Re: [mpls] MPLS-RT review of draft-bonica-mpls-self-ping

Loa Andersson <loa@pi.nu> Fri, 13 March 2015 03:02 UTC

Message-ID: <5502531C.40103@pi.nu>
Date: Fri, 13 Mar 2015 11:01:48 +0800
From: Loa Andersson <loa@pi.nu>
To: Ronald Bonica <rbonica@juniper.net>, "lizho.jin@gmail.com" <lizho.jin@gmail.com>, mpls-chairs <mpls-chairs@tools.ietf.org>, draft-bonica-mpls-self-ping <draft-bonica-mpls-self-ping@tools.ietf.org>, mpls-ads <mpls-ads@tools.ietf.org>
References: <54EC4776.5040402@pi.nu>, <2015031100220789189743@gmail.com>, <CO1PR05MB44294439D8B4C216054A1E5AE060@CO1PR05MB442.namprd05.prod.outlook.com> <201503122220311215427@gmail.com> <CO1PR05MB44255E38E0CB8D75B8B0B82AE070@CO1PR05MB442.namprd05.prod.outlook.com>
In-Reply-To: <CO1PR05MB44255E38E0CB8D75B8B0B82AE070@CO1PR05MB442.namprd05.prod.outlook.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/mpls/nLAk9swUDj8o2lusEFfMYqntguc>
Cc: mpls <mpls@ietf.org>
Subject: Re: [mpls] MPLS-RT review of draft-bonica-mpls-self-ping

Ron,

The MPLS-RT review spawned some discussion on access lists. I could not
remember what you said about access lists in the draft, so I checked. A
quick search for "access" and "ACL" found that you do not mention
access lists at all. Maybe you should after the discussion here.

/Loa

On 2015-03-13 08:34, Ronald Bonica wrote:
> Lizhong,
>
> I think that we are misunderstanding each other’s words.
>
> RFC 6335 divides UDP ports into the following ranges:
>
> -Well-known (0-1023)
>
> -User (1024-49151)
>
> -Dynamic (49152-65535)
>
> The draft says that the UDP source and destination ports will be
> selected from the dynamic range. It **does not** say that UDP port
> numbers will be selected dynamically.
>
> When writing the draft, I was assuming that a typical implementation
> selects a port from the dynamic range and sends all MPLS Self-ping
> traffic to that port. Therefore, the user could provision an ACL for
> that port.
>
> I **was not** assuming that the application would select a different
> port each time that it ran MPLS-ping. This would make it very difficult
> to ACL MPLS Self-ping traffic.
>
> If you like, I can make that assumption explicit in the draft.
>
> Ron
>
> *From:*lizho.jin@gmail.com [mailto:lizho.jin@gmail.com]
> *Sent:* Thursday, March 12, 2015 10:21 AM
> *To:* Ronald Bonica; mpls-chairs; draft-bonica-mpls-self-ping; mpls-ads
> *Cc:* mpls
> *Subject:* RE: MPLS-RT review of draft-bonica-mpls-self-ping
>
>     For section 6, originally ingress could identify the LSP ping packet
>     with well-known UDP port, and configure ACL rule to reduce risk of
>     attack. But now it is more difficult to filter the packet with
>     access list, which may increase the risk.
>
>         Lizhong,
>
>         Implementations know the port(s) upon which they send MPLS
>         Self-ping traffic. They can configure ACLs on that port or those
>         ports. ACLs can protect dynamic ports, so long as they are
>         predictable.
>
>         [Lizhong] yes, it is possible to install ACL rules every time
>         MPLS self-ping is initiated. That is different from the original
>         implementation, which is a static ACL rule with a well-known port.
>         So it is better to describe how to reduce the risk of DoS if MPLS
>         self-ping is implemented.
>
>         Lizhong
>
>         Ron
>
> _______________________________________________
> mpls mailing list
> mpls@ietf.org
> https://www.ietf.org/mailman/listinfo/mpls
>

-- 


Loa Andersson                        email: loa@mail01.huawei.com
Senior MPLS Expert                          loa@pi.nu
Huawei Technologies (consultant)     phone: +46 739 81 21 64
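The ACL argument in the thread, as an added model that is not from the thread or from draft-bonica-mpls-self-ping: the RFC 6335 ranges are the real ones, while the self-ping port values, the single-rule ACL and the sample packet address are constructed for the illustration. It compares an implementation that uses one provisioned port from the dynamic range for every run (what Ron assumes) with one that draws a fresh dynamic port per run (what Lizhong is concerned about), and shows that a static ACL only covers the first.

```python
"""Added illustration of the self-ping ACL discussion (not project code)."""
import random
from dataclasses import dataclass

# RFC 6335 UDP port ranges, as quoted in the thread.
RANGES = {"well-known": (0, 1023), "user": (1024, 49151), "dynamic": (49152, 65535)}

def port_range(port: int) -> str:
    """Return the RFC 6335 range name that a UDP port falls in."""
    for name, (lo, hi) in RANGES.items():
        if lo <= port <= hi:
            return name
    raise ValueError(f"invalid UDP port {port}")

@dataclass(frozen=True)
class Packet:
    src: str    # constructed sample source address
    proto: str  # "udp" for self-ping
    dport: int  # UDP destination port

def make_acl(self_ping_port: int):
    """Static permit rule for self-ping on one provisioned port.
    Assumption: the rule matches protocol and destination port only,
    and anything else is denied by default."""
    def permitted(pkt: Packet) -> bool:
        return pkt.proto == "udp" and pkt.dport == self_ping_port
    return permitted

def fixed_port_sender(port: int):
    """Implementation Ron describes: one port from the dynamic range, reused on every run."""
    if port_range(port) != "dynamic":
        raise ValueError("self-ping port must come from the dynamic range")
    return lambda: port

def per_run_port_sender(seed: int):
    """Implementation Lizhong worries about: a fresh dynamic-range port on every run."""
    rng = random.Random(seed)
    lo, hi = RANGES["dynamic"]
    return lambda: rng.randint(lo, hi)

def accepted_fraction(choose_port, acl, runs: int = 100) -> float:
    """Fraction of self-ping runs whose packet the static ACL would permit."""
    hits = sum(acl(Packet("192.0.2.1", "udp", choose_port())) for _ in range(runs))
    return hits / runs

if __name__ == "__main__":
    acl = make_acl(50000)  # constructed provisioned self-ping port
    print("fixed port  :", accepted_fraction(fixed_port_sender(50000), acl))
    print("per-run port:", accepted_fraction(per_run_port_sender(7), acl))
```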