Re: [mpls] Spencer Dawkins' No Objection on draft-ietf-mpls-self-ping-05: (with COMMENT)

Ronald Bonica <rbonica@juniper.net> Fri, 16 October 2015 15:44 UTC

From: Ronald Bonica <rbonica@juniper.net>
To: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Fri, 16 Oct 2015 15:44:05 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/mpls/sWL7q1cgc4OtqXnISKDtKbA58Y8>
Cc: "mpls@ietf.org" <mpls@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>

Hi Spence,

I guess you deserve a better answer ;-)

In LSP Self-ping, the ingress LSR:

- Formats a packet addressed to itself
- Sends the packet through the LSP under test
- Waits for the packet to return to it

The ingress LSR is both the producer and consumer of the packet.

In an earlier version of the draft, the ingress LSR selected a UDP port from the dynamic range (49152-65535). Implementations could pick a single port and use it all the time or pick a port for each LSP Self-ping session. However, if an implementation did this, it would be difficult to identify and filter LSP Self-ping packets at the domain edge. So, the WG decided to put all LSP Self-ping traffic on UDP port 8503, so it could be easily identified and filtered.

Ron
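A small model of the behaviour described in this thread, added here as an illustration and not code from the draft or from any implementation: the ingress LSR opens a session with an unpredictable Session-ID, sends a UDP/8503 packet addressed to itself, and accepts a returning packet only if it carries a live Session-ID; a separate domain-edge rule drops UDP/8503 arriving from outside the domain. The payload layout (a bare 64-bit Session-ID), the addresses and the prefixes are assumptions made for the example.

```python
import ipaddress
import secrets
import struct

LSP_SELF_PING_PORT = 8503   # IANA-assigned port discussed in the thread
SESSION_ID_BITS = 64        # assumed Session-ID width for this example


class IngressLSR:
    """Tracks outstanding LSP Self-ping sessions on the ingress LSR."""

    def __init__(self, own_addr):
        self.own_addr = ipaddress.ip_address(own_addr)
        self.outstanding = {}   # Session-ID -> name of the LSP under test
        self.rejected = 0       # forged, stale or malformed packets seen

    def open_session(self, lsp_name):
        # Session-IDs come from a CSPRNG, not a counter, so a forged
        # message cannot guess the ID of a session in progress.
        sid = secrets.randbits(SESSION_ID_BITS)
        self.outstanding[sid] = lsp_name
        return sid

    def build_message(self, sid):
        # The packet is addressed to the ingress LSR itself and carries
        # only the Session-ID (assumed payload layout, big-endian).
        return (str(self.own_addr), LSP_SELF_PING_PORT, struct.pack("!Q", sid))

    def receive(self, src_addr, dst_addr, dst_port, payload):
        """Return the LSP name if the packet closes a live session, else None."""
        if dst_port != LSP_SELF_PING_PORT or len(payload) != 8:
            self.rejected += 1
            return None
        if ipaddress.ip_address(dst_addr) != self.own_addr:
            self.rejected += 1
            return None
        (sid,) = struct.unpack("!Q", payload)
        lsp = self.outstanding.pop(sid, None)   # unknown ID: forged or stale
        if lsp is None:
            self.rejected += 1
        return lsp


def edge_filter(src_addr, dst_port, domain_prefixes):
    """Domain-edge rule: drop UDP/8503 unless it originates inside the domain."""
    src = ipaddress.ip_address(src_addr)
    inside = any(src in ipaddress.ip_network(p) for p in domain_prefixes)
    return "accept" if dst_port != LSP_SELF_PING_PORT or inside else "drop"
```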

From: Spencer Dawkins at IETF [mailto:spencerdawkins.ietf@gmail.com]
Sent: Thursday, October 15, 2015 5:44 PM
To: Ronald Bonica <rbonica@juniper.net>
Cc: mpls@ietf.org; iesg@ietf.org
Subject: Re: [mpls] Spencer Dawkins' No Objection on draft-ietf-mpls-self-ping-05: (with COMMENT)

Hi, Ron,

On Thu, Oct 15, 2015 at 4:14 PM, Ronald Bonica <rbonica@juniper.net> wrote:
Hi Spencer,

Thanks for your thoughtful review.

In the Security Considerations section, you will find the following text:

"LSP Self-ping messages are easily forged.  Therefore, an attacker can send the ingress LSR a forged LSP Self-ping message, causing the ingress LSR to terminate the LSP Self-ping session prematurely.  In order to mitigate these threats, implementations SHOULD NOT assign Session-ID's in a predictable manner. Furthermore, operators SHOULD filter LSP Self-ping packets at network ingress points."

The assignment of all LSP Self-ping traffic to UDP Port 8503 facilitates the above-mentioned filtering.

You were answering a different question than the one I was asking (I was thinking of collisions on port numbers), but you provided an answer that makes my question go away.

Good job! Were you once an AD?

;-)

Spencer

Ron


------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> I was looking at
>
>    o  The UDP Destination Port MUST be lsp-self-ping (8503) [IANA.PORTS]
>
> and wondering why this is a MUST. Is the answer that this mechanism works
> within an administrative domain, so you can just tell the other end what the
> port number needs to be?
>