Re: [mpls] Kathleen Moriarty's Discuss on draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)

Mach Chen <mach.chen@huawei.com> Thu, 08 October 2015 02:35 UTC

Return-Path: <mach.chen@huawei.com>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2A941B2F41; Wed, 7 Oct 2015 19:35:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ukufa057ivIL; Wed, 7 Oct 2015 19:35:05 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9CC7C1B2F4C; Wed, 7 Oct 2015 19:35:03 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml406-hub.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CCE97658; Thu, 08 Oct 2015 02:35:02 +0000 (GMT)
Received: from SZXEMA414-HUB.china.huawei.com (10.82.72.73) by lhreml406-hub.china.huawei.com (10.201.5.243) with Microsoft SMTP Server (TLS) id 14.3.235.1; Thu, 8 Oct 2015 03:35:01 +0100
Received: from SZXEMA510-MBX.china.huawei.com ([169.254.3.229]) by SZXEMA414-HUB.china.huawei.com ([10.82.72.73]) with mapi id 14.03.0235.001; Thu, 8 Oct 2015 10:34:56 +0800
From: Mach Chen <mach.chen@huawei.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Thread-Topic: Kathleen Moriarty's Discuss on draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)
Thread-Index: AQHQ+smnXGeV7WAYuE6rs4dLRLhHFZ5UWBhg//9+moCAAIfXwIAAW2CAgAwzrUA=
Date: Thu, 08 Oct 2015 02:34:56 +0000
Message-ID: <F73A3CB31E8BE34FA1BBE3C8F0CB2AE28B60A73E@SZXEMA510-MBX.china.huawei.com>
References: <20150929151503.2931.97454.idtracker@ietfa.amsl.com> <F73A3CB31E8BE34FA1BBE3C8F0CB2AE28B606E58@SZXEMA510-MBX.china.huawei.com> <562A4F65-2A63-4D75-BCF6-6F6ECC77CC41@gmail.com> <F73A3CB31E8BE34FA1BBE3C8F0CB2AE28B606F0D@SZXEMA510-MBX.china.huawei.com> <CAHbuEH7WetBik3eJtUB1yyQSTRazpLimLhDov48Kym9miFrJsQ@mail.gmail.com>
In-Reply-To: <CAHbuEH7WetBik3eJtUB1yyQSTRazpLimLhDov48Kym9miFrJsQ@mail.gmail.com>
Accept-Language: en-US, zh-CN
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.111.102.135]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <http://mailarchive.ietf.org/arch/msg/mpls/oj5dKscJkIDCHVp9iP89KB2dOjU>
Cc: "mpls@ietf.org" <mpls@ietf.org>, "draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org" <draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org>, "draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org" <draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org>, "mpls-chairs@ietf.org" <mpls-chairs@ietf.org>, "draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org" <draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org>, The IESG <iesg@ietf.org>, "rcallon@juniper.net" <rcallon@juniper.net>
Subject: Re: [mpls] Kathleen Moriarty's Discuss on draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Oct 2015 02:35:07 -0000

Hi Kathleen,

Sorry for the delayed response, just returned from the National Day Holidays!

We will upload the updated document that addresses all received DISSCUS and comments so far.

Thanks,
Mach

> -----Original Message-----
> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
> Sent: Thursday, October 01, 2015 12:12 AM
> To: Mach Chen
> Cc: The IESG; draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org;
> mpls-chairs@ietf.org; draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org;
> draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org; rcallon@juniper.net;
> mpls@ietf.org
> Subject: Re: Kathleen Moriarty's Discuss on
> draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)
> 
> On Tue, Sep 29, 2015 at 11:13 PM, Mach Chen <mach.chen@huawei.com>
> wrote:
> > Hi Kathleen,
> >
> > Thanks for your prompt response!
> >
> > Please see my reply inline...
> >
> >> -----Original Message-----
> >> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
> >> Sent: Wednesday, September 30, 2015 10:39 AM
> >> To: Mach Chen
> >> Cc: The IESG;
> >> draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org;
> >> mpls-chairs@ietf.org;
> >> draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org;
> >> draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org;
> >> rcallon@juniper.net; mpls@ietf.org
> >> Subject: Re: Kathleen Moriarty's Discuss on
> >> draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)
> >>
> >> Hi,
> >>
> >> Thanks for suggesting text quickly to address this.  Inline
> >>
> >> Sent from my iPhone
> >>
> >> > On Sep 29, 2015, at 10:28 PM, Mach Chen <mach.chen@huawei.com>
> >> wrote:
> >> >
> >> > Hi Kathleen,
> >> >
> >> > Thanks for reviewing the draft and the suggestion!
> >> >
> >> > Regarding the DISCUSS, how about the following update?
> >> >
> >> > OLD:
> >> > Beyond those specified in [RFC4379] and [RFC7110], there are no
> >> > further
> >> security measures required.
> >> >
> >> > NEW:
> >> > Those security considerations specified in [RFC4379] and [RFC7110]
> >> > apply for
> >> this document.
> >> > In addition, this document introduces the Reply Mode Order TLV. It
> >> > provides a
> >> new way for an unauthorized source to gather more network
> >> information, especially the potential return path(s) information of
> >> an LSP. To protect against unauthorized sources using MPLS echo
> >> request messages with the Reply Mode Order TLV to obtain network
> >> information, similar to [RFC4379], it is RECOMMENDED that
> >> implementations provide a means of checking the source addresses of
> >> MPLS echo request messages against an access list before accepting the
> message.
> >>
> >> If the message is not encrypted, this content is still exposed potentially,
> right?
> >
> > Yes, but it is exposed within the MPLS domain.
> >
> >> This helps, but also mentioning lack of confidentiality protection
> >> might be helpful too.
> >
> > I'm not sure whether this issue is specific to this document, seems this is a
> common issue for MPLS OAM and control plane.
> >
> > If this is a concern, how about adding the following text:
> > "
> > Another potential security issue is that the MPLS echo request and
> >    reply messages are not encrypted, the content of the MPLS echo
> >    request and reply messages may be potentially exposed. Although the
> >    exposure is within the MPLS domain, if such exposure is a concern,
> >    some encryption mechanisms may be employed.
> > "
> 
> This additional text puts int he caveat that you are concerned with and limits
> the scope to the MPLS domain, so I think that is helpful on both fronts.  The
> two combined would cover any additional considerations for this draft nicely,
> thank you.
> 
> Please let me know when the updated text has been incorporated and I will
> clear.
> 
> Thanks,
> Kathleen
> >
> > Best regards,
> > Mach
> >
> >>
> >> Thank you,
> >> Kathleen
> >>
> >> >
> >> >
> >> > Best regards,
> >> > Mach
> >> >
> >> >
> >> >> -----Original Message-----
> >> >> From: Kathleen Moriarty [mailto:Kathleen.Moriarty.ietf@gmail.com]
> >> >> Sent: Tuesday, September 29, 2015 11:15 PM
> >> >> To: The IESG
> >> >> Cc: draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org;
> >> >> mpls-chairs@ietf.org;
> >> >> draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org;
> >> >> draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org;
> >> >> rcallon@juniper.net; mpls@ietf.org
> >> >> Subject: Kathleen Moriarty's Discuss on
> >> >> draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)
> >> >>
> >> >> Kathleen Moriarty has entered the following ballot position for
> >> >> draft-ietf-mpls-lsp-ping-reply-mode-simple-04: Discuss
> >> >>
> >> >> When responding, please keep the subject line intact and reply to
> >> >> all email addresses included in the To and CC lines. (Feel free to
> >> >> cut this introductory paragraph, however.)
> >> >>
> >> >>
> >> >> Please refer to
> >> >> https://www.ietf.org/iesg/statement/discuss-criteria.html
> >> >> for more information about IESG DISCUSS and COMMENT positions.
> >> >>
> >> >>
> >> >> The document, along with other ballot positions, can be found here:
> >> >> https://datatracker.ietf.org/doc/draft-ietf-mpls-lsp-ping-reply-mo
> >> >> de-
> >> >> simple/
> >> >>
> >> >>
> >> >>
> >> >> ------------------------------------------------------------------
> >> >> ---
> >> >> -
> >> >> DISCUSS:
> >> >> ------------------------------------------------------------------
> >> >> ---
> >> >> -
> >> >>
> >> >> This should be easy to resolve.  SInce this draft adds a new
> >> >> capability to include the return path, this provides another
> >> >> attack vector to observe path information that could be part of
> >> >> reconnaissance gathering to later attack the network or path.
> >> >> While the referenced RFC4379 mentions the following in the
> >> >> security
> >> considerations section:
> >> >>
> >> >>   The third is an
> >> >>   unauthorized source using an LSP ping to obtain information about the
> >> >>   network.
> >> >>
> >> >> The equivalent should be added for this new capability in this
> >> >> draft, since now it's possible to gather the path information from the new
> feature.
> >> >
> 
> 
> 
> --
> 
> Best regards,
> Kathleen