Re: [mpls] Kathleen Moriarty's Discuss on draft-ietf-mpls-entropy-lsp-ping-04: (with DISCUSS)

kathleen.moriarty.ietf@gmail.com Thu, 01 September 2016 12:02 UTC

From: kathleen.moriarty.ietf@gmail.com
In-Reply-To: <8F81FCBF-8233-4ECA-86DC-8B7D2981C04F@cisco.com>
Date: Thu, 01 Sep 2016 08:02:33 -0400
Message-Id: <5777F150-E019-4C0F-A4D9-A784BD8E15C0@gmail.com>
References: <147249876362.19041.12556734351955536494.idtracker@ietfa.amsl.com> <8F81FCBF-8233-4ECA-86DC-8B7D2981C04F@cisco.com>
To: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mpls/qzQvUCz_-uikJV7F-RdAk9PhNFg>
Cc: "draft-ietf-mpls-entropy-lsp-ping@ietf.org" <draft-ietf-mpls-entropy-lsp-ping@ietf.org>, The IESG <iesg@ietf.org>, "mpls@ietf.org" <mpls@ietf.org>, mpls-chairs <mpls-chairs@ietf.org>
Subject: Re: [mpls] Kathleen Moriarty's Discuss on draft-ietf-mpls-entropy-lsp-ping-04: (with DISCUSS)
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>

Hi Carlos,

Thanks for adding a few sentences on this.  Let me know when you have text to review.

Thanks,
Kathleen 

Sent from my iPhone

> On Aug 31, 2016, at 11:04 PM, Carlos Pignataro (cpignata) <cpignata@cisco.com> wrote:
> 
> Hi Kathleen,
> 
>> On Aug 29, 2016, at 3:26 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
>> 
>> Kathleen Moriarty has entered the following ballot position for
>> draft-ietf-mpls-entropy-lsp-ping-04: Discuss
>> 
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>> 
>> 
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>> 
>> 
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-mpls-entropy-lsp-ping/
>> 
>> 
>> 
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>> 
>> The description of what is added in this draft in the Security
>> Considerations section is good, but aren't there additional security
>> considerations (risks) with this addition?
> 
> Thanks for the review and question, see below.
> 
>> 
>> This document extends the LSP Ping and Traceroute mechanisms to
>>  discover and exercise ECMP paths when an LSP uses ELI/EL in the label
>>  stack.  Additional processing is required for responder and initiator
>>  nodes.  The responder node that pushes ELI/EL will need to compute
>>  and return multipath data including associated EL.  The initiator
>>  node will need to store and handle both IP multipath and label
>>  multipath information, and include destination IP addresses and/or
>>  ELs in MPLS echo request packets as well as in multipath information
>>  sent to downstream nodes. 
>> 
>> BTW, the above is a nice description that would have been nice to see
>> sooner in the text.
>> The draft then says:
>> 
>> This document does not itself introduce
>>  any new security considerations.
>> 
>> Isn't there anything that should be said about risks with the extended
>> capabilities to discover and exercise ECMP paths?  Does this help network
>> reconnaissance?  Does it help attackers to have this additional
>> information?  If it doesn't, please explain why and that will clear up
>> this discuss or adding text would be good.
> 
> I think that sentence oversimplifies a bit. Even the additional processing can result in security considerations, although in this case it is quite incremental on top of the baseline existing processing of LSP Ping. We can clarify a bit.
> 
> Further, RFC 4379 already allows for a faster network reconnaissance with the DDMAP and tree trace functionality as compared to brute force exercising all paths, but it does not mention it. This does the same also for when there’s ELI/EL.
> 
> It really does not help attackers any other way.
> 
> We will add some text covering these two things.
> 
> Thanks!
> 
> — Carlos.
> 
>> Thanks.
>