Re: [OSPF] FYI on draft-kini-ospf-fast-notification-01

Sriganesh Kini <sriganesh.kini@ericsson.com> Wed, 30 March 2011 09:44 UTC


Hi Manav, see inline

On Wed, Mar 30, 2011 at 12:54 AM, Bhatia, Manav (Manav)
<manav.bhatia@alcatel-lucent.com> wrote:
> Hi Sri,
>
> This is regarding the point that I had raised yesterday - If the routers
> flood the "LSAs" in the data plane without verifying them, then we're
> leaving a hole open for DoS attacks, as any packet masquerading as a
> legitimate OSPF packet will get flooded on all routers. This is different
> from data packets flooding as these packets will be occupying the highest
> priority queues in the ingress, egress and the CPU.

Though control pkts (not restricted to FN) are given high priority, good
implementations use throttling mechanisms to prevent (D)DoS.
Root-causing of related alarms is also a high-priority operational
procedure.

>
> Second, what happens if the control packet is carrying an OSPF
> authentication digest? Would you still flood it without verifying the
> contents or would those be flooded regardless? I guess you said that it
> would be the former. If that's the case, then this is not easy to do in
> the HW as you would (i) need to parse the OSPF payload first to determine
> that it's carrying a digest, (ii) you would then need to verify it, which
> means you would be running HMAC-SHA in HW on the packet (given the Apad
> stuff that we have added in RFC 5709 I don't think you can easily do this in
> HW), (iii) once the digest is verified you would need to flood it out on all
> the valid OSPF interfaces.

What I said is that verification before flooding is also an option we
have considered (see draft-lu-fn-transport for details). In our
prototyping experience the overhead of verifying auth in HW was not
much. However we do recognize that this may not be true with all HW
and all auth methods. It may introduce more delays in FN delivery in
some architectures and implementations. So forwarding without
verifying could get better convergence times at the expense of the
invalid FN packet reaching more nodes. If a platform is capable of
verifying without introducing a lot of delay then it should definitely
do it and such a platform can mitigate the problem in the network
where other platforms may not verify before forwarding.
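The verify-before-flood step discussed above, as an added example that is not from the draft or from either author: RFC 5709 HMAC-SHA-256 verification of an OSPFv2 packet, including the Apad fill of the authentication trailer that Manav refers to. The header layout, Apad constant and key preparation follow RFC 2328 and RFC 5709; the Hello body, key, Key ID and sequence number are constructed sample values.

```python
import hashlib
import hmac
import struct

APAD_WORD = bytes.fromhex("878FE1F3")     # RFC 5709 Apad constant, repeated L/4 times
OSPF_HDR = struct.Struct("!BBHIIHHHBBI")  # 24-byte OSPFv2 header with the AuType=2 auth field

def rfc5709_digest(packet: bytes, key: bytes, hashfn=hashlib.sha256) -> bytes:
    """RFC 5709 trailer for `packet` (OSPFv2 header + body, trailer not included)."""
    L = hashfn().digest_size
    # Step 1, key preparation: Ko is exactly L octets (hash a long key, zero-pad a short one)
    ko = hashfn(key).digest() if len(key) > L else key.ljust(L, b"\x00")
    # Steps 2-3: trailer position is filled with Apad, then RFC 2104 HMAC keyed with Ko
    return hmac.new(ko, packet + APAD_WORD * (L // 4), hashfn).digest()

def verify_ospfv2_hmac(frame: bytes, keys: dict) -> bool:
    """True only if `frame` (packet + trailer) carries a valid HMAC-SHA-256 trailer.

    This is the check a node would have to pass before flooding; `keys` maps Key ID -> key.
    """
    if len(frame) < OSPF_HDR.size:
        return False
    (version, _ptype, plen, _rid, _aid, _csum, autype,
     _zero, key_id, auth_len, _seq) = OSPF_HDR.unpack_from(frame)
    if version != 2 or autype != 2:       # only Cryptographic authentication is handled here
        return False
    if plen < OSPF_HDR.size or len(frame) != plen + auth_len:
        return False
    key = keys.get(key_id)
    if key is None:                       # unknown Key ID: drop, never flood
        return False
    expected = rfc5709_digest(frame[:plen], key)
    # Constant-time compare; a length mismatch means a different hash algorithm was used
    return len(expected) == auth_len and hmac.compare_digest(expected, frame[plen:])

# Constructed Hello body: mask, hello interval, options, priority, dead interval, DR, BDR
SAMPLE_HELLO_BODY = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)

def build_ospfv2_packet(body: bytes, key_id: int, seq: int, key: bytes) -> bytes:
    """Constructed OSPFv2 Hello (type 1) from router 10.0.0.1 with an RFC 5709 trailer."""
    L = hashlib.sha256().digest_size
    header = OSPF_HDR.pack(2, 1, OSPF_HDR.size + len(body), 0x0A000001, 0, 0, 2, 0, key_id, L, seq)
    return header + body + rfc5709_digest(header + body, key)

if __name__ == "__main__":
    key = b"constructed-demo-key"
    pkt = build_ospfv2_packet(SAMPLE_HELLO_BODY, 1, 1, key)
    forged = pkt[:-1] + bytes([pkt[-1] ^ 0x01])   # genuine bytes with the last trailer byte flipped
    print("genuine:", verify_ospfv2_hmac(pkt, {1: key}), "forged:", verify_ospfv2_hmac(forged, {1: key}))
```

The cryptographic sequence number is parsed but not checked here; a deployed verifier would also apply the anti-replay rule on it before accepting the packet.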

>
> Cheers, Manav
>
> ________________________________
> From: ospf-bounces@ietf.org [mailto:ospf-bounces@ietf.org] On Behalf Of
> Sriganesh Kini
> Sent: Tuesday, March 29, 2011 9.20 PM
> To: ospf@ietf.org
> Subject: [OSPF] FYI on draft-kini-ospf-fast-notification-01
>
> Just an FYI to the list
>
> This draft
> http://tools.ietf.org/html/draft-kini-ospf-fast-notification-01 was
> presented at the OSPF WG mtg today.
>
> Thanks for the comments/questions at the mic. We will submit a new version
> addressing the comments.
>
> Note that the other drafts related to Fast Notification (FN) are
> draft-lu-fn-transport and draft-lu-fast-notification-framework. These were
> presented in RTGWG.
>
> Thanks
>
> - Sri

-- 
- Sri