[OSPF] Adrian Farrel's Discuss on draft-ietf-ospf-ospfv3-autoconfig-13: (with DISCUSS and COMMENT)
"Adrian Farrel" <adrian@olddog.co.uk> Sun, 01 February 2015 19:44 UTC
Return-Path: <adrian@olddog.co.uk>
X-Original-To: ospf@ietfa.amsl.com
Delivered-To: ospf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B60481A9123; Sun, 1 Feb 2015 11:44:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.2
X-Spam-Level:
X-Spam-Status: No, score=-99.2 tagged_above=-999 required=5 tests=[BAYES_50=0.8, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j5XBPMCevRdf; Sun, 1 Feb 2015 11:44:20 -0800 (PST)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D65D1A9118; Sun, 1 Feb 2015 11:44:20 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Adrian Farrel <adrian@olddog.co.uk>
To: The IESG <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 5.10.1.p2
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150201194420.2776.10244.idtracker@ietfa.amsl.com>
Date: Sun, 01 Feb 2015 11:44:20 -0800
Archived-At: <http://mailarchive.ietf.org/arch/msg/ospf/FMzZXMZdeYwf4OsCjD2W-jMy460>
Cc: ospf@ietf.org, ospf-chairs@tools.ietf.org, Ing-Wher Chen <ing-wher.chen@ericsson.com>, draft-ietf-ospf-ospfv3-autoconfig.all@tools.ietf.org
Subject: [OSPF] Adrian Farrel's Discuss on draft-ietf-ospf-ospfv3-autoconfig-13: (with DISCUSS and COMMENT)
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.15
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ospf/>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Feb 2015 19:44:23 -0000
Adrian Farrel has entered the following ballot position for draft-ietf-ospf-ospfv3-autoconfig-13: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: http://datatracker.ietf.org/doc/draft-ietf-ospf-ospfv3-autoconfig/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- I almost didn't place a Discuss on this document, but as my list of larger comments grew to four, I decided that together they merit some discussion and resolution. ==== Does this document really update 5340? There is no mention of what this update is or why it is considered a part of the standard implementation of OSPFv3 to include the features described in this document. I suggest either dropping the update or clarifying how it works. (Note that idnits should have flagged this to you, but the shepherd write-up says that this document doesn't change the status of any existing RFCs.) --- I think that the effect of sections 4 and 8 is that auto-config as specified in this document is not suitable for deployment in service provider networks. Did I miss something, or are you saying that the best you offer is a single, network-wide password to cover all adjacencies? If this is fine for the home network environment, you should be able to point at a homenet document that says so. If you agree that this is not fine for a service provider (and probably for most enterprises) you need to call this out more strongly and recommend limits on the applicability of this spec. --- Isn't the duplicate Router ID detection an attack vector? If I can inject an LSA purporting to be from the same Router ID but with a numerically larger router hardware fingerprint, I can cause some other router in the network to reset all of its adjacencies. In theory I can do this over and over, and I can do it automatically on receipt of an OSPFv3 Router Auto-Configuration LSA. I think you should at least call that out as a specific risk. Ideally, you would find a way to mitigate it. --- Section 7.4. is titled: Change to RFC 2328 Section 13.4, 'Receiving Self-Originated LSAs' Are you really changing 2328? Or are you trying to say that an implementation of this spec will do something different from 2328? ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- The remaining points are normal review Comments that you can take or leave as you wish: --- Section 1 has OSPFv3 [OSPFV3] is a candidate for deployments in environments where auto-configuration is a requirement. Its operation is largely unchanged from the base OSPFv3 protocol specification [OSPFV3]. If you parse this down, it says "OSPFv3 is largely unchanged from OSPFv3" which may not be as helpful as you intended it to be! Perhaps... OSPFv3 [OSPFV3] is a candidate for deployments in environments where auto-configuration is a requirement. This document describes extensions to OSPFv3 to enable it to operate in these environments. In this mode of operation, the protocol is largely unchanged from the base OSPFv3 protocol specification [OSPFV3]. --- Section 1 The following aspects of OSPFv3 auto-configuration are described: s/described:/described in this document:/ --- Section 1.2 Is there a reason to diverge fromt he RFC Editor's Style Guide in placing the Acknowledgements at the top of the document? --- Section 2 has 2. OSPFv3 SHOULD be auto-configured for IPv6 on all interfaces intended as general IPv6-capable routers. Optionally, an interface MAY be excluded if it is clear that running OSPFv3 on the interface is not required. For example, if manual configuration or another condition indicates that an interface is connected to an Internet Service Provider (ISP) and there is no Border Gateway Protocol (BGP) [BGP] peering, there is typically no need to employ OSPFv3. The first sentence is garbled since it says that an interface could be intended as a router. Do you mean... OSPFv3 SHOULD be auto-configured on all IPv6-capable interfaces of a router. "Optionally an interface MAY" is tautology. Suggest "An interface MAY". I am wondering why the fact that you have a BGP peering on an interface configured to connect to an ISP would mean that you would want to run OSPFv3 on that interface. You are possibly saying that the interface, in that case, may need to be auto-configured and present in the OSPFv3 advertisements. But this is not what you have said. --- Section 2 Can you point me to the spec for "vanilla Wi-Fi"? :-) --- Section 2 bullet 4 Of course, an identical HelloInterval and RouterDeadInterval will still be required to form an adjacency with an OSPFv3 router not supporting auto-configuration [OSPFV3]. Of course, but how is this achieved? How does a router with auto-config determine that its neighbor does not have auto-config and then discover the correct intervals to use? I think you can detect that your neighor is not doing auto-config by the absence of the OSPFv3 Router Auto-Configuration LSA, but what should an auto-config router do once this has been detected? --- Maybe it is obvious, but in the process of selecting a new Router ID in 7.3, the router MUST NOT select a value that it knows (through LSAs received before the duplicate was detected) is already in use in the network. It is even possible that the router SHOULD maintain some memory of Router IDs seen in the network recently so as to not pick an ID of a router that is temporarily down or disconnected. --- 7.2 The Router-Hardware-Fingerprint TLV contains a variable length value that has a very high probability of uniquely identifying the advertising OSPFv3 router. So, the first time you run live at a customer site, you know that the fingerprints will match on two devices and that they will both select the same Router ID. I think this is actually all OK so long as you indicate that this case will be handled as a self-originated LSA and include a forward-pointer to section 7.4. --- 7.2.1 The TLV is padded to 4-octet alignment; padding is not included in the length field (so a 3-octet value would have a length of 3, but the total size of the TLV would be 8 octets). Nested TLVs are also 32-bit aligned. Nice mixture of units :-) Why 32 bits when everything previous was in octets? --- 7.2.1 The new LSA is designated for information related to OSPFv3 Auto- configuration and, in the future, can be used other auto- configuration information. You already said that. --- 7.2.2 The Router-Hardware-Fingerprint TLV is the first TLV defined for the OSPFv3 Auto-Configuration (AC) LSA. It will have type 1 and MUST be advertised in the LSID OSPFv3 AC LSA with an LSID of 0. So, if absent... ? --- 7.2.2 The contents of the hardware fingerprint MUST be some combination of MAC addresses, CPU ID, or serial number(s) that provides an extremely high probability of uniqueness. It is RECOMMENDED that one or more available universal tokens (e.g., IEEE 802 48-bit MAC addresses or IEEE EUI-64 Identifiers [EUI64]) associated with the OSPFv3 router be included in the hardware fingerprint. It MUST be based on hardware attributes that will not change across hard and soft restarts. I think you mean... The contents of the hardware fingerprint MUST have an extremely high probability of uniqueness. It SHOULD be constructed from the concatenation of a number of local values that themselves have a high likelihood of uniqueness, such as MAC addresses, CPU ID, or serial numbers. It is RECOMMENDED that one or more available universal tokens (e.g., IEEE 802 48-bit MAC addresses or IEEE EUI-64 Identifiers [EUI64]) associated with the OSPFv3 router be included in the hardware fingerprint. It MUST be based on hardware attributes that will not change across hard and soft restarts. Although I am a little puzzled as to what would happen if I changed my MAC address. --- Is there a reason to allow IESG Approval for your new registry? Is this to make it look like all of the other OSPFv3 registries, or is it because you anticipate specific problems?
- [OSPF] Adrian Farrel's Discuss on draft-ietf-ospf… Adrian Farrel
- Re: [OSPF] Adrian Farrel's Discuss on draft-ietf-… Jari Arkko
- Re: [OSPF] Adrian Farrel's Discuss on draft-ietf-… Adrian Farrel
- Re: [OSPF] Adrian Farrel's Discuss on draft-ietf-… Acee Lindem (acee)