Re: [OSPF] FYI on draft-kini-ospf-fast-notification-01
"Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com> Wed, 30 March 2011 12:03 UTC
From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: Wenhu Lu <wenhu.lu@ericsson.com>, Sriganesh Kini <sriganesh.kini@ericsson.com>
Date: Wed, 30 Mar 2011 17:34:53 +0530
Cc: "ospf@ietf.org" <ospf@ietf.org>

Hi Wenhu,

I never asserted they would - If you claim to do auth verification in HW then you would presumably take care of this as well. I'm saying that either way you have an issue.

Cheers, Manav

________________________________
From: Wenhu Lu [mailto:wenhu.lu@ericsson.com]
Sent: Wednesday, March 30, 2011 5.31 PM
To: Bhatia, Manav (Manav); Sriganesh Kini
Cc: ospf@ietf.org
Subject: RE: [OSPF] FYI on draft-kini-ospf-fast-notification-01

Hi Manav,

How would the data-plane auth verification prevent such DoS attacks? Any replayed packets will go through.

Thanks, -wenhu

________________________________
From: ospf-bounces@ietf.org [mailto:ospf-bounces@ietf.org] On Behalf Of Bhatia, Manav (Manav)
Sent: Wednesday, March 30, 2011 12:55 AM
To: Sriganesh Kini
Cc: ospf@ietf.org
Subject: Re: [OSPF] FYI on draft-kini-ospf-fast-notification-01

Hi Sri,

This is regarding the point that I had raised yesterday - If the routers flood the "LSAs" in the data plane without verifying them, then we're leaving a hole open for DoS attacks, as any packet masquerading as a legitimate OSPF packet will get flooded on all routers. This is different from data packets flooding as these packets will be occupying the highest priority queues in both the ingress, egress and the CPU.

Second, what happens if the control packet is carrying an OSPF authentication digest? Would you still flood it without verifying the contents or would those be flooded regardless? I guess, you said that it would be the former. If that's the case, then this is not easy to do in the HW as you would

(i) need to parse the OSPF payload first to determine that it's carrying a digest
(ii) you would then need to verify it, which means you would be running HMAC-SHA in HW on the packet (given the Apad stuff that we have added in RFC5709 I don't think you can easily do this in HW)
(iii) once the digest is verified you would need to flood it out on all the valid OSPF interfaces.

Cheers, Manav

________________________________
From: ospf-bounces@ietf.org [mailto:ospf-bounces@ietf.org] On Behalf Of Sriganesh Kini
Sent: Tuesday, March 29, 2011 9.20 PM
To: ospf@ietf.org
Subject: [OSPF] FYI on draft-kini-ospf-fast-notification-01

Just an FYI to the list

This draft http://tools.ietf.org/html/draft-kini-ospf-fast-notification-01 was presented at the OSPF WG mtg today. Thanks for the comments/questions at the mic. We will submit a new version addressing the comments.

Note that the other drafts related to Fast Notification (FN) are draft-lu-fn-transport and draft-lu-fast-notification-framework. These were presented in RTGWG.

Thanks
- Sri
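
Added example, not part of the thread or of the draft: a Python model of steps (i) and (ii) from the message above, i.e. parsing the OSPFv2 header to see whether a digest is present and then verifying an HMAC-SHA-256 trailer computed over the packet with the trailer position filled with the RFC 5709 Apad value. The function names, the sample key and the rule that the cryptographic sequence number must strictly increase are assumptions of this example; it also shows that a digest check alone, without per-neighbor sequence state, accepts a byte-identical copy of an earlier packet.

```python
import hashlib
import hmac
import struct

APAD_WORD = bytes.fromhex("878FE1F3")  # RFC 5709 Apad word, repeated to digest length
HDR = struct.Struct("!BBH4s4sHHHBBI")  # 24-byte OSPFv2 header, cryptographic-auth layout


def prepare_key(key: bytes, hash_name: str) -> bytes:
    """Ko: exactly L octets, zero-padded if shorter, hashed if longer than L."""
    L = hashlib.new(hash_name).digest_size
    return hashlib.new(hash_name, key).digest() if len(key) > L else key.ljust(L, b"\0")


def digest(packet: bytes, key: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC over the OSPF packet followed by Apad in place of the trailer."""
    L = hashlib.new(hash_name).digest_size
    return hmac.new(prepare_key(key, hash_name), packet + APAD_WORD * (L // 4), hash_name).digest()


def build(key, key_id, seq, body, hash_name="sha256"):
    """Constructed sample sender: type 4 (LS Update), AuType 2, digest trailer."""
    L = hashlib.new(hash_name).digest_size
    hdr = HDR.pack(2, 4, HDR.size + len(body), bytes([10, 0, 0, 1]), bytes(4), 0, 2, 0, key_id, L, seq)
    return hdr + body + digest(hdr + body, key, hash_name)


def check(frame, keys, last_seq=None, hash_name="sha256"):
    """Steps (i)-(ii); 'ok' means the packet is eligible for step (iii), flooding."""
    if len(frame) < HDR.size:
        return "malformed"
    ver, typ, plen, rid, area, csum, autype, zero, key_id, alen, seq = HDR.unpack_from(frame)
    if autype != 2:
        return "no-digest"      # (i) parsing shows no cryptographic digest
    if plen < HDR.size or plen + alen != len(frame):
        return "malformed"      # the trailer sits after Packet Length octets
    if key_id not in keys:
        return "unknown-key"
    if not hmac.compare_digest(digest(frame[:plen], keys[key_id], hash_name), frame[plen:]):
        return "bad-digest"     # (ii) HMAC-SHA verification failed
    if last_seq is not None and seq <= last_seq:
        return "replay"         # assumed policy: sequence number must increase
    return "ok"


if __name__ == "__main__":
    keys = {1: b"constructed-key"}  # constructed sample key, not a real one
    frame = build(keys[1], 1, 100, bytes(8))
    print(check(frame, keys), check(frame, keys, last_seq=100))
```
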