Re: [mpls] Kathleen Moriarty's Discuss on draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 08 October 2015 18:11 UTC
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Mach Chen <mach.chen@huawei.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/mpls/jnvNy6-3QORdSGJvXUbRBTstet4>
Cc: "mpls@ietf.org" <mpls@ietf.org>, "draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org" <draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org>, "draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org" <draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org>, "mpls-chairs@ietf.org" <mpls-chairs@ietf.org>, "draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org" <draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org>, The IESG <iesg@ietf.org>, "rcallon@juniper.net" <rcallon@juniper.net>
On Wed, Oct 7, 2015 at 10:34 PM, Mach Chen <mach.chen@huawei.com> wrote:
> Hi Kathleen,
>
> Sorry for the delayed response, just returned from the National Day Holidays!
>
> We will upload the updated document that addresses all received DISCUSS and comments so far.

Thank you, I'll look for the update to come through. I hope you enjoyed your holidays!

Kathleen

>
> Thanks,
> Mach
>
>> -----Original Message-----
>> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
>> Sent: Thursday, October 01, 2015 12:12 AM
>> To: Mach Chen
>> Cc: The IESG; draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org;
>> mpls-chairs@ietf.org; draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org;
>> draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org; rcallon@juniper.net;
>> mpls@ietf.org
>> Subject: Re: Kathleen Moriarty's Discuss on
>> draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)
>>
>> On Tue, Sep 29, 2015 at 11:13 PM, Mach Chen <mach.chen@huawei.com> wrote:
>> > Hi Kathleen,
>> >
>> > Thanks for your prompt response!
>> >
>> > Please see my reply inline...
>> >
>> >> -----Original Message-----
>> >> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
>> >> Sent: Wednesday, September 30, 2015 10:39 AM
>> >> To: Mach Chen
>> >> Cc: The IESG; draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org;
>> >> mpls-chairs@ietf.org; draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org;
>> >> draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org; rcallon@juniper.net;
>> >> mpls@ietf.org
>> >> Subject: Re: Kathleen Moriarty's Discuss on
>> >> draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)
>> >>
>> >> Hi,
>> >>
>> >> Thanks for suggesting text quickly to address this. Inline
>> >>
>> >> Sent from my iPhone
>> >>
>> >> > On Sep 29, 2015, at 10:28 PM, Mach Chen <mach.chen@huawei.com> wrote:
>> >> >
>> >> > Hi Kathleen,
>> >> >
>> >> > Thanks for reviewing the draft and the suggestion!
>> >> >
>> >> > Regarding the DISCUSS, how about the following update?
>> >> >
>> >> > OLD:
>> >> > Beyond those specified in [RFC4379] and [RFC7110], there are no
>> >> > further security measures required.
>> >> >
>> >> > NEW:
>> >> > Those security considerations specified in [RFC4379] and [RFC7110]
>> >> > apply for this document.
>> >> > In addition, this document introduces the Reply Mode Order TLV. It
>> >> > provides a new way for an unauthorized source to gather more network
>> >> > information, especially the potential return path(s) information of
>> >> > an LSP. To protect against unauthorized sources using MPLS echo
>> >> > request messages with the Reply Mode Order TLV to obtain network
>> >> > information, similar to [RFC4379], it is RECOMMENDED that
>> >> > implementations provide a means of checking the source addresses of
>> >> > MPLS echo request messages against an access list before accepting the
>> >> > message.
>> >>
>> >> If the message is not encrypted, this content is still exposed potentially,
>> >> right?
>> >
>> > Yes, but it is exposed within the MPLS domain.
>> >
>> >> This helps, but also mentioning lack of confidentiality protection
>> >> might be helpful too.
>> >
>> > I'm not sure whether this issue is specific to this document, seems this is a
>> > common issue for MPLS OAM and control plane.
>> >
>> > If this is a concern, how about adding the following text:
>> > "
>> > Another potential security issue is that the MPLS echo request and
>> > reply messages are not encrypted, the content of the MPLS echo
>> > request and reply messages may be potentially exposed. Although the
>> > exposure is within the MPLS domain, if such exposure is a concern,
>> > some encryption mechanisms may be employed.
>> > "
>>
>> This additional text puts in the caveat that you are concerned with and limits
>> the scope to the MPLS domain, so I think that is helpful on both fronts. The
>> two combined would cover any additional considerations for this draft nicely,
>> thank you.
>>
>> Please let me know when the updated text has been incorporated and I will
>> clear.
>>
>> Thanks,
>> Kathleen
>>
>> >
>> > Best regards,
>> > Mach
>> >
>> >>
>> >> Thank you,
>> >> Kathleen
>> >>
>> >> >
>> >> >
>> >> > Best regards,
>> >> > Mach
>> >> >
>> >> >
>> >> >> -----Original Message-----
>> >> >> From: Kathleen Moriarty [mailto:Kathleen.Moriarty.ietf@gmail.com]
>> >> >> Sent: Tuesday, September 29, 2015 11:15 PM
>> >> >> To: The IESG
>> >> >> Cc: draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org;
>> >> >> mpls-chairs@ietf.org; draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org;
>> >> >> draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org; rcallon@juniper.net;
>> >> >> mpls@ietf.org
>> >> >> Subject: Kathleen Moriarty's Discuss on
>> >> >> draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)
>> >> >>
>> >> >> Kathleen Moriarty has entered the following ballot position for
>> >> >> draft-ietf-mpls-lsp-ping-reply-mode-simple-04: Discuss
>> >> >>
>> >> >> When responding, please keep the subject line intact and reply to
>> >> >> all email addresses included in the To and CC lines. (Feel free to
>> >> >> cut this introductory paragraph, however.)
>> >> >>
>> >> >> Please refer to
>> >> >> https://www.ietf.org/iesg/statement/discuss-criteria.html
>> >> >> for more information about IESG DISCUSS and COMMENT positions.
>> >> >>
>> >> >> The document, along with other ballot positions, can be found here:
>> >> >> https://datatracker.ietf.org/doc/draft-ietf-mpls-lsp-ping-reply-mode-simple/
>> >> >>
>> >> >> ----------------------------------------------------------------------
>> >> >> DISCUSS:
>> >> >> ----------------------------------------------------------------------
>> >> >>
>> >> >> This should be easy to resolve. Since this draft adds a new
>> >> >> capability to include the return path, this provides another
>> >> >> attack vector to observe path information that could be part of
>> >> >> reconnaissance gathering to later attack the network or path.
>> >> >> While the referenced RFC4379 mentions the following in the
>> >> >> security considerations section:
>> >> >>
>> >> >>     The third is an
>> >> >>     unauthorized source using an LSP ping to obtain information about the
>> >> >>     network.
>> >> >>
>> >> >> The equivalent should be added for this new capability in this
>> >> >> draft, since now it's possible to gather the path information from the new
>> >> >> feature.
>> >> >
>> >>
>> >> --
>> >> Best regards,
>> >> Kathleen

--
Best regards,
Kathleen
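As an added illustration of the access-list check the NEW text above recommends (editor's example, not code from the draft, from RFC 4379, or from anyone in this thread), the function below parses a constructed RFC 4379 echo request, looks for the Reply Mode Order TLV, and accepts such a request only from a source on the access list. The TLV type value and the access list are assumptions of this example (the type is the value this editor recalls RFC 7555 registering; verify it against the IANA registry), and the packets are constructed test data.

```python
import ipaddress
import struct

# Constructed example, not code from the draft or from this thread.
REPLY_MODE_ORDER_TLV_TYPE = 21  # assumption: the TLV type RFC 7555 allocated; verify against IANA
ECHO_REQUEST = 1                # RFC 4379 Message Type for an MPLS echo request
HEADER_FMT = "!HHBBBBIIIIII"    # RFC 4379 fixed header: version, global flags, message type,
                                # reply mode, return code/subcode, sender's handle, sequence,
                                # and four 32-bit timestamp words (32 bytes total)
HEADER_LEN = struct.calcsize(HEADER_FMT)
ACCESS_LIST = [ipaddress.ip_network("10.0.0.0/24")]  # constructed: sources allowed to learn paths


def parse_tlvs(payload):
    """Return [(type, value)] for the RFC 4379 TLVs; each value is padded to a 4-byte boundary."""
    tlvs, off = [], 0
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + tlen > len(payload):
            raise ValueError("truncated TLV")
        tlvs.append((ttype, payload[off:off + tlen]))
        off += (tlen + 3) & ~3
    return tlvs


def should_accept(src_ip, packet, access_list=ACCESS_LIST):
    """Apply the RECOMMENDED check: an echo request carrying the Reply Mode Order TLV
    is accepted only when its source address is on the access list."""
    if len(packet) < HEADER_LEN:
        return False, "short header"
    version, _flags, msg_type, *_ = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if version != 1 or msg_type != ECHO_REQUEST:
        return False, "not an echo request"
    has_order_tlv = any(t == REPLY_MODE_ORDER_TLV_TYPE for t, _ in parse_tlvs(packet[HEADER_LEN:]))
    src = ipaddress.ip_address(src_ip)
    if has_order_tlv and not any(src in net for net in access_list):
        return False, "Reply Mode Order TLV from a source not on the access list"
    return True, "ok"


def build_echo_request(tlvs):
    """Constructed test packet: minimal echo request header followed by the given TLVs."""
    hdr = struct.pack(HEADER_FMT, 1, 0, ECHO_REQUEST, 2, 0, 0, 0x1234, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("!HH", t, len(v)) + v + b"\x00" * (-len(v) % 4) for t, v in tlvs)
    return hdr + body
```

Echo requests without the TLV are passed through here so that the existing RFC 4379 policy can decide on them separately.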