Re: [mpls] Kathleen Moriarty's Discuss on draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)

Mach Chen <mach.chen@huawei.com> Sat, 10 October 2015 02:40 UTC

From: Mach Chen <mach.chen@huawei.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Thread-Topic: Kathleen Moriarty's Discuss on draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)
Date: Sat, 10 Oct 2015 02:40:04 +0000
Message-ID: <F73A3CB31E8BE34FA1BBE3C8F0CB2AE28B60CB82@SZXEMA510-MBX.china.huawei.com>
References: <20150929151503.2931.97454.idtracker@ietfa.amsl.com> <F73A3CB31E8BE34FA1BBE3C8F0CB2AE28B606E58@SZXEMA510-MBX.china.huawei.com> <562A4F65-2A63-4D75-BCF6-6F6ECC77CC41@gmail.com> <F73A3CB31E8BE34FA1BBE3C8F0CB2AE28B606F0D@SZXEMA510-MBX.china.huawei.com> <CAHbuEH7WetBik3eJtUB1yyQSTRazpLimLhDov48Kym9miFrJsQ@mail.gmail.com> <F73A3CB31E8BE34FA1BBE3C8F0CB2AE28B60A73E@SZXEMA510-MBX.china.huawei.com> <CAHbuEH7MZ1tVK_XbpkrqE+4MpLcCZ9pSOxeP9dR=Hvk4MvUnwA@mail.gmail.com>
In-Reply-To: <CAHbuEH7MZ1tVK_XbpkrqE+4MpLcCZ9pSOxeP9dR=Hvk4MvUnwA@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/mpls/w9nWVCUwJg2bBXs_9PqsFyi9pMc>
Cc: "mpls@ietf.org" <mpls@ietf.org>, "draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org" <draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org>, "draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org" <draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org>, "mpls-chairs@ietf.org" <mpls-chairs@ietf.org>, "draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org" <draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org>, The IESG <iesg@ietf.org>, "rcallon@juniper.net" <rcallon@juniper.net>
Subject: Re: [mpls] Kathleen Moriarty's Discuss on draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)

Hi Kathleen, Alvaro, Stephen and others,

Many thanks for your valuable comments and suggestions!

We have uploaded the version-05 that addresses all the comments received so far, please take a look at it.

Best regards,
Mach

PS: 
https://tools.ietf.org/html/draft-ietf-mpls-lsp-ping-reply-mode-simple-05


> -----Original Message-----
> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
> Sent: Friday, October 09, 2015 2:11 AM
> To: Mach Chen
> Cc: The IESG; draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org;
> mpls-chairs@ietf.org; draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org;
> draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org; rcallon@juniper.net;
> mpls@ietf.org
> Subject: Re: Kathleen Moriarty's Discuss on
> draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)
> 
> On Wed, Oct 7, 2015 at 10:34 PM, Mach Chen <mach.chen@huawei.com>
> wrote:
> > Hi Kathleen,
> >
> > Sorry for the delayed response, just returned from the National Day Holidays!
> >
> > We will upload the updated document that addresses all received DISCUSS
> > and comments so far.
> 
> Thank you, I'll look for the update to come through.  I hope you enjoyed your
> holidays!
> Kathleen
> 
> 
> >
> > Thanks,
> > Mach
> >
> >> -----Original Message-----
> >> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
> >> Sent: Thursday, October 01, 2015 12:12 AM
> >> To: Mach Chen
> >> Cc: The IESG;
> >> draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org;
> >> mpls-chairs@ietf.org;
> >> draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org;
> >> draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org;
> >> rcallon@juniper.net; mpls@ietf.org
> >> Subject: Re: Kathleen Moriarty's Discuss on
> >> draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)
> >>
> >> On Tue, Sep 29, 2015 at 11:13 PM, Mach Chen <mach.chen@huawei.com>
> >> wrote:
> >> > Hi Kathleen,
> >> >
> >> > Thanks for your prompt response!
> >> >
> >> > Please see my reply inline...
> >> >
> >> >> -----Original Message-----
> >> >> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
> >> >> Sent: Wednesday, September 30, 2015 10:39 AM
> >> >> To: Mach Chen
> >> >> Cc: The IESG;
> >> >> draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org;
> >> >> mpls-chairs@ietf.org;
> >> >> draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org;
> >> >> draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org;
> >> >> rcallon@juniper.net; mpls@ietf.org
> >> >> Subject: Re: Kathleen Moriarty's Discuss on
> >> >> draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)
> >> >>
> >> >> Hi,
> >> >>
> >> >> Thanks for suggesting text quickly to address this.  Inline
> >> >>
> >> >> Sent from my iPhone
> >> >>
> >> >> > On Sep 29, 2015, at 10:28 PM, Mach Chen <mach.chen@huawei.com>
> >> >> wrote:
> >> >> >
> >> >> > Hi Kathleen,
> >> >> >
> >> >> > Thanks for reviewing the draft and the suggestion!
> >> >> >
> >> >> > Regarding the DISCUSS, how about the following update?
> >> >> >
> >> >> > OLD:
> >> >> > Beyond those specified in [RFC4379] and [RFC7110], there are no
> >> >> > further security measures required.
> >> >> >
> >> >> > NEW:
> >> >> > Those security considerations specified in [RFC4379] and
> >> >> > [RFC7110] apply for this document.
> >> >> > In addition, this document introduces the Reply Mode Order TLV.
> >> >> > It provides a new way for an unauthorized source to gather more network
> >> >> > information, especially the potential return path(s) information
> >> >> > of an LSP. To protect against unauthorized sources using MPLS echo
> >> >> > request messages with the Reply Mode Order TLV to obtain network
> >> >> > information, similar to [RFC4379], it is RECOMMENDED that
> >> >> > implementations provide a means of checking the source addresses
> >> >> > of MPLS echo request messages against an access list before
> >> >> > accepting the message.
> >> >>
> >> >> If the message is not encrypted, this content is still exposed
> >> >> potentially, right?
> >> >
> >> > Yes, but it is exposed within the MPLS domain.
> >> >
> >> >> This helps, but also mentioning lack of confidentiality protection
> >> >> might be helpful too.
> >> >
> >> > I'm not sure whether this issue is specific to this document, seems
> >> > this is a common issue for MPLS OAM and control plane.
> >> >
> >> > If this is a concern, how about adding the following text:
> >> > "
> >> > Another potential security issue is that the MPLS echo request and
> >> >    reply messages are not encrypted, the content of the MPLS echo
> >> >    request and reply messages may be potentially exposed. Although the
> >> >    exposure is within the MPLS domain, if such exposure is a concern,
> >> >    some encryption mechanisms may be employed.
> >> > "
> >>
> >> This additional text puts in the caveat that you are concerned with
> >> and limits the scope to the MPLS domain, so I think that is helpful
> >> on both fronts.  The two combined would cover any additional
> >> considerations for this draft nicely, thank you.
> >>
> >> Please let me know when the updated text has been incorporated and I
> >> will clear.
> >>
> >> Thanks,
> >> Kathleen
> >> >
> >> > Best regards,
> >> > Mach
> >> >
> >> >>
> >> >> Thank you,
> >> >> Kathleen
> >> >>
> >> >> >
> >> >> >
> >> >> > Best regards,
> >> >> > Mach
> >> >> >
> >> >> >
> >> >> >> -----Original Message-----
> >> >> >> From: Kathleen Moriarty
> >> >> >> [mailto:Kathleen.Moriarty.ietf@gmail.com]
> >> >> >> Sent: Tuesday, September 29, 2015 11:15 PM
> >> >> >> To: The IESG
> >> >> >> Cc:
> >> >> >> draft-ietf-mpls-lsp-ping-reply-mode-simple.shepherd@ietf.org;
> >> >> >> mpls-chairs@ietf.org;
> >> >> >> draft-ietf-mpls-lsp-ping-reply-mode-simple@ietf.org;
> >> >> >> draft-ietf-mpls-lsp-ping-reply-mode-simple.ad@ietf.org;
> >> >> >> rcallon@juniper.net; mpls@ietf.org
> >> >> >> Subject: Kathleen Moriarty's Discuss on
> >> >> >> draft-ietf-mpls-lsp-ping-reply-mode-simple-04: (with DISCUSS)
> >> >> >>
> >> >> >> Kathleen Moriarty has entered the following ballot position for
> >> >> >> draft-ietf-mpls-lsp-ping-reply-mode-simple-04: Discuss
> >> >> >>
> >> >> >> When responding, please keep the subject line intact and reply
> >> >> >> to all email addresses included in the To and CC lines. (Feel
> >> >> >> free to cut this introductory paragraph, however.)
> >> >> >>
> >> >> >>
> >> >> >> Please refer to
> >> >> >> https://www.ietf.org/iesg/statement/discuss-criteria.html
> >> >> >> for more information about IESG DISCUSS and COMMENT positions.
> >> >> >>
> >> >> >>
> >> >> >> The document, along with other ballot positions, can be found here:
> >> >> >> https://datatracker.ietf.org/doc/draft-ietf-mpls-lsp-ping-reply-mode-simple/
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> ----------------------------------------------------------------------
> >> >> >> DISCUSS:
> >> >> >> ----------------------------------------------------------------------
> >> >> >>
> >> >> >> This should be easy to resolve.  Since this draft adds a new
> >> >> >> capability to include the return path, this provides another
> >> >> >> attack vector to observe path information that could be part of
> >> >> >> reconnaissance gathering to later attack the network or path.
> >> >> >> While the referenced RFC4379 mentions the following in the
> >> >> >> security considerations section:
> >> >> >>
> >> >> >>   The third is an
> >> >> >>   unauthorized source using an LSP ping to obtain information about the
> >> >> >>   network.
> >> >> >>
> >> >> >> The equivalent should be added for this new capability in this
> >> >> >> draft, since now it's possible to gather the path information
> >> >> >> from the new feature.
> >> >> >
> >>
> >>
> >>
> >> --
> >>
> >> Best regards,
> >> Kathleen
> 
> 
> 
> --
> 
> Best regards,
> Kathleen
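The source-address check the proposed Security Considerations text recommends, as an added example that is not code from the draft or from anyone in this thread: it walks the RFC 4379 TLV area (2-octet Type, 2-octet Length, value padded to a 4-octet boundary), accepts an MPLS echo request only when its source matches an access list, and records whether a rejected request carried the Reply Mode Order TLV so the event can be logged as reconnaissance. The TLV type code, the access list and the sample TLV bytes are placeholders constructed here, not values from the draft.

```python
import ipaddress
import struct

# Placeholder for the Reply Mode Order TLV type code; the thread does not give
# the registered value, so this is an assumed constant, not the real one.
REPLY_MODE_ORDER_TLV_TYPE = 0xFFFF

# Constructed access list of sources allowed to send MPLS echo requests.
ACCESS_LIST = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("2001:db8::/32")]


def parse_tlvs(payload: bytes):
    """Return [(type, value), ...] from an RFC 4379 TLV area.

    Each TLV is Type (2 octets), Length (2 octets, value length without
    padding) and Value, with the value padded to a multiple of 4 octets.
    Raises ValueError if a TLV claims more bytes than are present."""
    tlvs = []
    off = 0
    while off + 4 <= len(payload):
        tlv_type, length = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + length > len(payload):
            raise ValueError("truncated TLV")
        tlvs.append((tlv_type, payload[off:off + length]))
        off += (length + 3) & ~3  # skip value plus padding to 4-octet boundary
    return tlvs


def echo_request_policy(src_ip: str, tlv_area: bytes, access_list):
    """Decide whether to accept an echo request; returns (accept, reason).

    Unauthorized sources are rejected before the message is processed, and the
    reason notes when the rejected request asked for return-path information
    via the Reply Mode Order TLV."""
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in access_list):
        return True, "source authorized"
    present = {tlv_type for tlv_type, _ in parse_tlvs(tlv_area)}
    if REPLY_MODE_ORDER_TLV_TYPE in present:
        return False, "Reply Mode Order TLV from unauthorized source"
    return False, "unauthorized source"


# Constructed sample TLV area: a 1-octet TLV of type 3 (padded to 4 octets)
# followed by a 2-octet placeholder Reply Mode Order TLV (padded to 4 octets).
SAMPLE_TLV_AREA = (
    struct.pack("!HH", 3, 1) + b"\x01" + b"\x00" * 3
    + struct.pack("!HH", REPLY_MODE_ORDER_TLV_TYPE, 2) + b"\x05\x02" + b"\x00" * 2
)
```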