Re: [mpls] MPLS-RT review of draft-bonica-mpls-self-ping

Ron Bonica <rbonica@juniper.net> Tue, 17 March 2015 10:13 UTC

From: Ron Bonica <rbonica@juniper.net>
To: Loa Andersson <loa@pi.nu>, "lizho.jin@gmail.com" <lizho.jin@gmail.com>, mpls-chairs <mpls-chairs@tools.ietf.org>, draft-bonica-mpls-self-ping <draft-bonica-mpls-self-ping@tools.ietf.org>, mpls-ads <mpls-ads@tools.ietf.org>
Date: Tue, 17 Mar 2015 10:13:10 +0000
Message-ID: <CO1PR05MB442856C4FD46E74D03AE980AE030@CO1PR05MB442.namprd05.prod.outlook.com>
References: <54EC4776.5040402@pi.nu>, <2015031100220789189743@gmail.com>, <CO1PR05MB44294439D8B4C216054A1E5AE060@CO1PR05MB442.namprd05.prod.outlook.com> <201503122220311215427@gmail.com> <CO1PR05MB44255E38E0CB8D75B8B0B82AE070@CO1PR05MB442.namprd05.prod.outlook.com> <5502531C.40103@pi.nu>
In-Reply-To: <5502531C.40103@pi.nu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/mpls/lOFnnHcO_iCh1vfo4oq6HYqEAwY>
Cc: mpls <mpls@ietf.org>
Subject: Re: [mpls] MPLS-RT review of draft-bonica-mpls-self-ping

Ack.

I will catch this in the next draft version.

                              Ron


> -----Original Message-----
> From: Loa Andersson [mailto:loa@pi.nu]
> Sent: Friday, March 13, 2015 4:02 AM
> To: Ronald Bonica; lizho.jin@gmail.com; mpls-chairs; draft-bonica-mpls-self-ping; mpls-ads
> Cc: mpls
> Subject: Re: [mpls] MPLS-RT review of draft-bonica-mpls-self-ping
> 
> Ron,
> 
> The MPLS-RT review spawned some discussion on access lists. I could not
> remember what you said about access lists in the draft so I checked.
> Quick search "access" and "ACL" and found that you do not mention access
> lists at all. Maybe you should after the discussion here.
> 
> /Loa
> 
> On 2015-03-13 08:34, Ronald Bonica wrote:
> > Lizhong,
> >
> > I think that we are misunderstanding each other's words.
> >
> > RFC 6335 divides UDP ports into the following ranges:
> >
> > -Well-known (0-1023)
> >
> > -User (1024-49151)
> >
> > -Dynamic (49152-65535)
> >
> > The draft says that the UDP source and destination ports will be
> > selected from the dynamic range. It **does not** say that UDP port
> > numbers will be selected dynamically.
> >
> > When writing the draft, I was assuming that a typical implementation
> > selects a port from the dynamic range and sends all MPLS Self-ping
> > traffic to that port. Therefore, the user could provision an ACL for
> > that port.
> >
> > I **was not** assuming that the application would select a different
> > port each time that it ran MPLS-ping. This would make it very
> > difficult to ACL MPLS Self-ping traffic.
> >
> > If you like, I can make that assumption explicit in the draft.
> >
> >                                                                   Ron
> >
> > *From:*lizho.jin@gmail.com [mailto:lizho.jin@gmail.com]
> > *Sent:* Thursday, March 12, 2015 10:21 AM
> > *To:* Ronald Bonica; mpls-chairs; draft-bonica-mpls-self-ping;
> > mpls-ads
> > *Cc:* mpls
> > *Subject:* RE: MPLS-RT review of draft-bonica-mpls-self-ping
> >
> >     For section 6, originally the ingress could identify the LSP ping packet
> >     by its well-known UDP port, and configure an ACL rule to reduce the risk of
> >     attack. But now it is more difficult to filter the packet with an
> >     access list, which may increase the risk.
> >
> >         Lizhong,
> >
> >         Implementations know the port(s) upon which they send MPLS
> >         Self-ping traffic. They can configure ACLs on that port or those
> >         ports. ACLs can protect dynamic ports, so long as they are
> >         predictable.
> >
> >         [Lizhong] Yes, it is possible to install ACL rules every time
> >         MPLS self-ping is initiated. That is different from the original
> >         implementation, which is a static ACL rule with a well-known port. So
> >         it is better to describe how to reduce the risk of DoS if MPLS
> >         self-ping is implemented.
> >
> >         Lizhong
> >
> >         Ron
> >
> >
> >
> > _______________________________________________
> > mpls mailing list
> > mpls@ietf.org
> > https://www.ietf.org/mailman/listinfo/mpls
> >
> 
> --
> 
> 
> Loa Andersson                        email: loa@mail01.huawei.com
> Senior MPLS Expert                          loa@pi.nu
> Huawei Technologies (consultant)     phone: +46 739 81 21 64
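
The ACL discussion above, as an added example that is not part of the thread or of the draft: a toy first-match control-plane ACL evaluated against constructed packets. It assumes a router address from the documentation range (192.0.2.1), a provisioned Self-ping port of 60000 taken from the RFC 6335 dynamic range, and (an assumption the page does not state) that Self-ping packets are sourced by the ingress router to itself, so any other source hitting that port can be dropped. The last case shows Lizhong's point: a run that picks a fresh port the static ACL does not know about falls through to the default instead of being filtered.

```python
# Added example, not code from draft-bonica-mpls-self-ping or the mpls thread.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Port ranges as RFC 6335 defines them (quoted in the thread).
WELL_KNOWN = range(0, 1024)
USER = range(1024, 49152)
DYNAMIC = range(49152, 65536)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # CIDR; None matches any source
    dst: Optional[str] = None    # CIDR; None matches any destination
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(acl: List[Rule], p: Packet, default: str = "permit") -> str:
    """First matching rule wins; `default` applies when no rule matches."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return default


def self_ping_acl(router_addr: str, port: int) -> List[Rule]:
    """Static ACL for one provisioned Self-ping port.

    Assumption (not stated on the page): Self-ping packets are addressed by
    the ingress LSR to itself, so the router's own address is the only
    legitimate source. Everything else aimed at that port is denied.
    """
    if port not in DYNAMIC:
        raise ValueError(f"port {port} is outside the RFC 6335 dynamic range")
    host = f"{router_addr}/32"
    return [
        Rule("permit", proto="udp", src=host, dst=host, dport=port),
        Rule("deny", proto="udp", dst=host, dport=port),
    ]


def demo() -> dict:
    """Evaluate three constructed packets against the static ACL."""
    router = "192.0.2.1"          # constructed; RFC 5737 documentation range
    acl = self_ping_acl(router, 60000)
    legit = Packet(router, router, "udp", 60000, 60000)
    spoofed = Packet("198.51.100.7", router, "udp", 60000, 60000)
    # A run that chose a different dynamic port: the static ACL has no rule
    # for it, so the packet is neither permitted nor denied by the ACL.
    fresh_port = Packet("198.51.100.7", router, "udp", 52345, 52345)
    return {
        "legit": evaluate(acl, legit),
        "spoofed": evaluate(acl, spoofed),
        "unpredictable_port": evaluate(acl, fresh_port),
    }


if __name__ == "__main__":
    print(demo())
```

The `default="permit"` in `evaluate` models a control plane whose other traffic is handled by rules outside this snippet; with a deny-by-default policy the unpredictable-port case would be dropped along with everything else legitimate, which is exactly why an implementation that re-selects the port on every run is hard to protect with a static ACL.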