not clear in 4 whether... LSP Ping implementations SHOULD ignore RAO options when they arrive on incoming echo request and echo reply messages. ...is original text, an update, or new text. I suggest three actions: 1. Make the section titles clearer: 2. Updates to RFC 8029 for Router Alert for LSP Ping 3. Reclassifying RFC 7506 as Historic 4. Update to RFC 8029 for IPv6 Loopback Addresses 2. Move... LSP Ping implementations SHOULD ignore RAO options when they arrive on incoming echo request and echo reply messages. ...to Section 2 where it better fits with the content 3. In Sections 2 and 4 make it abundantly clear what text is replaced with what. This can either be, "The entirety of Section x.y is replaced with the following text," or use OLD/NEW notation. --- 5. s/tha that/that/ --- 5. AFAICS, section 5 doesn't talk about backward compatibility directly! And, while it is delightful to know how you interpret "DEPRECATED": - You have only used "Deprecated" in the text - You have (correctly) noted in section 6 that 8126 provides the definition. You should have something like: According to the update to RFC 8029 set out in Section X, LSP Ping implementations should ignore RAO options when they arrive on incoming echo request and echo reply messages. As well as using the RAO, RFC 8029 requires echo requests have the destination address set to a loopback address and that the IP TTL/Hop Limit be set to 1. Therefore, echo requests sourced by a legacy implementation will still be captured and not forwarded even if the RAO they carry is ignored, and echo requests sourced by an implementation conformant to this document will be correctly captured by legacy end points. Furthermore, in the case of an echo reply, the only option in which a legacy implementation may use an RAO is option 3, and with the RAO ignored, this looks like option 2 which must, in any case be supported by a receiver. Thus, backwards compatibility is not impeded by this document. This document requests that the IPv6 RAO value for MPLS OAM (69) in [IANA-IPV6-RAO] is marked as "Deprecated". It also requests that Reply Mode 3 ("Reply via an IPv4/IPv6 UDP packet with Router Alert") in [IANA-LSP-PING] is marked as "Deprecated". The term "Deprecated" is defined in [RFC8126] and means that deprecated values should not be used in new implementations, and that deployed implementations that use these values continue to work seamlessly. This is consistent with the non-use and ignoring of RAO as described above. --- 6. This section needs to be more pithy about what it is asking IANA to do and also not tell IANA what their own terms mean! IANA maintains the "IPv6 Router Alert Option Values" registry. IANA is requested to mark value 69 ("MPLS OAM") as Deprecated and include a reference to this document. IANA should continue to include the reference to RFC 7506. IANA maintains the "Reply Modes" registry within the "Multiprotocol Label Switching Architecture (MPLS)" registries. IANA is requested to mark value 3 ("Reply via an IPv4/IPv6 UDP packet with Router Alert") as Deprecated and include a reference to this document. IANA should continue to include the reference to RFC 8029. --- 7. Given that one of your motivations for this work is the security concerns expressed in RFC 6398, I think that this section should spend some characters to state that you believe that this improves the security of IP-over-MPLS systems, and why. --- 8. Not appropriate to include the URLs of the IANA registries as references because they are not long-term stable (compared to the names of the registries). See my proposed text in section 6. -----Original Message----- From: mpls <mpls-bounces@ietf.org> On Behalf Of Loa Andersson Sent: 15 December 2022 23:43 To: mpls@ietf.org Cc: draft-kompella-mpls-lspping-norao@ietf.org Subject: [mpls] Working Geoup Adoption poll on draft-kompella-mpls-lspping-norao Working Group, This is to start a two week poll on adopting draft-kompella-mpls-lspping-norao as a MPLS working group document. Normally we do the two weeks wgap's pretty strict, however in this case I keep the right to extend the wgap, if there has not been enough reactions and discussion, the wgap might be extended into 2023. Please send your comments (support/not support) to the mpls working group mailing list (mpls@ietf.org). Please give a technical motivation for your support/not support, especially if you think that the document should not be adopted as a working group document. For this poll we also want to point at text in section 2.1 and 2.2. Section 2.1 have the following: The authors are not aware of any implementation that relies on the RAO to prevent packets from being forwarded beyond the egress LSR. Section 2.2 have the following: The authors are not aware of any implementations of mode 3. We'd like to confirm that we don't have such implementations. If you have additional information, or agree with the statements above, please include this in your response on the wgap. There are no IPR disclosures against this document. All the authors have stated on the MPLS wg mailing list that they are unaware of any IPRs that relates to this document. The working group adoption poll ends December 29, 2022. /Loa -- Loa Andersson email: loa@pi.nu Senior MPLS Expert loa.pi.nu@gmail.com Bronze Dragon Consulting phone: +46 739 81 21 64 _______________________________________________ mpls mailing list mpls@ietf.org https://www.ietf.org/mailman/listinfo/mpls
- [mpls] Working Geoup Adoption poll on draft-kompe… Loa Andersson
- Re: [mpls] Working Geoup Adoption poll on draft-k… Joel Halpern
- Re: [mpls] Working Geoup Adoption poll on draft-k… Adrian Farrel
- [mpls] Closed: Working Group Adoption poll on dra… Loa Andersson