Re: [OSPF] Stephen Farrell's No Objection on draft-ietf-ospf-te-metric-extensions-09: (with COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 05 January 2015 15:05 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: ospf@ietfa.amsl.com
Delivered-To: ospf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87F271A8A3B; Mon, 5 Jan 2015 07:05:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dzpB2Eky2AxT; Mon, 5 Jan 2015 07:05:08 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D7601A8A3D; Mon, 5 Jan 2015 07:05:07 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 34920BEBC; Mon, 5 Jan 2015 15:05:05 +0000 (GMT)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mWfybWc_kiFQ; Mon, 5 Jan 2015 15:05:05 +0000 (GMT)
Received: from [134.226.36.180] (stephen-think.dsg.cs.tcd.ie [134.226.36.180]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id EE5E5BEB1; Mon, 5 Jan 2015 15:05:04 +0000 (GMT)
Message-ID: <54AAA820.5040000@cs.tcd.ie>
Date: Mon, 05 Jan 2015 15:05:04 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: John E Drake <jdrake@juniper.net>, "Acee Lindem (acee)" <acee@cisco.com>, "adrian@olddog.co.uk" <adrian@olddog.co.uk>, 'The IESG' <iesg@ietf.org>
References: <20150104020718.29256.7059.idtracker@ietfa.amsl.com> <00d301d02802$60ed8990$22c89cb0$@olddog.co.uk> <D0D008E5.B001%acee@cisco.com> <BLUPR05MB5622DD9BB73D19F1C1268E0C7580@BLUPR05MB562.namprd05.prod.outlook.com>
In-Reply-To: <BLUPR05MB5622DD9BB73D19F1C1268E0C7580@BLUPR05MB562.namprd05.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ospf/B-IsjqH1Xemsuk0rwS_wIdh8Ams
Cc: "ospf@ietf.org" <ospf@ietf.org>, "ospf-chairs@tools.ietf.org" <ospf-chairs@tools.ietf.org>, "draft-ietf-ospf-te-metric-extensions.all@tools.ietf.org" <draft-ietf-ospf-te-metric-extensions.all@tools.ietf.org>
Subject: Re: [OSPF] Stephen Farrell's No Objection on draft-ietf-ospf-te-metric-extensions-09: (with COMMENT)
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ospf/>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Jan 2015 15:05:13 -0000
Thanks all and sorry for being nitty:-) S On 05/01/15 15:00, John E Drake wrote: > Acee, > > I will take care of Stephen's nits and add the references you mention > to the Security Considerations. > > Yours Irrespectively, > > John > >> -----Original Message----- From: OSPF >> [mailto:ospf-bounces@ietf.org] On Behalf Of Acee Lindem (acee) >> Sent: Monday, January 05, 2015 9:51 AM To: adrian@olddog.co.uk; >> 'Stephen Farrell'; 'The IESG' Cc: ospf@ietf.org; >> ospf-chairs@tools.ietf.org; draft-ietf-ospf-te-metric- >> extensions.all@tools.ietf.org Subject: Re: [OSPF] Stephen Farrell's >> No Objection on draft-ietf-ospf-te- metric-extensions-09: (with >> COMMENT) >> >> Hi Stephen, Adrian, >> >> On 1/4/15, 4:39 AM, "Adrian Farrel" <adrian@olddog.co.uk> wrote: >> >>> Hi Stephen, >>> >>> I'd like the authors and shepherd to pitch in, but... >>> >>>> - I'd have thought that these TLVs would be sent more often >>>> than others, and that (if enormous amounts of money are in >>>> play) then use of OSPF authentication might be more likely >>>> needed (or some equivalent security mechanisms). I'd even >>>> speculate that if enormous amounts of money are in play, then >>>> confidentiality may become a requirement (since if I can >>>> observe say A bit settings then that might give me insight into >>>> traffic levels - sort of a lights burning at night in central >>>> bank implies interest-rate change attack). Can you say why none >>>> of that needs to be mentioned at all? Was any of that >>>> considered by the WG? (Can you send a relevant link to the >>>> archive?) >>> >>> I think you are raising two points: 1. Are the TLVs sent more >>> often than others and what are the implications? 2. What can be >>> learned from sniffing these TLVs? >>> >>> To the first point, I don't think they are sent more often than >>> other TE TLVs. Indeed metrics for loss and delay may be more >>> stable than others, and Section 5 addresses measurement intervals >>> and projects that on to announcement thresholds. >>> >>> So the risk is that changes in bandwidth availability will cause >>> rapid or frequent announcement of those metrics. However, just >>> like the original bandwidth metrics, implementations apply >>> thresholds so that small changes don't trigger re-announcement in >>> order to avoid stressing the >> network. >>> Section 6 discusses this. >>> >>> Thus, I think we can discard 1. >> >> >> Agreed. This is covered in sections 5 and 6. >> >>> >>> The second point is important: you can find out a lot about a >>> network by sniffing the IGP, and if your plan is to understand >>> the state of your competitor's network or to find the week spots >>> to attack, then this is a powerful tool. But in this matter I >>> would argue that these no TLVs are no more sensitive than other, >>> pre-existing TLVs, although (of course) the more TLVs, the more >>> information is available to be sniffed. >>> >>> So, the question is how do we protect IGP information as it is >>> advertised within a network. There are four elements: - IGP >>> information is retained within an administrative domain. - If a >>> router is compromised it has access to all of the information and >>> there is nothing we can do. - If a node attempts to join a >>> network to access the information it will be unknown and will not >>> be able to peer. - If a link is sniffed (which is a somewhat more >>> sophisticated attack) protection relies on encryption of the >>> messages most probably at layer 2, but potentially at IP (which >>> is an option for OSPF) or within the OSPF messages themselves. >>> >>> I think all of this is just "IGP security as normal", was >>> discussed by KARP, and is everyday business for network >>> operators. >> >> >> I agree. I can¹t see that delay/loss would be more sensitive than >> reachability information. I guess the premise is that one might >> want to target better for links for DDoS attacks? I do not recall >> this coming up in the discussions on either the OSPF or ISIS lists >> (there is an ISIS draft advertising the same TLVs). >> >> >>> >>> [snip] >>> >>>> - The security considerations of RFC 3630, from 2003, is 11 >>>> lines long. Has nothing affected OSPF security in the last >>>> decade+ that would be worth noting here? >>> >>> That is a good point. There is plenty of newer security work. >> >> This should include RFC 6863 for analysis, RFC 5709 for protection, >> and draft-ietf-ospf-security-extension-manual-keying-11 for >> protection. John? >> >> Thanks, Acee >> >> >>> >>> Adrian >>> >> >> _______________________________________________ OSPF mailing list >> OSPF@ietf.org https://www.ietf.org/mailman/listinfo/ospf >
- [OSPF] Stephen Farrell's No Objection on draft-ie… Stephen Farrell
- Re: [OSPF] Stephen Farrell's No Objection on draf… Adrian Farrel
- Re: [OSPF] Stephen Farrell's No Objection on draf… Stephen Farrell
- Re: [OSPF] Stephen Farrell's No Objection on draf… John E Drake
- Re: [OSPF] Stephen Farrell's No Objection on draf… Acee Lindem (acee)
- Re: [OSPF] Stephen Farrell's No Objection on draf… Stephen Farrell
- Re: [OSPF] Stephen Farrell's No Objection on draf… John E Drake