Re: [mpls] Kathleen Moriarty's Discuss on draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)

Mach Chen <mach.chen@huawei.com> Wed, 30 September 2015 03:13 UTC

From: Mach Chen <mach.chen@huawei.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Thread-Topic: Kathleen Moriarty's Discuss on draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)
Thread-Index: AQHQ+smnXGeV7WAYuE6rs4dLRLhHFZ5UWBhg//9+moCAAIfXwA==
Date: Wed, 30 Sep 2015 03:13:06 +0000
Message-ID: <F73A3CB31E8BE34FA1BBE3C8F0CB2AE28B606F0D@SZXEMA510-MBX.china.huawei.com>
References: <20150929151503.2931.97454.idtracker@ietfa.amsl.com> <F73A3CB31E8BE34FA1BBE3C8F0CB2AE28B606E58@SZXEMA510-MBX.china.huawei.com> <562A4F65-2A63-4D75-BCF6-6F6ECC77CC41@gmail.com>
In-Reply-To: <562A4F65-2A63-4D75-BCF6-6F6ECC77CC41@gmail.com>
Accept-Language: en-US, zh-CN
Content-Language: zh-CN
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/mpls/uedq1FeMXReGxGKS5WTIJ_nzoug>
Cc: "mpls@ietf.org" <mpls@ietf.org>, "draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org" <draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org>, "draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org" <draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org>, "mpls-chairs@ietf.org" <mpls-chairs@ietf.org>, "draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org" <draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org>, The IESG <iesg@ietf.org>, "rcallon@juniper.net" <rcallon@juniper.net>
Subject: Re: [mpls] Kathleen Moriarty's Discuss on draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Sep 2015 03:13:20 -0000

Hi Kathleen,

Thanks for your prompt response!

Please see my reply inline...

> -----Original Message-----
> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
> Sent: Wednesday, September 30, 2015 10:39 AM
> To: Mach Chen
> Cc: The IESG; draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org;
> mpls-chairs@ietf.org; draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org;
> draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org; rcallon@juniper.net;
> mpls@ietf.org
> Subject: Re: Kathleen Moriarty's Discuss on
> draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)
> 
> Hi,
> 
> Thanks for suggesting text quickly to address this.  Inline
> 
> Sent from my iPhone
> 
> > On Sep 29, 2015, at 10:28 PM, Mach Chen <mach.chen@huawei.com> wrote:
> >
> > Hi Kathleen,
> >
> > Thanks for reviewing the draft and the suggestion!
> >
> > Regarding the DISCUSS, how about the following update?
> >
> > OLD:
> > Beyond those specified in [RFC4379] and [RFC7110], there are no further
> > security measures required.
> >
> > NEW:
> > Those security considerations specified in [RFC4379] and [RFC7110] apply for
> > this document.
> > In addition, this document introduces the Reply Mode Order TLV. It provides a
> > new way for an unauthorized source to gather more network information,
> > especially the potential return path(s) information of an LSP. To protect against
> > unauthorized sources using MPLS echo request messages with the Reply Mode
> > Order TLV to obtain network information, similar to [RFC4379], it is
> > RECOMMENDED that implementations provide a means of checking the source
> > addresses of MPLS echo request messages against an access list before
> > accepting the message.
> 
> If the message is not encrypted, this content is still exposed potentially, right?

Yes, but it is exposed within the MPLS domain. 

> This helps, but also mentioning lack of confidentiality protection might be
> helpful too.

I'm not sure whether this issue is specific to this document; it seems this is a common issue for MPLS OAM and the control plane.

If this is a concern, how about adding the following text:
"
Another potential security issue is that the MPLS echo request and
reply messages are not encrypted, so the content of the MPLS echo
request and reply messages may potentially be exposed. Although the
exposure is within the MPLS domain, if such exposure is a concern,
some encryption mechanisms may be employed.
"

Best regards,
Mach

> 
> Thank you,
> Kathleen
> 
> >
> >
> > Best regards,
> > Mach
> >
> >
> >> -----Original Message-----
> >> From: Kathleen Moriarty [mailto:Kathleen.Moriarty.ietf@gmail.com]
> >> Sent: Tuesday, September 29, 2015 11:15 PM
> >> To: The IESG
> >> Cc: draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org;
> >> mpls-chairs@ietf.org;
> >> draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org;
> >> draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org;
> >> rcallon@juniper.net; mpls@ietf.org
> >> Subject: Kathleen Moriarty's Discuss on
> >> draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)
> >>
> >> Kathleen Moriarty has entered the following ballot position for
> >> draft-ietf-mpls-lsp-ping-reply-mode-simple-04: Discuss
> >>
> >> When responding, please keep the subject line intact and reply to all
> >> email addresses included in the To and CC lines. (Feel free to cut
> >> this introductory paragraph, however.)
> >>
> >>
> >> Please refer to
> >> https://www.ietf.org/iesg/statement/discuss-criteria.html
> >> for more information about IESG DISCUSS and COMMENT positions.
> >>
> >>
> >> The document, along with other ballot positions, can be found here:
> >> https://datatracker.ietf.org/doc/draft-ietf-mpls-lsp-ping-reply-mode-simple/
> >>
> >>
> >>
> >> ----------------------------------------------------------------------
> >> DISCUSS:
> >> ----------------------------------------------------------------------
> >>
> >> This should be easy to resolve.  Since this draft adds a new
> >> capability to include the return path, this provides another attack
> >> vector to observe path information that could be part of
> >> reconnaissance gathering to later attack the network or path.  While
> >> the referenced RFC4379 mentions the following in the security
> >> considerations section:
> >>
> >>   The third is an
> >>   unauthorized source using an LSP ping to obtain information about the
> >>   network.
> >>
> >> The equivalent should be added for this new capability in this draft,
> >> since now it's possible to gather the path information from the new feature.
> >
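As an added illustration of the access-list check that the proposed security-considerations text above recommends (this is example code written for this page; it is not from the draft, from either participant, or from any router implementation): a small Python filter that parses the RFC 4379 echo message header and TLV chain, rejects malformed messages, and drops echo requests whose source address is outside a constructed allow list, recording whether the dropped request carried the Reply Mode Order TLV, since that is the message that can disclose return-path information. The TLV type number (22) and the TLV value layout (one octet per reply mode) are assumptions made for the example and are marked as such in the code; the access list and the sample packet are constructed, not captured.

```python
"""Access-list check for MPLS echo requests (RFC 4379 LSP ping).

Added example for this thread; not code from the draft, its authors or any vendor.
"""
import ipaddress
import struct
from typing import List, Tuple

# RFC 4379 fixed echo header: 32 octets precede the TLVs.
# version, global flags, message type, reply mode, return code, return subcode,
# sender's handle, sequence number, timestamp sent (s, us), timestamp received (s, us)
ECHO_HDR = struct.Struct("!HHBBBBIIIIII")
MSG_ECHO_REQUEST = 1
MSG_ECHO_REPLY = 2

# ASSUMPTION: TLV type number used here for the Reply Mode Order TLV. The thread
# does not state it; confirm against the IANA LSP ping TLV registry before relying on it.
REPLY_MODE_ORDER_TLV_TYPE = 22

# Constructed access list: sources permitted to send echo requests to this node.
ACCESS_LIST = [ipaddress.ip_network("10.0.0.0/8")]


def parse_echo_message(payload: bytes) -> dict:
    """Parse the fixed header and the TLV chain; raise ValueError on truncation."""
    if len(payload) < ECHO_HDR.size:
        raise ValueError("short MPLS echo header")
    f = ECHO_HDR.unpack_from(payload, 0)
    msg = {"version": f[0], "msg_type": f[2], "reply_mode": f[3], "tlvs": []}
    off = ECHO_HDR.size
    while off < len(payload):
        if len(payload) - off < 4:
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack_from("!HH", payload, off)
        value = payload[off + 4: off + 4 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("truncated TLV value")
        msg["tlvs"].append((tlv_type, value))
        off += 4 + tlv_len + (-tlv_len % 4)  # RFC 4379: TLVs are padded to 4-octet alignment
        if off > len(payload):
            raise ValueError("TLV padding truncated")
    return msg


def check_echo_request(src_ip: str, payload: bytes, access_list: list) -> Tuple[bool, str]:
    """Return (accept, reason). Only echo requests are subject to the source check."""
    try:
        msg = parse_echo_message(payload)
    except ValueError as exc:
        return False, "malformed: %s" % exc
    if msg["msg_type"] != MSG_ECHO_REQUEST:
        return True, "not an echo request; source check does not apply"
    src = ipaddress.ip_address(src_ip)
    # ASSUMPTION: the Reply Mode Order TLV value is one octet per reply mode.
    asks_for_return_paths = any(t == REPLY_MODE_ORDER_TLV_TYPE for t, _ in msg["tlvs"])
    if not any(src in net for net in access_list):
        detail = " (carried Reply Mode Order TLV)" if asks_for_return_paths else ""
        return False, "source %s not in access list%s" % (src, detail)
    return True, "source %s permitted" % src


def build_echo_request(reply_mode: int, tlvs: List[Tuple[int, bytes]]) -> bytes:
    """Constructed echo request carrying the given TLVs (sample data, not a capture)."""
    hdr = ECHO_HDR.pack(1, 0, MSG_ECHO_REQUEST, reply_mode, 0, 0, 0x1234, 1, 0, 0, 0, 0)
    body = b""
    for tlv_type, value in tlvs:
        body += struct.pack("!HH", tlv_type, len(value)) + value + b"\x00" * (-len(value) % 4)
    return hdr + body


# Constructed sample: Reply Mode Order TLV listing reply modes 4 then 2
# (RFC 4379 values: 4 = application-level control channel, 2 = IPv4/IPv6 UDP).
SAMPLE_REQUEST = build_echo_request(2, [(REPLY_MODE_ORDER_TLV_TYPE, bytes([4, 2]))])

if __name__ == "__main__":
    for src in ("10.1.1.1", "192.0.2.7"):
        print(src, check_echo_request(src, SAMPLE_REQUEST, ACCESS_LIST))
    print("truncated", check_echo_request("10.1.1.1", SAMPLE_REQUEST[:37], ACCESS_LIST))
```

The check runs before any TLV is acted on, which is the point of the proposed text: an unauthorised source never gets a reply that reveals which return paths the responder would use, and the log reason records that a return-path query was refused so operators can see reconnaissance-style probing.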