Re: [mpls] MPLS-RT review of draft-bonica-mpls-self-ping

"lizho.jin@gmail.com" <lizho.jin@gmail.com> Thu, 12 March 2015 14:21 UTC


For section 6, originally the ingress could identify the LSP ping packet by its well-known UDP port and configure an ACL rule to reduce the risk of attack. But now it is more difficult to filter the packet with an access list, which may increase the risk.
 
Lizhong,
 
Implementations know the port(s) upon which they send MPLS Self-ping traffic. They can configure ACLs on that port or those ports. ACLs can protect dynamic ports, so long as they are predictable.

[Lizhong] Yes, it is possible to install ACL rules every time MPLS self-ping is initiated. That is different from the original implementation, which is a static ACL rule with a well-known port. So it is better to describe how to reduce the risk of DoS if MPLS self-ping is implemented.

Lizhong
 
Ron
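An added model of the two filtering approaches the thread contrasts (a static rule on the well-known LSP ping port versus a per-session rule installed and withdrawn with each self-ping session); this is illustrative code, not the draft's mechanism or either participant's implementation, and the loopback address, session ids and packets are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP/UDP packet arriving at the ingress LSR."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class SelfPingAclGuard:
    """Filter protecting the ingress loopback from unsolicited UDP.

    One static permit covers LSP ping on its well-known port. MPLS
    self-ping picks a port per session, so a permit is installed when
    a session starts and withdrawn when it ends (the dynamic-but-
    predictable port case); everything else to the loopback is denied.
    """
    loopback: str                      # constructed protected address
    lsp_ping_port: int = 3503          # well-known LSP ping UDP port
    active: dict = field(default_factory=dict)  # session id -> port

    def start_self_ping(self, session_id: str, port: int) -> None:
        if port in self.active.values():
            raise ValueError("port already reserved by a live session")
        self.active[session_id] = port   # install the dynamic permit

    def end_self_ping(self, session_id: str) -> None:
        self.active.pop(session_id, None)  # withdraw it with the session

    def decide(self, pkt: Packet) -> str:
        if pkt.dst != self.loopback or pkt.proto != "udp":
            return "permit"   # not traffic this guard is scoped to
        if pkt.dport == self.lsp_ping_port:
            return "permit"   # static rule
        if pkt.dport in self.active.values():
            return "permit"   # dynamic rule for a live session only
        return "deny"         # closed port: unsolicited probe


def demo() -> tuple:
    """Same probe before, during and after a self-ping session."""
    guard = SelfPingAclGuard(loopback="192.0.2.1")
    probe = Packet("198.51.100.9", "192.0.2.1", "udp", 40000)
    before = guard.decide(probe)
    guard.start_self_ping("lsp-A", 40000)
    during = guard.decide(probe)
    guard.end_self_ping("lsp-A")
    after = guard.decide(probe)
    return before, during, after
```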