Re: [Rift] AD Review of draft-ietf-rift-rift-12 (Part 2a)
Jordan Head <jhead@juniper.net> Wed, 01 March 2023 15:04 UTC
Return-Path: <jhead@juniper.net>
X-Original-To: rift@ietfa.amsl.com
Delivered-To: rift@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAEF2C14CE33; Wed, 1 Mar 2023 07:04:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net header.b="1QsisiLX"; dkim=pass (1024-bit key) header.d=juniper.net header.b="AoPMpX7k"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BJwMZeJAKe18; Wed, 1 Mar 2023 07:04:31 -0800 (PST)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5A26C14CE30; Wed, 1 Mar 2023 07:04:27 -0800 (PST)
Received: from pps.filterd (m0108162.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 3218xpK3009940; Wed, 1 Mar 2023 07:04:26 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=fNvXkLx0r7rh2NSElUEHzr9ys/0dpD2HfOQwP3BzhlY=; b=1QsisiLXOFm1sMl2j5aNhm7d1x5OVQdGMhpQgmxf3unhvMabpopzZZbRmoXUCvCneSN6 bAMEcF9seTFRF2iHayHrkXT3QCclnKXpqvzBVXIdX+vy5x+/oGWv3Zz1/9Sq7gUy9Dqj 6zlGFwc/VAvKwiiMlOllLTcvYpWfFbYwwDM9xAR/KTCuNpYL4NU7tHJSHARQrFz709Gc oXIqo4/odtIDF3grF0+kPt89y7KIpZR51esQf3M1+lmVBbMTb/wyYM/vNAb/+DSKsqYe 87ukhqnZ7Hn3VkboWBMwcOyu75DiFJ77L32814l53+90eo5VR1ps42JTyCMTAZafJfP1 ug==
Received: from dm4pr02cu001-vft-obe.outbound.protection.outlook.com (mail-centralusazlp17012026.outbound.protection.outlook.com [40.93.13.26]) by mx0b-00273201.pphosted.com (PPS) with ESMTPS id 3p23pcgqvr-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 01 Mar 2023 07:04:25 -0800
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HAZrgeKavjUN0O2P6h575KvltG5b5PZL6r5AkvjyiCX4U83/gWn9Fe5jBA5AZKWFlqp8fY/Lin/SlRl15uV30sYyB0VAGWb2O0BNknIfox63V/FB3mjOlsA8W2lu8u4yOV+KWr4ds8AlisnKC7wFRFnjG80KqywaY8LVlyLUyybR+c1gDErcZW5PNSvtzh8j2oEGnZbgVfzVNq2FR0VZ4ZkcwZcqLO3n40nadBthUXFBn4eSCehR5VOmTtqqM7Z0goP7qTO7GETH/Isb4PFYd36NFa3cER+Fffvmwn/Dv1nyey1aLPmJ7V4S/3JaQXUG90ZruT1n8QC8gWTFoCVmGg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=fNvXkLx0r7rh2NSElUEHzr9ys/0dpD2HfOQwP3BzhlY=; b=aqbzNhk0GvCYB5Qt2Rsha8n3pL/v1bosZ0To1Hu815IAF3rFcHd7NtdcDcocWeVk+U1WYHQVrQzFbnWwBGwlARJn3RRVjl+dxLemEBciXDym0G3qdJZLXdz9eQwnVJJYplFbNdIWpUwmyUAvg0UrcQf4ZFaavmwK+lj57xfMf3boqUQPLeq3oTVFIuvCzAGplk5qvgBVatpbxK3qTd16SPaGstEtjjjoEAAQyF4gC0HQNvaTWaW8Ir2alZ+cMzYnBvMHbTkOnrj56ZMCY4OVMLdsXuk/UVpMWJ3OuOlRQejJq2DX1DzJrDP258mtUX4HB1a5fCiwiL9QV95r9HMpbg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=juniper.net; dmarc=pass action=none header.from=juniper.net; dkim=pass header.d=juniper.net; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fNvXkLx0r7rh2NSElUEHzr9ys/0dpD2HfOQwP3BzhlY=; b=AoPMpX7k2ESkNRgAfwa2+j/P8su005FZHjZnoDeEZ4yLUcZMtoeQVNbKL5xHXCtpqt3+nxr3PSUfWF4otDsMWCDeWJAp5FZd6jtRN6UJSdziyMJ3zrXaBItcYYebjtUCPt2REqNMrbSB7W9Qzho052ldDUGZnjyvJDc1UCRkllE=
Received: from BL0PR05MB5362.namprd05.prod.outlook.com (2603:10b6:208:67::16) by CO1PR05MB8428.namprd05.prod.outlook.com (2603:10b6:303:e7::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6156.18; Wed, 1 Mar 2023 15:04:20 +0000
Received: from BL0PR05MB5362.namprd05.prod.outlook.com ([fe80::9aab:bbdf:73ae:82e6]) by BL0PR05MB5362.namprd05.prod.outlook.com ([fe80::9aab:bbdf:73ae:82e6%7]) with mapi id 15.20.6134.024; Wed, 1 Mar 2023 15:04:20 +0000
From: Jordan Head <jhead@juniper.net>
To: Alvaro Retana <aretana.ietf@gmail.com>
CC: "rift-chairs@ietf.org" <rift-chairs@ietf.org>, "rift@ietf.org" <rift@ietf.org>, "draft-ietf-rift-rift@ietf.org" <draft-ietf-rift-rift@ietf.org>, "EXT-zhang.zheng@zte.com.cn" <zhang.zheng@zte.com.cn>
Thread-Topic: [Rift] AD Review of draft-ietf-rift-rift-12 (Part 2a)
Thread-Index: AQHYncKY/ib1VR/PHUmzmLg6WRhTca3dW9CAgOp1hICAHz2HgA==
Date: Wed, 01 Mar 2023 15:04:20 +0000
Message-ID: <BC2A14CF-0005-4C78-93AD-3473C7A3DDDB@juniper.net>
References: <CAMMESsxBr0+UriSaTDVZMrFzU6DSiuC3-wO4+7HgX4nX7SLHmg@mail.gmail.com> <CA+wi2hPcFoGoTi=GFx9zyXeKFmM3WZi82YBX4WVjY2jYPW7Mig@mail.gmail.com> <CO1PR11MB488171455D0FD980DC4D4C39D8769@CO1PR11MB4881.namprd11.prod.outlook.com> <CAMMESsx1oCVofW1cNzr5xo60vw50P4iUEedzwQW54xKQ0zezjw@mail.gmail.com> <CA+wi2hNtSwEGHc8ySjEPTamvqJBBh7AFbbPngvjh07QJS=ttrw@mail.gmail.com> <CAMMESsxvp7MByOzoiNHWNNGNm9bp5aiUEgrhKriU7BYy=pYXLQ@mail.gmail.com> <CA+wi2hM7arcayCEh+9YN4bccp1ZB41EFK+7JijZ+TViFUWKtqQ@mail.gmail.com> <CAMMESsz=6HQLsQQVMW4QS_OLtnoTMgvpt3R3AXDdycTp4ig2EA@mail.gmail.com> <3B71A60A-A043-46B0-9A10-2604D177FCD6@juniper.net> <CAMMESsz9skqa7uBEbP36Ly3jtOb10GKDvbtkf_u__jpt9CB0WQ@mail.gmail.com>
In-Reply-To: <CAMMESsz9skqa7uBEbP36Ly3jtOb10GKDvbtkf_u__jpt9CB0WQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.70.23021201
msip_labels: MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Enabled=true; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_ContentBits=0; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_SiteId=bea78b3c-4cdb-4130-854a-1d193232e5f4; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_ActionId=e5e3f267-6a5b-4535-aa6f-8588390ad94c; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_SetDate=2023-03-01T15:03:41Z; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Method=Standard; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Name=Juniper Business Use Only;MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Enabled=true;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BL0PR05MB5362:EE_|CO1PR05MB8428:EE_
x-ms-office365-filtering-correlation-id: 8cc68c4a-463a-4edd-281a-08db1a663c4c
x-ld-processed: bea78b3c-4cdb-4130-854a-1d193232e5f4,ExtAddr
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 0mQR34v0DXVj2wqx/Qoy7UpMqyFWRVGsoXkez/W7/0dESyXoeWrQhLqKh6Zfm7fdvzOPqr+v+DhJLShW9fomdK2QpqvStwmgQZhKIUQGgYQYu4KHCJKEq+Sw7SxhQwMyX0PLoMMulLyoqu4ySzoSZJ1YYeNUSS9OqQtx0F5xxahKdhoy0wb/NPAosMmVuzMBbcXUOVMFv33A+upPLl0GYg3VpHxlaTIVAfuebRUx/+Fv+qF0SedUGSL1SE4rHyPcmkTLjRDI6vDHp3WPEK1l9fsMi+X1fYkHOsOlsvE5YMVv3eE4VKbs/Xqyvn5Ppb+EfcOfi99+lk8YbLXohbPYaOnednzTGeMmomL4NCop7oB0+h+AQRB9QQGYMeGZJjZrZlURzqbaPw2UO+GJaLF89NyDAUImUFAB1A/Cdb81g/kLJJexXVqxUV2gfVgKrbrsNze1uJKicJ2icU2OAFxStBVIH7UyClE1m9PNoLozx6qwv5yPxB4OBwpvnOEMM80tnx/owhfzJkaes/nCbJXM8CHi5vN2wmMF4dFZxBG4z0O/46hHW1LeVqUpdG0aIdRGCZxenm8tPYipZrmxspdrQ968K4LhswTlYy7Zb4+dAI2gFRNqaeUm5vXqWV5TtJ/QK//IHjDdAB0rrCkO4UWl/thASupEf5LKWgBCVzUVVhmwotGdmzt2w/6w3TvVoldSG6BQNsduFXlghtdscPNmNGGVYQUf+6kyMuMbER1doLI=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BL0PR05MB5362.namprd05.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230025)(4636009)(346002)(396003)(39860400002)(376002)(366004)(136003)(451199018)(66899018)(122000001)(316002)(2906002)(5660300002)(33656002)(30864003)(36756003)(8936002)(86362001)(6506007)(26005)(6512007)(66446008)(76116006)(4326008)(66476007)(66556008)(66946007)(71200400001)(186003)(8676002)(6916009)(54906003)(64756008)(38100700002)(41300700001)(38070700005)(478600001)(83380400001)(2616005)(6486002)(45980500001)(579004); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: +w0JlYhCTiCWT9X6cyKHWUqev8TpVCqSN9olg1ydMEOyw1tjr5ibHOJulfm9g6Us/97E1rOM2NcClJUoJgEUBUBNtp7VYqv0hOMHVDhg3vhzE44cXYV512LtTI4i+2GESVBZ/meiIgsxI/mUPR2oSWXr2n4+T5MikRYiKj4cdLWe5Hi/vzMo2JnpaKWO92kOnKi9ESnOaOXLDQrZiPlqg48aVAZ1/2Mfe0PjcjORHweM/Fo4Las/jtEZTIe3tJZsMTSizoZQW9LIYaXyfLZTDgYSHg5stuu/lq7zF8XSs6+oCiIBFBBab53UaMS0lOSSkmoa8j0+d8RmAWp0Q/9hBIRlfSUZt6sQjjd5F4ZitaF/atL002BlQkEGhTllnWlsTO+Gpzd1OHBkk1ji3oWcvoZwegggeJEF4WfuTyol2Y+3Jm4pLNS8dheAn88BSSEmg+kz71UwVr+/nhk47OR1Ug0ZLcth3liY/zh0rwwpjMe5K2rewwUNi724JiuW+I9xVbYOrbKYync1qlyaEo54HI6moPyIF//SEJWPLLiz5Ef50NtY6rBkvGzykxu912tQqZHI9UKvw/Z/TYms2ySj2l1A9JOZIgFlgK3j/2p0lC8lt+rJwmov5UfPSCValv+nYE/5H3Vl50wcm4rgvkRFv5cBd9eFSgE299D8q9A9ZRV71c5mcnuYSqIR7wFeh4QE3XjdqKmBLOVcHbLLy8pl2YNQ8lhV7hNmIUqmPiLsWhBH7+WW2auhDEBIWO4d352Tu6vFXZ5QGSCSF8LtPFtya2nylfjTSJp5y24Db/g5R88TduyN8jld/A7N2cqfxBW9yccG+0JLbwx6z4U06PSA6atgJPEAFMzTnkQrR7ZpMR5zT4GM/kkHAl4ppT9IinKi1TVBt0l2SnefOvT3M0Vp+tg9gODSK79pTr/L0xNmM4sj1uLPbA+7OOo4qSet14ajZILGXdAaAnRSCSYKJEbP9BIb7qH0wB7Dvh625Jq7F8dZoLGfxyd6iMP34It+InC5Dsv1RGOAk9RBcUKETn4QQKK1ln6KMkXzLI5+1MlWIsI0q8hr0BVeMW/3tDFoKDwLpa/LhLcX22JKaRX/b71wqVeIOSXe7ax9fT6wx2NefsCou6osUDeVPBYqzRdDrE/4pRA+i7vExIrC5K3bb4BWm5BCtLXps7pv3HZidkbOBnrsVQaKs4/i0+CaIUI25Oyu6yi+YECTuZo+oh94BxtQJBwbivh5zztbZNjzWV8RVpBBFGslvFq211IUDtC/ipAPrviKuCflhE/TpmXJPqW81cW6JoOMhR5sYKVdMoIUXovYJcV+5vOH1/7n/CF+sKcZpTE5YNz/eO5dVhdXO1eb9AtTNYgTPIkhOyMHUnOjSkcirLWCUwgGO9utuyNA6tuZYKsq+u2D22PzNLo77VIgc0/0EnX3c44x2hWsK9txhs6UMILQ/2qr3RDmMfzwKr6AdUGpU47jghfSeulDsDt24zqRZJhSNOp/W2T0C53k84gxrio0o+mZ5n6f6RhNwNtE9R7dS+b72cpTdARhh7zUluCnAQ2n73aC92o3yCUdtbopd1X68g1AV7LC9bvF+7ku
Content-Type: text/plain; charset="utf-8"
Content-ID: <9EBAEB1DC4CB054BBD83BE8E15F4322D@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BL0PR05MB5362.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8cc68c4a-463a-4edd-281a-08db1a663c4c
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Mar 2023 15:04:20.3157 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ivaND7c6sNByCrRkdN+2Wol5o2hzx4UlDHSrElQm1mSqV4jeMmcB/QFY5upQ2DUsUAmvNhE62sZ4EERE129sxQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR05MB8428
X-Proofpoint-ORIG-GUID: XmAe-YWTj71JgSd9b6tsTYZq7wfA_Mk-
X-Proofpoint-GUID: XmAe-YWTj71JgSd9b6tsTYZq7wfA_Mk-
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-03-01_11,2023-03-01_01,2023-02-09_01
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 adultscore=0 mlxlogscore=999 spamscore=0 malwarescore=0 suspectscore=0 mlxscore=0 impostorscore=0 bulkscore=0 clxscore=1015 priorityscore=1501 phishscore=0 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000 definitions=main-2303010125
Archived-At: <https://mailarchive.ietf.org/arch/msg/rift/1OK-Wtnl__fGo6NVdj06LWn0yXU>
Subject: Re: [Rift] AD Review of draft-ietf-rift-rift-12 (Part 2a)
X-BeenThere: rift@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of Routing in Fat Trees <rift.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rift>, <mailto:rift-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rift/>
List-Post: <mailto:rift@ietf.org>
List-Help: <mailto:rift-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rift>, <mailto:rift-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2023 15:04:35 -0000
Hi Alvaro,
Some of the e-mails got truncated as discussion went on. I'm using the original e-mail, but all feedback is based on the larger discussion and most recent comments.
Comments inline as jhead>>
[External Email. Be cautious of content]
On September 13, 2022 at 8:34:50 AM, Jordan Head wrote:
Hi!
...
> > > [minor] "IPv4 Time to Live (TTL) / IPv6 Hop Limit (HL) of 1" Was GTSM
> > > (rfc5082) considered? Several documents (for example, rfc8085 and
> > > draft-ietf-opsec-v6) suggest its use. You may be asked about it later. It
> > > would be good to preempt those questions by adding some text in the
> > > Security Considerations about any risks...or using it.
> >
> > There is a religious war about 255 vs. 1 since a long time. I personally in
> > deployment was hurt @ least twice by implementations ending up not checking
> > TTL/misprocessing and forwarding one-hop packets with 254 on unicast/
> > multicast. Also, having a buggy FIB looping tightly packets with TTL 255 is
> > seldom fun. I never saw a thing not decrementing TTL and dropping on 1. I
> > prefer the 1 with possibly a multi-hop spoof (never saw that in my life
> > frankly, such an attack is really, really hard to engineer) than a rogue
> > packet running away in the network or micro looping 255 times on fast links.
> >
> > What I saw were replay attacks and against those RIFT is extremely well
> > protected as far it's practically implementable. Plus, if one _really_ wants
> > security one configures adjacency keys (and RIFT allows a full plethora of
> > that) rather than rely on the 255 hack to have "kind of a little lick of
> > security".
> >
> > So if the security folks push on it we can always go to 255 or write that
> > the TLL received MUST be either 255 or 1 to satisfy both camps.
> ...
> > > 1500 LIEs arriving with IPv4 Time to Live (TTL) / IPv6 Hop Limit (HL)
> > > 1501 larger than 1 MUST be ignored.
> > >
> > > [major] "MUST be ignored" The specification of the sender (§4.2.2) says
> > > that "LIEs SHOULD be sent with an IPv4 Time to Live (TTL) / IPv6 Hop Limit
> > > (HL) of 1". This is a Normative conflict because it is only recommended to
> > > the sender, but required by the receiver.
> >
> > aha, yes, very good. I'm reluctant to say MUST since it's not always
> > possible on a platform to force TTL (this is UDP). So I make it SHOULD on
> > both sides.
> >
> > your comment on the 255/1 stands of course.
>
> The text in -15 says:
>
> LIEs SHOULD be sent with an IPv4 Time to Live (TTL) / IPv6 Hop
> Limit (HL) of either 1 or 255 to prevent RIFT information
> reaching beyond a single L3 next-hop in the topology.
>
> ...
>
> LIEs arriving with IPv4 Time to Live (TTL) / IPv6 Hop Limit (HL)
> different than 1 or 255 SHOULD be ignored.
>
>
> The good thing is that you removed the Normative conflict: both
> sentences now say SHOULD. The bad thing is that, even if providing
> more options, anything can be used (1, 2, 4, 56, 123, 254, 255, etc.)
> because neither the sender nor the receiver is required to do
> anything.
>
> In the reply (above) you suggested using MUST. That would be a good
> start. But then you also said you were reluctant...
>
> Note that in my original comment I was just asking whether GTSM was
> considered and to justify why not (if you had considered and didn't
> want to use it), not to add the cumbersome support for both cases.
> IOW, do it any way you want, please be clear about any requirement
> (MUST), and justify why you're not following what other documents
> recommend (if not using 255) and how any issues can be mitigated (or
> if they need to be -- see the Security Considerations in rfc5082).
>
> jhead>> Discussed with Tony and we're good with changing things to MUST for
> jhead>> sending and receiving a TTL/HL of 1 or 255 only.
> jhead>> Also made the same adjustments for how TIEs are exchanged.
Good!
I keep insisting on this because someone is going to ask.
(1) There's no guidance here (or in the applicability draft) about
when to use either option.
jhead>> I'll bring this up with the applicability authors.
(2) If using a TTL of 1, there are some security threats that are left
open. For example, it is (relatively) easy to spoof a packet remotely
so that it has a TTL of 1 locally. Please see the Security
Considerations in rfc5082. Please include (in the Security
Considerations of this document) how rift mitigates the use of TTL = 1
(if it does) or an acknowledgement that there are some unmitigated
risks.
jhead>> I've added the following text in the LIE Exchange section
For implementations that use a TTL or HL of 1, [RFC5082] describes the risks of packets being unintentionally forwarded within a network.
The same questions/concerns apply to TIEs of course.
jhead>> I've added the same language to the TIE Exchange section as well.
...
> 1520 A simplified version on platforms with limited multicast support MAY
> 1521 implement optional sending and reception of LIE frames on IPv4 subnet
> 1522 broadcast addresses and IPv6 all routers multicast address though
> 1523 such technique is less optimal and presents a wider attack surface
> 1524 from security perspective.
>
> [major] Ahhh...mmmm...
>
> Let's start with this: I'm not sure how to read this sentence, a few
> commas would help.
>
> You don't need to solve all the cases. What is "limited multicast
> support"? As I interpret the sentence, IPv6 seems to support
> multicast so the choice is simple: use IPv6. As you explain, the node
> doesn't have to use both.
>
> The phrase "MAY implement optional..." is a double indication that
> "sending and reception" is optional: you don't have to. Which seems
> to point to the obvious conclusion of use IPv6.
>
> In summary, I don't understand the value of this sentence, including
> the use of a normative MAY ... but maybe I just don't understand the
> sentence itself. :-(
>
> jhead>> I think the main solution here would be for us would be to convey
> jhead>> things more clearly. I think the "limited" gives an indication of
> jhead>> flexibility for those that want it. I think "with limited or no
> jhead>> multicast support" works better?
> jhead>>
> jhead>> Obviously most implementations would use IPv6, followed by some IPv4,
> jhead>> but there are platforms that only implement really simple IPv4 stacks
> jhead>> without multicast support (which could be described as "limited or
> jhead>> no"). IoT-style devices come to mind here as an example. My view of
> jhead>> this is that calling it out this way helps bridge the gap between
> jhead>> implicitly vs. explicitly supported and makes things clearer for some
> jhead>> implementors. As you know there are specifications where the language
> jhead>> _technically_ allows for something and others where the language
> jhead>> shows that authors _intentionally_ allow something. I think we fall
> jhead>> into the latter.
> jhead>>
> jhead>>
> jhead>> As a result, I've changed things to the following:
> jhead>>
> jhead>> "A simplified version MAY be implemented on platforms with limited or
> jhead>> no multicast support (e.g. IOT devices) by sending and receiving
> jhead>> LIE frames on IPv4 subnet broadcast addresses and IPv6 all routers
> jhead>> multicast address. However, this technique is less optimal and
> jhead>> presents a wider attack surface from a security perspective."
Ok -- I still don't see the value of this paragraph, but if you want
to include it:
(1) "IPv4 subnet broadcast addresses and IPv6 all routers multicast
address" : Did you want to use "and" here, or "or"?
jhead>> As Tony stated, it's an or. Text now reads:
A simplified version MAY be implemented on platforms with limited or no multicast support (e.g. IoT devices) by sending and receiving LIE frames on IPv4 subnet broadcast addresses or the IPv6 all routers multicast address.
(2) Given that the implementation is optional, but simpler, are there
other cases where this implementation may be used? This is probably a
topic for the applicability draft -- I didn't see anything explicit
there about this, even in the "IoT Applicability" section.
jhead>> I'll bring this up with the applicability authors.
(3) The converse question should also be answered: Given that this
technique is "less optimal", when would a node not want to implement
it (assuming it has all the resources needed for a full
implementation)? Also a topic for the applicability draft.
jhead>> I'll bring this up with the applicability authors.
(4) "presents a wider attack surface from a security perspective" --
Please include something in the Security Considerations section about
the wider attack surface.
jhead>> I've added a new sub-section to the "Security Considerations" section called "IPv4 Boradcast and IPv6 All Routers Multicast Implementations". It basically describes the fact that the attack _surface_ is wider, but the specific vectors themselves are already addressed by the preceding sub-sections.
...
> [major] "absence of IPv4 addresses...and advertising
> `ipv4_forwarding_capable`...MUST forward IPv4 packets using gateways
> discovered on IPv6-only links"
>
> jhead>> Allow me to preface a couple of things. I think it's obvious that
> jhead>> Table 1 caused some confusion outside of its own scope, and after
> jhead>> reading it in conjunction with your comments I realized that my
> jhead>> interpretation may not be the same as everyone elses. I've split this
> jhead>> table into two new tables, one to describe how LIE exchange ocurrs
> jhead>> over different address family combinations and another to factor in
> jhead>> `ipv4_forwarding_capable` in the same context. I may refer to those
> jhead>> new tables in some of my replies.
jhead>> In another part of this thread, you suggested the following:
s/mechanism to discover the corresponding IPv6 address/mechanism to discover the corresponding gateway
Agreed and fixed.
I'll comment on the new tables first (from -16):
1595 +==========+==========+==========================================+
1596 | Local | Remote | LIE Exchange Behavior |
1597 | Neighbor | Neighbor | |
1598 | AF | AF | |
1599 +==========+==========+==========================================+
1600 | IPv4 | IPv4 | LIEs and TIEs are exchanged over IPv4 |
1601 | | | only. TIEs are received on any of the |
1602 | | | LIE source addresses. |
1603 +----------+----------+------------------------------------------+
1604 | IPv6 | IPv6 | LIEs and TIEs are exchanged over IPv6 |
1605 | | | only. TIEs are received on any of the |
1606 | | | LIE source addresses. |
1607 +----------+----------+------------------------------------------+
1608 | IPv4, | IPv6 | The local neighbor sends LIEs for both |
1609 | IPv6 | | IPv4 and IPv6 while the remote neighbor |
1610 | | | only sends LIEs for IPv6. The resulting |
1611 | | | adjacency will exchange TIEs over IPv6 |
1612 | | | on any of the IPv6 LIE source addresses. |
1613 +----------+----------+------------------------------------------+
1614 | IPv4, | IPv4, | LIEs and TIEs are exchanged over IPv6 |
1615 | IPv6 | IPv6 | and IPv4. TIEs are received on any of |
1616 | | | the IPv4 and IPv6 LIE source addresses. |
1617 +----------+----------+------------------------------------------+
- "TIEs are received on any of the LIE source addresses."
I had to read this several times to understand that it means that the
remote neighbor sends TIEs to any of the local addresses used to send
LIEs.
jhead>> Well if you're reading it several times, others are too. I've adjusted the language slightly to better convey which node does what for items 1, 2, and, 4. See the new version of the table below:
+==========+==========+==========================================+
| Local | Remote | LIE Exchange Behavior |
| Neighbor | Neighbor | |
| AF | AF | |
+==========+==========+==========================================+
| IPv4 | IPv4 | LIEs and TIEs are exchanged over IPv4 |
| | | only. The local neighbor receives TIEs |
| | | from remote neighbors on any of the LIE |
| | | source addresses. |
+----------+----------+------------------------------------------+
| IPv6 | IPv6 | LIEs and TIEs are exchanged over IPv6 |
| | | only. The local neighbor receives TIEs |
| | | from remote neighbors on any of the LIE |
| | | source addresses. |
+----------+----------+------------------------------------------+
| IPv4, | IPv6 | The local neighbor sends LIEs for both |
| IPv6 | | IPv4 and IPv6 while the remote neighbor |
| | | only sends LIEs for IPv6. The resulting |
| | | adjacency will exchange TIEs over IPv6 |
| | | on any of the IPv6 LIE source addresses. |
+----------+----------+------------------------------------------+
| IPv4, | IPv4, | LIEs and TIEs are exchanged over IPv6 |
| IPv6 | IPv6 | and IPv4. TIEs are received on any of |
| | | the IPv4 or IPv6 LIE source addresses. |
| | | The local neighbor receives TIEs from |
| | | the remote neighbors on any of the IPv4 |
| | | or IPv6 LIE source addresses. |
+----------+----------+------------------------------------------+
- [nit] s/IPv4 and IPv6 LIE source addresses/IPv4 or IPv6 LIE source addresses
jhead>> Agreed and fixed.
1619 Table 1: Control Plane Behavior for Neighbor AF Combinations
1621 +==========+==========+=============================================+
1622 | Local | Remote | Forwarding Behavior |
1623 | Neighbor | Neighbor | |
1624 | AF | AF | |
1625 +==========+==========+=============================================+
1626 | IPv4 | IPv4 | Both nodes are required to set the |
1627 | | | `ipv4_forwarding_capable` flag to true. |
1628 | | | All traffic is forwarded over IPv4. |
1629 +----------+----------+---------------------------------------------+
1630 | IPv6 | IPv6 | If either neighbor sets |
1631 | | | `ipv4_forwarding_capable` to false, all |
1632 | | | traffic is forwarded over IPv6. If |
1633 | | | both neighbors set |
1634 | | | `ipv4_forwarding_capable` to true, IPv4 |
1635 | | | traffic can be forwarded. |
1636 +----------+----------+---------------------------------------------+
1637 | IPv4, | IPv6 | If either neighbor sets |
1638 | IPv6 | | `ipv4_forwarding_capable` to false, all |
1639 | | | traffic is forwarded over IPv6. If |
1640 | | | both neighbors set |
1641 | | | `ipv4_forwarding_capable` to true, IPv4 |
1642 | | | traffic can be forwarded. |
1643 +----------+----------+---------------------------------------------+
1644 | IPv4, | IPv4, | IPv4 and IPv6 traffic can be forwarded. |
1645 | IPv6 | IPv6 | The behavior is unspecified if either |
1646 | | | neighbor sets the |
1647 | | | `ipv4_forwarding_capable` to false. |
1648 | | | The behavior is also unspecified if |
1649 | | | IPv4 and IPv6 advertise different |
1650 | | | flags, as described previously. |
1651 +----------+----------+---------------------------------------------+
1653 Table 2: Forwarding Behavior for Neighbor AF Combinations
- Case 2: "If either neighbor sets `ipv4_forwarding_capable` to false,
all traffic is forwarded over IPv6."
Saying that "all traffic is forwarded over IPv6" gives the impression
that IPv4 traffic over IPv6 is possible. I think you mean that "only
IPv6 traffic can be forwarded." Right?
jhead>> Correct. Made the following change to both Case 2:
If either neighbor sets `ipv4_forwarding_capable` to false, only IPv6 traffic can be forwarded. If both neighbors set `ipv4_forwarding_capable` to true, IPv4 traffic is also forwarded via IPv6 gateways.
- In case 3, "If either neighbor sets `ipv4_forwarding_capable` to
false... If both neighbors set `ipv4_forwarding_capable` to true..."
Only the remote neighbor can change the setting. The local neighbor
is required to set `ipv4_forwarding_capable` to true in both LIEs.
jhead>> Okay, I see what you mean here. I don't think it benefits us to reitterate the fact that `ipv4_forwarding_capable` MUST be set in both LIEs (at least not here). That said, to keep things unambiguous, I adjusted Case 3 to mention the remote node:
If the remote neighbor sets `ipv4_forwarding_capable` to false, only IPv6 traffic can be forwarded. If both neighbors set `ipv4_forwarding_capable` to true, IPv4 traffic is also forwarded via IPv6 gateways.
- Case 4: Both sentences say the same thing.
jhead>> Case 4 now reads:
IPv4 and IPv6 traffic can be forwarded. If IPv4 and IPv6 LIEs advertise conflicting `ipv4_forwarding_capable` flags, the behavior is unspecified.
The related text, a couple of paragraphs above, is this:
If IPv4 forwarding is supported on an interface, `ipv4_forwarding_capable`
MUST be set to true when LIEs from an IPv4 address are sent and MAY be set
to true in LIEs on IPv6 address if no LIEs are sent from an IPv4 address.
If IPv4 and IPv6 LIEs indicate contradicting information, protocol behavior
is unspecified.
It may be good to clarify that "If IPv4 forwarding is supported on an
interface, `ipv4_forwarding_capable` MUST be set to true" for all
LIEs, not just IPv4 LIEs.
jhead>> Text now reads:
If IPv4 forwarding is supported on an interface, `ipv4_forwarding_capable` MUST be set to true for all LIEs advertised from that interface.
Going back to the text that I was originally commenting on:
A node, in case of absence of IPv4 addresses on such links and advertising
`ipv4_forwarding_capable` as true, MUST forward IPv4 packets using gateways
discovered on IPv6-only links advertising this capability.
> jhead>> The word choice here is intentional: "absence of IPv4 addresses" does
> jhead>> not mean IPv4 isn't configured on an interface. I think the new Table
> jhead>> 2 will help clear some of this confusion up.
>From Table 2, my guess is that "absence of IPv4 addresses" means that
no IPv4 LIEs were sent. Is that what you mean?
jhead>> Yes, that's accurate, no IPv4 addresses means no IPv4 LIEs. This is conveyed in a comment below.
> [major] "MUST forward IPv4 packets using gateways discovered on IPv6-only
> links"
>
> I assume that this means that the IPv4 packet is encapsulated in IPv6
> and sent to a link-local address -- is that what you mean? Using
> "gateways discovered" may give the impression that there's more
> involved. You may want to consider being explicit about the
> operation.
>
> Also, in Figure 1 the text (for the 3rd case: IPv4/IPv6 over IPv6)
> simply says "IPv4 is forwarded", giving the wrong impression that the
> IPv4 is natively (not encapsulated) forwarded.
>
> At some point we talked about the fact that forwarding is out of scope
> -- that's ok. I'm calling out this text because it requires
> forwarding ("MUST forward"). Please make the behavior non-normative
> and declare the specific mechanism to "forward IPv4 packets...on
> IPv6-only links" out of scope.
>
> jhead>> I'd like to point you to the new Table 2 again here. We are
> jhead>> describing the generic behavior in terms of how packets are
> jhead>> forwarded, not the implementation. I've added the following sentence:
> jhead>>
> jhead>> "The specific forwarding implementation to support the described
> jhead>> behavior is out of scope for this document."
> jhead>>
> jhead>> In other words, the behavior is normative (MUST), but the
> jhead>> implementation of it is not (and is out of scope).
Yes, the problem is that the "described behavior" is not fully
described. This is especially true for a required (MUST) behavior.
How about if we split the difference?
jhead>> Agreed, here's the resulting text:
In the absence of IPv4 LIEs with `ipv4_forwarding_capable` set to true, a node MUST forward IPv4 packets using gateways discovered on IPv6-only links advertising this capability. The mechanism to discover the corresponding IPv6 gateway is out of scope for this specification and may be implementation specific.
> 1623 4. the advertised MTUs in `LiePacket` element match on both sides
> 1624 *and*
>
> [major] This clause talks about the "advertised MTUs", but advertising
> the MTU is optional.
>
> Suggestion>
> the MTU on on the link (either advertised in the `LiePacket`
> element or the 'default_mtu_size') matches on both sides *and*
>
> jhead>> Added language to clarify.
The new text now says:
(either at least one of the nodes does not advertise MTU in the
`LiePacket` *or* the advertised MTU values in the `LiePacket`
element match on both sides) *and*
If one side doesn't advertise an MTU, default_mtu_size is used. The
other side may advertise anything else and the condition above would
be satisfied. Why is this ok?
jhead>> Yes. As Tony mentioned in another part of the thread:
excellent catch, yes, the “doesn’t advertise” really means we use default value obviously and that has match with the local side (based on normal thrift processing but yes, without making this mental jump it reads the wrong way), I suggest
jhead>> The resulting text from Tony's suggestion and your comments is:
(the advertised MTU values in the `LiePacket` element match on both sides while missing MTU in the `LiePacket` is interpreted `default_...`)
Later on, in §4.2.2.1, when defining PROCESS_LIE:
if both sides advertise MTUs and the LIE has non matching
MTUs as compared to MTU advertised by this system then
CLEANUP, PUSH UpdateZTPOffer, PUSH MTUMismatch else
This text also means that there would be a mismatch under the same
conditions as above. IOW, if advertising the MTU is optional, a node
with an MTU of default_mtu_size can elect to not advertise it (which
is perfectly fine) -- it's neighbors may see something else, but the
mismatch wouldn't be detected.
jhead>> LIE FSM now covers "missing as default", resulting text now reads:
if both sides advertise MTU values and the MTU in the received LIE does not match the MTU advertised by the local system *or* at least one of the nodes does not advertise an MTU value and the advertising node's LIE does not match the `default_mtu_size` of the system not advertising an MTU then
Juniper Business Use Only
- [Rift] AD Review of draft-ietf-rift-rift-12 (Part… Alvaro Retana
- [Rift] Fwd: Re: AD Review of draft-ietf-rift-rift… Alvaro Retana
- Re: [Rift] AD Review of draft-ietf-rift-rift-12 (… Alvaro Retana
- Re: [Rift] AD Review of draft-ietf-rift-rift-12 (… Antoni Przygienda
- Re: [Rift] AD Review of draft-ietf-rift-rift-12 (… Tony Przygienda
- Re: [Rift] AD Review of draft-ietf-rift-rift-12 (… Alvaro Retana
- Re: [Rift] AD Review of draft-ietf-rift-rift-12 (… Tony Przygienda
- Re: [Rift] AD Review of draft-ietf-rift-rift-12 (… Pascal Thubert (pthubert)
- Re: [Rift] AD Review of draft-ietf-rift-rift-12 (… Pascal Thubert (pthubert)
- Re: [Rift] AD Review of draft-ietf-rift-rift-12 (… Tony Przygienda
- Re: [Rift] AD Review of draft-ietf-rift-rift-12 (… Alvaro Retana
- Re: [Rift] AD Review of draft-ietf-rift-rift-12 (… Jordan Head
- Re: [Rift] AD Review of draft-ietf-rift-rift-12 (… Jordan Head
- [Rift] RIFT UDP Ports/Multicast Address Allocatio… Alvaro Retana
- Re: [Rift] RIFT UDP Ports/Multicast Address Alloc… Antoni Przygienda
- Re: [Rift] AD Review of draft-ietf-rift-rift-12 (… Alvaro Retana
- Re: [Rift] AD Review of draft-ietf-rift-rift-12 (… Antoni Przygienda
- Re: [Rift] AD Review of draft-ietf-rift-rift-12 (… Alvaro Retana
- Re: [Rift] AD Review of draft-ietf-rift-rift-12 (… Antoni Przygienda
- Re: [Rift] AD Review of draft-ietf-rift-rift-12 (… Jordan Head