Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-ospf-ospfv3-autoconfig-05.txt
Curtis Villamizar <curtis@ipv6.occnc.com> Fri, 07 February 2014 17:23 UTC
Return-Path: <curtis@ipv6.occnc.com>
X-Original-To: ospf@ietfa.amsl.com
Delivered-To: ospf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FCAB1ACC91 for <ospf@ietfa.amsl.com>; Fri, 7 Feb 2014 09:23:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.437
X-Spam-Level:
X-Spam-Status: No, score=-2.437 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.535, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4CTLfDAofvYM for <ospf@ietfa.amsl.com>; Fri, 7 Feb 2014 09:23:44 -0800 (PST)
Received: from maildrop2.v6ds.occnc.com (maildrop2.v6ds.occnc.com [IPv6:2001:470:88e6:3::232]) by ietfa.amsl.com (Postfix) with ESMTP id 0957D1ACCED for <ospf@ietf.org>; Fri, 7 Feb 2014 09:23:34 -0800 (PST)
Received: from harbor3.ipv6.occnc.com (harbor3.v6ds.occnc.com [IPv6:2001:470:88e6:3::239]) (authenticated bits=128) by maildrop2.v6ds.occnc.com (8.14.7/8.14.7) with ESMTP id s17HNUh6063047; Fri, 7 Feb 2014 12:23:31 -0500 (EST) (envelope-from curtis@ipv6.occnc.com)
Message-Id: <201402071723.s17HNUh6063047@maildrop2.v6ds.occnc.com>
To: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>
From: Curtis Villamizar <curtis@ipv6.occnc.com>
In-reply-to: Your message of "Fri, 07 Feb 2014 08:58:34 +0000." <F3ADE4747C9E124B89F0ED2180CC814F23C61A44@xmb-aln-x02.cisco.com>
Date: Fri, 07 Feb 2014 12:23:30 -0500
Cc: OSPF List <ospf@ietf.org>
Subject: Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-ospf-ospfv3-autoconfig-05.txt
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: curtis@ipv6.occnc.com
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ospf/>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Feb 2014 17:23:47 -0000
In message <F3ADE4747C9E124B89F0ED2180CC814F23C61A44@xmb-aln-x02.cisco.com> "Les Ginsberg (ginsberg)" writes: > One other thing I forgot to mention. > > Using the mechanisms I define below, a modestly clever implementation > could implement a startup mode where it does not advertise any > reachability until it has formed at least one neighbor and acquired > the full LSA database. At this point it should know whether it has a > duplicate router-id or not and if so it can assign itself a new > router-id without affecting forwarding behavior at all. > > Les Good suggestion. Curtis > > -----Original Message----- > > From: OSPF [mailto:ospf-bounces@ietf.org] On Behalf Of Les Ginsberg > > (ginsberg) > > Sent: Friday, February 07, 2014 12:31 AM > > To: Acee Lindem; Curtis Villamizar > > Cc: OSPF List > > Subject: Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-ospf-ospfv3- > > autoconfig-05.txt > > > > So, I am one person who raised this concern to Acee - but the proposal > > outlined by Acee is not what I had in mind. There is no need to use "uptime" > > or to invent some unusual exchange of LSAs prior to Exchange state. > > > > Also, in regards to Curtis's comment - it is not DOS attacks that I am trying > > to mitigate here. As he says if an attacker is in your network and able to > > originate credible packets no strategy is safe. > > > > The motivating use case is to minimize disruption of a stable network when a > > new router is added or an existing router is replaced/rebooted. In other > > words non-disruptive handling of the common maintenance/upgrade scenarios. > > > > What I have in mind is this: > > > > 1)A router needs a way to advertise that it has been up and running for a > > minimum length of time - for the sake of discussion let's say 20 minutes. > > Routers then fall into two categories: > > > > o Old routers (up >= minimum time) > > o New routers (up < minimum time) > > > > 2)When a duplicate router-id is detected, the first tie breaker is between > > old routers and new routers. The old router gets to keep its router-id and > > the new router picks a new router-id. > > If both routers are "new" or both routers are "old" then we revert to the > > existing tie breakers defined in the document (link local address for > > directly connected routers and fingerprint info for non-neighbors). > > > > 3)Advertisement of the "old/new" state requires a single bit - but it has to > > be available both in hellos and the new AC-LSA. Adding it to the AC-LSA is > > easy to do. For hellos, there are two possibilities: > > > > o Use one of the Options Bits > > o Use LLS > > > > Be interested in how folks feel about this. > > > > Les > > > > > > > -----Original Message----- > > > From: OSPF [mailto:ospf-bounces@ietf.org] On Behalf Of Acee Lindem > > > Sent: Thursday, February 06, 2014 5:12 PM > > > To: Curtis Villamizar > > > Cc: OSPF List > > > Subject: Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-ospf-ospfv3- > > > autoconfig-05.txt > > > > > > Hi Curtis, > > > I agree and believe the significance of this use case where a new router is > > > inserted into an auto-configured domain has been greater exaggerated. > > > Thanks, > > > Acee > > > On Feb 5, 2014, at 3:58 PM, Curtis Villamizar <curtis@ipv6.occnc.com> > > wrote: > > > > > > > > > > > In message <CF17DD4E.2696B%acee.lindem@ericsson.com> > > > > Acee Lindem writes: > > > > > > > >> The OSPFv3 autoconfiguration draft was cloned and presented in the > > > >> ISIS WG (http://www.ietf.org/id/draft-liu-isis-auto-conf-00.txt). In > > > >> the ISIS WG, there was a concern that the resolution of a duplicate > > > >> system ID did not include the amount of time the router was > > > >> operational when determining which router would need to choose a new > > > >> router ID. With additional complexity, we could incorporate router > > > >> uptime into the resolution process. One way to do this would be to: > > > >> > > > >> 1. Add a Router Uptime TLV to the OSPFv3 AC-LSA. It would include > > > >> the uptime in seconds. > > > >> > > > >> 2. Use the Router Uptime TLV as the primary determinant in > > > >> deciding which router must choose a new OSPFv3 Router > > > >> ID. Router uptimes less than 3600 (MaxAge) seconds apart are > > > >> considered equal. > > > >> > > > >> 3. When an OSPFv3 Hello is received with a different link-local > > > >> source address but a different router-id, unicast the OSPFv3 > > > >> AC-LSA to the neighbor so that OSPFv3 duplicate router > > > >> resolution can proceed as in the case where it is received > > > >> through the normal flooding process. This is somewhat of a > > > >> hack as the we'd also need to accept OSPF Link State Updates > > > >> from a neighbor that is not in Exchange State or greater. > > > >> > > > >> An alternative to #3 would be to use Link-Local Signaling (LLS) for > > > >> signaling the contents of the OSPFv3 AC-LSA. However, you'd only want > > > >> to send the Router-Uptime and Router Hardware Fingerprint when a > > > >> duplicate Router-ID is detected. This requires implementing the > > > >> resolution two ways but may be preferable since it doesn't require > > > >> violating the flooding rules. > > > >> > > > >> In any case, I'd like to get other opinions as to whether this problem > > > >> is worth solving. > > > >> > > > >> Thanks, > > > >> Acee > > > > > > > > > > > > Acee, > > > > > > > > If the basis for router-id on boot up results in a fixed value, and if > > > > a duplicate will occur on a give network, then which of two duplicate > > > > routers gets that value may change after one of them reboots. If > > > > uptime is not considered, it will never change as long as one router > > > > stays up at any given time. > > > > > > > > We are talking about a very low probability event (a duplicate) except > > > > if this is a DoS attack and then either using or not using uptime > > > > won't matter since the attacker will claim an impossibly long uptime. > > > > > > > > Curtis
- [OSPF] OSPFv3 Autoconfiguration - draft-ietf-ospf… Acee Lindem
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Curtis Villamizar
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Acee Lindem
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Les Ginsberg (ginsberg)
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Les Ginsberg (ginsberg)
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Anton Smirnov
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Les Ginsberg (ginsberg)
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Anton Smirnov
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Curtis Villamizar
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Curtis Villamizar
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Les Ginsberg (ginsberg)
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Curtis Villamizar
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Les Ginsberg (ginsberg)
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Curtis Villamizar
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Les Ginsberg (ginsberg)
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Curtis Villamizar
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Acee Lindem
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Acee Lindem
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Acee Lindem
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Les Ginsberg (ginsberg)
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Les Ginsberg (ginsberg)
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Acee Lindem
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Russ White
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… RJ Atkinson
- Re: [OSPF] OSPFv3 Autoconfiguration - draft-ietf-… Curtis Villamizar