Re: Comments on draft-lindem-ospfv3-dest-filter-01.txt

Acee Lindem <acee@REDBACK.COM> Wed, 12 May 2004 02:28 UTC

Date: Tue, 11 May 2004 22:28:17 -0400
Reply-To: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
Sender: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
From: Acee Lindem <acee@REDBACK.COM>
Subject: Re: Comments on draft-lindem-ospfv3-dest-filter-01.txt
To: OSPF@PEACH.EASE.LSOFT.COM

Hi Mukesh,

Thanks much for reviewing the document.

----- Original Message -----
> From: <Mukesh.Gupta@NOKIA.COM>
> To: <OSPF@PEACH.EASE.LSOFT.COM>
> Sent: Tuesday, May 11, 2004 3:29 AM
> Subject: Comments on draft-lindem-ospfv3-dest-filter-01.txt
>

> Hi Anand/Acee,
>
> I finally got the chance to review the second version of
> the draft draft-lindem-ospfv3-dest-filter-01.txt.
>
> I don't have any objections about the draft but I am still
> not convinced about the usefulness of the solution.  Why
> couldn't someone just install some ACL rules to do the
> same.  Moreover, the solution does not work with the virtual
> links (I agree that they are not widely used but..).  I
> think, it is really an implementation detail about where
> to drop these packets.

It's true the same could be accomplished with one or more
ACL(s). However, if the same approach is taken for every
protocol/service one could end up having to configure and maintain
quite an extensive administrative ACL (i.e., an ACL applied to packets
to be delivered locally as opposed to all packets received on an interface).
One thing that started us thinking about the problem and the elegance of
simply rejecting all packets without a link-local destination was the OSPF
vulnerabilities work going on in the RPSEC group. With that work in mind, it
seemed natural to have a single mechanism built into OSPFv3. One could use
a knob (so you'd know whether or not virtual links could be configured) or simply
always have the check in force when no virtual links are configured at the
level of application. Finally, depending on the implementation and where/how
the ACL(s) is/are applied, this solution could be cheaper and simpler (I know I've
opened myself up to all of those who are going to tell me how well they've
implemented their ACLs ;^).

> Of course, I have no objection in
> publishing this as an informational or BCP.
>
> Editorial comments:
> - Every sentence should start with 2 spaces after the "."
>   (general rule about the IETF documents)

And I always thought this was a spacing mistake.
I'll fix it in this draft.

> - In the references section, the names should be listed
>   as "Gill, V., J. Heasley, and D. Meyer" (first author
>  is last-name first-initial and other authors are first-
>   initial last-name.)

Will fix this as well.

>- "This document is an Internet-Draft and is in full
>   conformance with all provisions of Section 10 of
>   RFC2026." is now "By submitting this Internet-Draft, I
>   certify that any applicable patent or other IPR claims
>   of which I am aware have been disclosed, and any of
>   which I become aware will be disclosed, in accordance
>   with RFC 3668."

Will add. To the best of my knowledge, there are no IPR
claims on this mechanism. We have no intention of making
any.

> - s/the propsed destination/the proposed destination
>   in section 2.1

Got it.

Thanks again,
Acee
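The destination check discussed above (reject OSPFv3 packets whose destination is not link-local, enforced only while no virtual links are configured), modelled as an added example that is not part of the thread or the draft; the packet list and the boolean "virtual links configured" knob are assumptions made here for illustration.

```python
import ipaddress

# OSPFv3 multicast destinations (AllSPFRouters, AllDRouters); these are the
# only non-unicast destinations an OSPFv3 router should deliver locally.
OSPF_MULTICAST = {
    ipaddress.IPv6Address("ff02::5"),
    ipaddress.IPv6Address("ff02::6"),
}


def check_destination(dst, virtual_links_configured=False):
    """Return (accept, reason) for one OSPFv3 packet's destination address.

    Link-local unicast and the OSPF multicast groups are always accepted.
    Global unicast is accepted only when the virtual-link knob is on, since
    virtual-link packets are the one case that uses global-scope addresses.
    """
    try:
        addr = ipaddress.IPv6Address(dst)
    except ValueError:
        return False, "not an IPv6 address"
    if addr in OSPF_MULTICAST:
        return True, "ospf multicast group"
    if addr.is_link_local:
        return True, "link-local unicast"
    if addr.is_multicast:
        return False, "non-OSPF multicast group"
    if virtual_links_configured:
        return True, "global unicast allowed for virtual links"
    return False, "non-link-local destination"


def filter_packets(packets, virtual_links_configured=False):
    """Apply the check to (src, dst) pairs; return (accepted, dropped) logs."""
    accepted, dropped = [], []
    for src, dst in packets:
        ok, reason = check_destination(dst, virtual_links_configured)
        (accepted if ok else dropped).append((src, dst, reason))
    return accepted, dropped


# Constructed sample traffic (assumption, not captured data): a Hello to
# AllSPFRouters, a link-local unicast, a packet aimed at a global address,
# and a packet to a non-OSPF multicast group.
SAMPLE = [
    ("fe80::a", "ff02::5"),
    ("fe80::a", "fe80::b"),
    ("2001:db8:1::9", "2001:db8::1"),
    ("fe80::c", "ff05::1"),
]
```

With the knob off, the third and fourth packets are dropped; with it on, only the non-OSPF multicast packet is dropped, which is the trade-off the thread describes for virtual links.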