Re: [mpls] Kathleen Moriarty's Discuss on draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)

Mach Chen <mach.chen@huawei.com> Wed, 30 September 2015 02:28 UTC

From: Mach Chen <mach.chen@huawei.com>
To: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, The IESG <iesg@ietf.org>
Cc: "mpls@ietf.org" <mpls@ietf.org>, "draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org" <draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org>, "mpls-chairs@ietf.org" <mpls-chairs@ietf.org>, "draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org" <draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org>, "draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org" <draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org>, "rcallon@juniper.net" <rcallon@juniper.net>
Date: Wed, 30 Sep 2015 02:28:02 +0000
Subject: Re: [mpls] Kathleen Moriarty's Discuss on draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)
Message-ID: <F73A3CB31E8BE34FA1BBE3C8F0CB2AE28B606E58@SZXEMA510-MBX.china.huawei.com>
In-Reply-To: <20150929151503.2931.97454.idtracker@ietfa.amsl.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/mpls/uZfRc_z9pEv98GRzZ5934WhgkQU>

Hi Kathleen,

Thanks for reviewing the draft and the suggestion!

Regarding the DISCUSS, how about the following update?

OLD:
Beyond those specified in [RFC4379] and [RFC7110], there are no further security measures required.

NEW:
Those security considerations specified in [RFC4379] and [RFC7110] apply for this document.
In addition, this document introduces the Reply Mode Order TLV. It provides a new way for an unauthorized source to gather more network information, especially the potential return path(s) information of an LSP. To protect against unauthorized sources using MPLS echo request messages with the Reply Mode Order TLV to obtain network information, similar to [RFC4379], it is RECOMMENDED that implementations provide a means of checking the source addresses of MPLS echo request messages against an access list before accepting the message.


Best regards,
Mach 


> -----Original Message-----
> From: Kathleen Moriarty [mailto:Kathleen.Moriarty.ietf@gmail.com]
> Sent: Tuesday, September 29, 2015 11:15 PM
> To: The IESG
> Cc: draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org;
> mpls-chairs@ietf.org; draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org;
> draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org; rcallon@juniper.net;
> mpls@ietf.org
> Subject: Kathleen Moriarty's Discuss on
> draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)
> 
> Kathleen Moriarty has entered the following ballot position for
> draft-ietf-mpls-lsp-ping-reply-mode-simple-04: Discuss
> 
> When responding, please keep the subject line intact and reply to all email
> addresses included in the To and CC lines. (Feel free to cut this introductory
> paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-mpls-lsp-ping-reply-mode-simple/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> This should be easy to resolve. Since this draft adds a new capability to
> include the return path, this provides another attack vector to observe path
> information that could be part of reconnaissance gathering to later attack the
> network or path.  While the referenced RFC4379 mentions the following in the
> security considerations section:
> 
>    The third is an
>    unauthorized source using an LSP ping to obtain information about the
>    network.
> 
> The equivalent should be added for this new capability in this draft, since now
> it's possible to gather the path information from the new feature.
> 
> 
>
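The proposed text above recommends that implementations check the source address of an MPLS echo request against an access list before accepting it, and singles out requests carrying the Reply Mode Order TLV because they can reveal return-path information. The following is an added example of what that gate can look like; it is not code from the draft, from RFC 4379 or RFC 7110, or from anyone in this thread. The message model is deliberately simplified (an echo request is just a source address plus a list of tagged TLVs), `REPLY_MODE_ORDER_TLV` is a placeholder tag rather than the IANA-assigned TLV type, the TLV payload bytes are constructed, and the two-tier policy (one access list for any echo request, a tighter one for requests that ask for return-path information) is this example's own design choice.

```python
"""Access-list gate for MPLS echo requests carrying a Reply Mode Order TLV.

Added example; not code from the draft, RFC 4379/7110 or this thread.
Simplifications (assumptions): an echo request is modelled as a source
address plus (tlv_type, value) pairs, REPLY_MODE_ORDER_TLV is a placeholder
tag (not the IANA TLV type), and the two-tier access-list policy is this
example's choice, not something the draft prescribes.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

REPLY_MODE_ORDER_TLV = "reply-mode-order"  # placeholder tag (assumption)


@dataclass
class AccessList:
    """Ordered, first-match list of (action, prefix) entries; default deny."""
    entries: List[Tuple[str, str]] = field(default_factory=list)

    def permits(self, src: str) -> bool:
        addr = ip_address(src)
        for action, prefix in self.entries:
            net = ip_network(prefix, strict=False)
            if addr.version == net.version and addr in net:
                return action == "permit"
        return False  # no entry matched: deny


@dataclass
class EchoRequest:
    src: str
    tlvs: List[Tuple[str, bytes]] = field(default_factory=list)

    def has_tlv(self, tlv_type: str) -> bool:
        return any(t == tlv_type for t, _ in self.tlvs)


@dataclass
class EchoRequestGate:
    echo_acl: AccessList         # who may send any echo request at all
    return_path_acl: AccessList  # who may additionally ask for return-path info
    dropped: Dict[str, int] = field(default_factory=dict)

    def check(self, msg: EchoRequest) -> Tuple[bool, str]:
        """Return (accept, reason). Run before any TLV is acted on, so a
        rejected request never results in an echo reply being built."""
        if not self.echo_acl.permits(msg.src):
            return self._drop("source not in echo access list")
        if msg.has_tlv(REPLY_MODE_ORDER_TLV) and not self.return_path_acl.permits(msg.src):
            return self._drop("source not permitted to request return-path information")
        return True, "accept"

    def _drop(self, reason: str) -> Tuple[bool, str]:
        # Per-reason drop counter: a rising count is a monitoring signal.
        self.dropped[reason] = self.dropped.get(reason, 0) + 1
        return False, reason


def demo() -> List[Tuple[bool, str]]:
    """Constructed sample policy and messages; returns the gate's decisions."""
    gate = EchoRequestGate(
        echo_acl=AccessList([("permit", "10.0.0.0/8"), ("permit", "2001:db8::/32")]),
        return_path_acl=AccessList([("deny", "10.0.99.0/24"), ("permit", "10.0.0.0/16")]),
    )
    payload = b"\x05\x02"  # constructed TLV value, not the wire encoding
    msgs = [
        EchoRequest("10.0.1.5"),                                   # plain request, inside
        EchoRequest("10.0.1.5", [(REPLY_MODE_ORDER_TLV, payload)]),  # inside, in tighter list
        EchoRequest("10.7.1.5", [(REPLY_MODE_ORDER_TLV, payload)]),  # inside, not in tighter list
        EchoRequest("10.0.99.9", [(REPLY_MODE_ORDER_TLV, payload)]), # explicitly denied subnet
        EchoRequest("192.0.2.10"),                                 # outside both lists
    ]
    return [gate.check(m) for m in msgs]


if __name__ == "__main__":
    for accepted, reason in demo():
        print("ACCEPT" if accepted else "DROP  ", reason)
```

The access list is evaluated first-match with an implicit deny at the end, which is the usual router ACL semantics; the order of entries therefore matters (the `deny` for `10.0.99.0/24` must precede the broader `permit`). Keeping the check ahead of all TLV processing is the point of "before accepting the message": a request from an unlisted source is never parsed far enough to learn anything about return paths.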