Re: [OSPF] Adrian Farrel's Discuss on draft-ietf-ospf-ospfv3-autoconfig-13: (with DISCUSS and COMMENT)
"Adrian Farrel" <adrian@olddog.co.uk> Mon, 02 February 2015 20:30 UTC
Return-Path: <adrian@olddog.co.uk>
X-Original-To: ospf@ietfa.amsl.com
Delivered-To: ospf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A1611A8AD7; Mon, 2 Feb 2015 12:30:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lyGKZTEXXePU; Mon, 2 Feb 2015 12:30:50 -0800 (PST)
Received: from asmtp1.iomartmail.com (asmtp1.iomartmail.com [62.128.201.248]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 063C11A8AD4; Mon, 2 Feb 2015 12:30:47 -0800 (PST)
Received: from asmtp1.iomartmail.com (localhost.localdomain [127.0.0.1]) by asmtp1.iomartmail.com (8.13.8/8.13.8) with ESMTP id t12KUih0014665; Mon, 2 Feb 2015 20:30:44 GMT
Received: from 950129200 (089144232000.atnat0041.highway.a1.net [89.144.232.0]) (authenticated bits=0) by asmtp1.iomartmail.com (8.13.8/8.13.8) with ESMTP id t12KUfc0014648 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Mon, 2 Feb 2015 20:30:42 GMT
From: Adrian Farrel <adrian@olddog.co.uk>
To: 'Jari Arkko' <jari.arkko@piuha.net>
References: <20150201194420.2776.10244.idtracker@ietfa.amsl.com> <6B702F75-EBF5-4427-A4C7-E561AEEB1AF9@piuha.net>
In-Reply-To: <6B702F75-EBF5-4427-A4C7-E561AEEB1AF9@piuha.net>
Date: Mon, 02 Feb 2015 20:30:41 -0000
Message-ID: <016001d03f27$1ebd20d0$5c376270$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQE+4XTVDJ86kLnHVb5GPlGlOEIyNwHc1cUEnfGVBoA=
Content-Language: en-gb
X-TM-AS-MML: disable
X-TM-AS-Product-Ver: IMSS-7.1.0.1576-7.5.0.1018-21300.002
X-TM-AS-Result: No--27.351-10.0-31-10
X-imss-scan-details: No--27.351-10.0-31-10
X-TMASE-MatchedRID: 8HTFlOrbAtGnykMun0J1wi2EzAlnB8oRLi2dwKiMR9ye9toQ6h6LE7y+ AbgLgbEprICr+5uCDzDLjGt7P0LPoU5GqmwdJt7CbMGKOuLn5FXj5lyuq8IOQVnDUAu1mqvNBQ2 kKVIynPAx3b0UBmLVttf7imMs6Bd8falnNvZDQnypV166Tst6tJZ6zKu0q4rt10wPNIuvyi+E56 XP4AVSc8on/eu0nLWZtlYlTTNZdz80NWoXn4NXTp3iEJrvFJmhE21NSmBqEKcUl9bvAS7WQBmzb knjanDfkKqwFPZQ4OCLFwHgeCEHJMmhusiWudICbQ9aoPSmWJGgo7yEQ1t1y3e9QDr8+LTcFdsi 1cqiGAwpYtwcKJmmRst9TbsDC1cyGesUQyhGzGguLk8NfSpYeh0PsyMp50OO6I5wrkPkhsaeMls z0QP1EX61eUOVbbs1fa5RHTTKNaHv1qcON0saDxIRh9wkXSlFYY0tNGdvli1FRkv0B4bwgvrg7l MowIm8GqTtGcghBlX3c89Q9YhL5AewcbdwAgnWc+QhWKJM04NwvHbihvLS1SG8WMGwsRk0XCwa8 arbuf5Zb+4arbnC9s9fuxSQqqSyVgtvnWpD9FOGwT67eecJ8EDwlkRNC6PCymP/1piI/6EhQ14n IbdImAVqOeU33dGZyZdvoLpmnXX0GGSQQaBfEcRS0pbiOfKbSipwJQ5yg7qVEMx1gSjhQNmNxQG 4f7tnRL/fhGgICgmvAp6H0nQgYriapZUOrFu0VF7yOiu4q2m+JGWINXafLCbVQ7VtNJwd079j1E wNbJQa1vxMG/WVN/3d1Pjm2VqyE2Px0QhWm3SeAiCmPx4NwLTrdaH1ZWqCpvI8UZOf47jUZxEAl FPo846HM5rqDwqtlExlQIQeRG0=
Archived-At: <http://mailarchive.ietf.org/arch/msg/ospf/7Gbp9xu8Lbwm4KbDRpKIq2SUigo>
Cc: ospf@ietf.org, ospf-chairs@tools.ietf.org, 'Ing-Wher Chen' <ing-wher.chen@ericsson.com>, 'The IESG' <iesg@ietf.org>, draft-ietf-ospf-ospfv3-autoconfig.all@tools.ietf.org
Subject: Re: [OSPF] Adrian Farrel's Discuss on draft-ietf-ospf-ospfv3-autoconfig-13: (with DISCUSS and COMMENT)
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: adrian@olddog.co.uk
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ospf/>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Feb 2015 20:30:52 -0000
Hi Jari, Thanks for engaging! I've cut down to the open issues. Recall that Comments are just for you and your AD to think about. Adrian > > Does this document really update 5340? > > There is no mention of what this update is or why it is considered a > > part of the standard implementation of OSPFv3 to include the features > > described in this document. > > > > I suggest either dropping the update or clarifying how it works. > > I am fine with dropping the update. I think the original reason for updating > was to be considered as a part of basic functionality. In retrospect, I am > not sure it is needed. Acee? I'd be OK with that. If you all *do* think that it was intended that this be considered part of the core function of OSPFv3, then clearly it is an update and some statements will be needed. > > I think that the effect of sections 4 and 8 is that auto-config as > > specified in this document is not suitable for deployment in service > > provider networks. Did I miss something, or are you saying that the > > best you offer is a single, network-wide password to cover all > > adjacencies? > > The document says in Section 4 (my emphasis): > > it is RECOMMENDED that OSPFv3 routers supporting this specification > *minimally offer an option* to explicitly configure a single password Perhaps this is an American thing? Are you saying that the text means that the implementations should include at least an option to configure a single password, but may include more security? I read it to mean that the implementations should include the minimal option of a single password (implying this or nothing). Perhaps a few more words would help clarify. However... > and Section 8: > > However, auto-configuration can also be combined with > password configuration (see Section 4) or future extensions for > automatic pairing between devices. These mechanisms can help provide > an automatically configured, securely routed network. I saw this and thought it was a classic dodge. "Yeah the security sucks, but a future extension might make it OK." From the perspective of this specification, that means that there isn't a mechanism for automatic security pairing so we must fall back on the other mechanisms when assessing the utility of the spec. > In deployments where stronger authentification or encryption is > required, OSPFv3 IPsec [OSPFV3-IPSEC] or stronger OSPFv3 > Authentication trailer [OSPFV3-AUTH-TRAILER] algorithms *MAY be used > at the expense of additional configuration*. The configuration and > operational description of such deployments is beyond the scope of > this document. > > I think the intent is that existing functionality is not removed. There is > a recommendation for a single-password simple version, but that > does not mean it is the only option. Of course, the additional security > configuration effort may make the situation such that auto configuration > as a whole is no longer worthwhile. Well, I read "The configuration and operational description of such deployments is beyond the scope of this document" to say that there is no description of how to use the mechanisms in this document combined with any better security than domain-wide password. And your note here seems to confirm the view that you might be in the position of either using autoconfig or using decent security, but not both. And that led to my Discuss point that this appears to make the solution inadvisable for SPs and larger enterprises. In other words it is predominately a homenet or small enterprise solution. That needs to be called out. Perhaps you don't need to go as far as making a statement about the target network, if you make a clearer statement about the level of security you can get with this solution. (see below) (BTW, lots of people would *really* like a carrier-class autoconfig solution.) > > If this is fine for the home network environment, you should be able to > > point at a homenet document that says so. > > > > If you agree that this is not fine for a service provider (and probably > > for most enterprises) you need to call this out more strongly and > > recommend limits on the applicability of this spec. > > Given the above, what words would you suggest? How about (in the Introduction) The solution described in this document is not consistent with advanced routing protocol security. Such per-peer security mechanisms require the manual configuration of security associations, and that configuration is in contrast to the objectives of this document to reduce per-router configuration. Although some security can be achieved by using common security credentials across a whole auto-configuration domain, that might not provide sufficient security for some deployment scenarios. Operators should carefully consider ther security requirements of their network before deploying the solution described in this document. > > Section 7.4. is titled: > > Change to RFC 2328 Section 13.4, 'Receiving Self-Originated LSAs' > > > > Are you really changing 2328? Or are you trying to say that an > > implementation of this spec will do something different from 2328? > > My understanding is that it is really is a difference. OK. Just wordsmith. It's only a Comment. > > I am wondering why the fact that you have a BGP peering on an interface > > configured to connect to an ISP would mean that you would want to run > > OSPFv3 on that interface. You are possibly saying that the interface, in > > that case, may need to be auto-configured and present in the OSPFv3 > > advertisements. But this is not what you have said. > > I think the rest of the paragraph are saying exactly the opposite, i.e., > NOT want to run OSPFv3 on that case. OK. Suggest you re-read the paragraph. The wording of the example implies that opposite of the example will be true, but that is not the message you seem to want to deliver. It's only a Comment. > > Section 2 bullet 4 > > > > Of course, an > > identical HelloInterval and RouterDeadInterval will still be > > required to form an adjacency with an OSPFv3 router not > > supporting auto-configuration [OSPFV3]. > > > > Of course, but how is this achieved? How does a router with auto-config > > determine that its neighbor does not have auto-config and then discover > > the correct intervals to use? > > > > I think you can detect that your neighor is not doing auto-config by the > > absence of the OSPFv3 Router Auto-Configuration LSA, but what should an > > auto-config router do once this has been detected? > > Not be auto configured on that interface? So you could say this? If a router attempting to perform auto-configuration as described in this document does not receive an OSPFv3 Router Auto-Configuration LSA from a peer, it MUST not attempt to bring the adjacency up, and MUST NOT advertise any links to that peer until manual configuration of the adjacency has been activated. It's only a Comment. Adrian
- [OSPF] Adrian Farrel's Discuss on draft-ietf-ospf… Adrian Farrel
- Re: [OSPF] Adrian Farrel's Discuss on draft-ietf-… Jari Arkko
- Re: [OSPF] Adrian Farrel's Discuss on draft-ietf-… Adrian Farrel
- Re: [OSPF] Adrian Farrel's Discuss on draft-ietf-… Acee Lindem (acee)