Re: [mpls] MPLS-RT review of draft-bonica-mpls-self-ping

"Lizhong Jin" <lizho.jin@gmail.com> Fri, 13 March 2015 02:26 UTC

From: Lizhong Jin <lizho.jin@gmail.com>
To: 'Ronald Bonica' <rbonica@juniper.net>, 'mpls-chairs' <mpls-chairs@tools.ietf.org>, 'draft-bonica-mpls-self-ping' <draft-bonica-mpls-self-ping@tools.ietf.org>, 'mpls-ads' <mpls-ads@tools.ietf.org>
Date: Fri, 13 Mar 2015 10:26:49 +0800
Archived-At: <http://mailarchive.ietf.org/arch/msg/mpls/nCwaJV5wQvINAhtZExs7ep5FHxU>
Cc: 'mpls' <mpls@ietf.org>

Ron,

Got it, thanks for the clarification. Yes, it is better to make it explicit.

Regards

Lizhong


From: Ronald Bonica [mailto:rbonica@juniper.net] 
Sent: 13 March 2015 8:34
To: lizho.jin@gmail.com; mpls-chairs; draft-bonica-mpls-self-ping; mpls-ads
Cc: mpls
Subject: RE: MPLS-RT review of draft-bonica-mpls-self-ping

Lizhong,

I think that we are misunderstanding each other’s words.

RFC 6335 divides UDP ports into the following ranges:

- Well-known (0-1023)
- User (1024-49151)
- Dynamic (49152-65535)

The draft says that the UDP source and destination ports will be selected from the dynamic range. It *does not* say that UDP port numbers will be selected dynamically.

When writing the draft, I was assuming that a typical implementation selects a port from the dynamic range and sends all MPLS Self-ping traffic to that port. Therefore, the user could provision an ACL for that port.

I *was not* assuming that the application would select a different port each time that it ran MPLS-ping. This would make it very difficult to ACL MPLS Self-ping traffic.

If you like, I can make that assumption explicit in the draft.

Ron

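The distinction Ron draws (a port taken from the dynamic range but fixed per implementation, versus a port chosen afresh each run) is what decides whether a static ACL can protect Self-ping traffic. The following is an added illustration in Python, not code from the draft or from any implementation; the ACL policy, port 55000 and the addresses are constructed for the example:

```python
"""Why a fixed, provisioned Self-ping port can be protected by a static ACL
while a port chosen afresh each run cannot (constructed model, not draft code)."""
from dataclasses import dataclass
import random

# RFC 6335 port ranges as Ron lists them.
WELL_KNOWN = range(0, 1024)
USER = range(1024, 49152)
DYNAMIC = range(49152, 65536)

def port_range(port: int) -> str:
    """Classify a UDP port into its RFC 6335 range."""
    for name, rng in (("well-known", WELL_KNOWN), ("user", USER), ("dynamic", DYNAMIC)):
        if port in rng:
            return name
    raise ValueError(f"not a UDP port: {port}")

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    proto: str = "udp"

def make_acl(self_ping_port: int, own_ips: set):
    """Static ACL (constructed policy): permit Self-ping only from the router's
    own addresses to the provisioned port; drop all other UDP aimed at the dynamic range."""
    def permit(pkt: Packet) -> bool:
        if pkt.proto != "udp":
            return True
        if pkt.dst_port == self_ping_port:
            return pkt.src_ip in own_ips
        return pkt.dst_port not in DYNAMIC
    return permit

def runs_surviving_static_acl(permit, own_ip: str, choose_port, runs=100, seed=1) -> int:
    """Count the Self-ping runs whose returning packet the static ACL lets through."""
    rng = random.Random(seed)
    return sum(permit(Packet(own_ip, choose_port(rng))) for _ in range(runs))

PROVISIONED_PORT = 55000   # constructed; any port in the dynamic range would do
OWN_IP = "192.0.2.1"       # constructed; the ingress router's own address
acl = make_acl(PROVISIONED_PORT, {OWN_IP})

def fixed_port(rng):            # what Ron assumes a typical implementation does
    return PROVISIONED_PORT

def random_dynamic_port(rng):   # the behaviour Ron says he did not assume
    return rng.choice(DYNAMIC)

if __name__ == "__main__":
    print("fixed port, runs passing ACL:", runs_surviving_static_acl(acl, OWN_IP, fixed_port))
    print("per-run port, runs passing ACL:", runs_surviving_static_acl(acl, OWN_IP, random_dynamic_port))
```

With the fixed port every run passes the ACL while foreign UDP to the dynamic range is dropped; with a per-run port the same static ACL drops nearly every legitimate Self-ping, which is the operational difficulty Ron refers to.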

From: lizho.jin@gmail.com [mailto:lizho.jin@gmail.com]
Sent: Thursday, March 12, 2015 10:21 AM
To: Ronald Bonica; mpls-chairs; draft-bonica-mpls-self-ping; mpls-ads
Cc: mpls
Subject: RE: MPLS-RT review of draft-bonica-mpls-self-ping


For section 6, originally the ingress could identify the LSP ping packet by its well-known UDP port and configure an ACL rule to reduce the risk of attack. But now it is more difficult to filter the packet with an access list, which may increase the risk.

Lizhong,

Implementations know the port(s) upon which they send MPLS Self-ping traffic. They can configure ACLs on that port or those ports. ACLs can protect dynamic ports, so long as they are predictable.

[Lizhong] Yes, it is possible to install ACL rules every time MPLS self-ping is initiated. That is different from the original implementation, which is a static ACL rule with a well-known port. So it is better to describe how to reduce the risk of DoS if MPLS self-ping is implemented.

Lizhong

Ron