Re: [Rift] Jim raised the concern about TTL issue at IETF118 and require to add some text to rift-applicability draft

Antoni Przygienda <prz@juniper.net> Tue, 26 December 2023 19:47 UTC

To: "wei.yuehua@zte.com.cn" <wei.yuehua@zte.com.cn>, "alvaro.retana@futurewei.com" <alvaro.retana@futurewei.com>, "james.n.guichard@futurewei.com" <james.n.guichard@futurewei.com>, Jordan Head <jhead@juniper.net>
CC: "draft-ietf-rift-applicability.shepherd@ietf.org" <draft-ietf-rift-applicability.shepherd@ietf.org>, "jefftant.ietf@gmail.com" <jefftant.ietf@gmail.com>, "Jeffrey (Zhaohui) Zhang" <zzhang@juniper.net>, "draft-ietf-rift-applicability.authors@ietf.org" <draft-ietf-rift-applicability.authors@ietf.org>, "rift@ietf.org" <rift@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rift/MQ7bpS2paw0QUgrP2_BO25ffxHA>
List-Id: Discussion of Routing in Fat Trees <rift.ietf.org>

thanks, happy holidays back. There may be more overflow from recent reviews on rift towards the applicability draft BTW once they're resolved by Jordan and me, so I'd expect at least one more version …


  *   tony



Juniper Business Use Only

From: wei.yuehua@zte.com.cn <wei.yuehua@zte.com.cn>
Date: Tuesday, 26 December 2023 at 04:07
To: alvaro.retana@futurewei.com <alvaro.retana@futurewei.com>, james.n.guichard@futurewei.com <james.n.guichard@futurewei.com>, Jordan Head <jhead@juniper.net>
Cc: Antoni Przygienda <prz@juniper.net>, draft-ietf-rift-applicability.shepherd@ietf.org <draft-ietf-rift-applicability.shepherd@ietf.org>, jefftant.ietf@gmail.com <jefftant.ietf@gmail.com>, Jeffrey (Zhaohui) Zhang <zzhang@juniper.net>, draft-ietf-rift-applicability.authors@ietf.org <draft-ietf-rift-applicability.authors@ietf.org>, rift@ietf.org <rift@ietf.org>
Subject: Re: Jim raised the concern about TTL issue at IETF118 and require to add some text to  rift-applicability draft
[External Email. Be cautious of content]


Hi,

Happy holidays!

Your comments are resolved, and a new version was just uploaded.

https://mailarchive.ietf.org/arch/msg/rift/zPJ3XaPD7tYWX_q2wBUmyRn37r4/



Best Wishes,

Yuehua Wei


Original
From: AlvaroRetana <alvaro.retana@futurewei.com>
To: prz@juniper.net <prz@juniper.net>; Alvaro Retana <alvaro.retana@futurewei.com>; Yuehua Wei;
Cc: jhead@juniper.net <jhead@juniper.net>; draft-ietf-rift-applicability.shepherd@ietf.org <draft-ietf-rift-applicability.shepherd@ietf.org>; jefftant.ietf@gmail.com <jefftant.ietf@gmail.com>; zzhang@juniper.net <zzhang@juniper.net>; draft-ietf-rift-applicability.authors@ietf.org <draft-ietf-rift-applicability.authors@ietf.org>; James Guichard <james.n.guichard@futurewei.com>;
Date: 19 December 2023 02:59
Subject: Re: Jim raised the concern about TTL issue at IETF118 and require to add some text to  rift-applicability draft
Works for me.

Thanks!


On December 16, 2023 at 1:48:42 AM, wei.yuehua@zte.com.cn (wei.yuehua@zte.com.cn<mailto:wei.yuehua@zte.com.cn>) wrote:

Hi Tony and Alvaro,

Based on your comments, the text is amended as follows:

-----

5.17 TTL/HopLimit of 1 vs. 255 on LIEs/TIEs

RIFT uses a packet's Time to Live (TTL) (IPv4) or Hop Limit (IPv6) to verify whether the packet originated from an adjacent node on a connected link.

LIEs/TIEs MUST be sent with an IPv4 Time to Live (TTL) or an IPv6 Hop Limit (HL) of either 1 or 255 to prevent RIFT information from reaching beyond a single L3 next-hop in the fabric. LIEs/TIEs arriving with an IPv4 TTL or an IPv6 HL other than 1 or 255 MUST be ignored.

RIFT explicitly requires the use of a TTL/HL value of 1 *or* 255 when sending/receiving LIEs and TIEs so that implementors have a choice between the two.  TTL (or HL) = 1 protects against the information disseminating more than 1 hop in the fabric and should be the default unless configured otherwise.  TTL (or HL) = 255 can lead to RIFT TIE packet propagation beyond one hop (the multicast address is already in the local subnetwork range) in case of implementation problems, but it does protect against a remote attack as well, and a receiving remote router will ignore such a TIE packet unless it is exactly 254 hops away and accepts only TTL=1.

[RFC5082] defines a Generalized TTL Security Mechanism (GTSM). The GTSM is applicable to LIEs/TIEs implementations that use a TTL or HL of 255. It provides a defense from infrastructure attacks based on forged protocol packets from outside the fabric.

For implementations that use a TTL or HL of 1, there are some security threats that are left open.  For example, it is relatively easy to spoof a packet remotely so that it has a TTL of 1 within the fabric.  Please see the Security Considerations in [RFC5082].



I appreciate your comments.



Best Regards,

Yuehua Wei






From: Antoni Przygienda <prz@juniper.net>
To: Yuehua Wei; Jordan Head <jhead@juniper.net>; james.n.guichard@futurewei.com <james.n.guichard@futurewei.com>;
Cc: draft-ietf-rift-applicability.authors@ietf.org <draft-ietf-rift-applicability.authors@ietf.org>; draft-ietf-rift-applicability.shepherd@ietf.org <draft-ietf-rift-applicability.shepherd@ietf.org>; alvaro.retana@futurewei.com <alvaro.retana@futurewei.com>; jefftant.ietf@gmail.com <jefftant.ietf@gmail.com>; Jeffrey (Zhaohui) Zhang <zzhang@juniper.net>;
Date: 16 December 2023 04:19
Subject: Re: Jim raised the concern about TTL issue at IETF118 and require to add some text to  rift-applicability draft
Okay,


  1.  I fully support adding this to the applicability draft with the amendments below
  2.  here are the comments as to correctness:

     *   TTL=1 protects against the information disseminating more than 1 hop in the fabric and should be the default unless configured otherwise
     *   TTL=255 can lead to RIFT TIE packet propagation beyond one hop (the multicast address is already in the local subnetwork range) in case of implementation problems, but it does protect against a remote attack as well, and the receiving remote router will ignore such packets unless it is exactly 254 hops away and accepts only TTL=1.
     *   the ‘MUST be ignored’ should be amended (unless explicitly configured otherwise). Just like in the case of an MTU mismatch, a knob is always necessary due to some deployment corner cases

AFAIS this can still be discussed, we’re not an RFC yet and implementations can be knob’ed to accept anything and send anything (just like the ‘OSPF security check’ knob so common today …)


  *   tony




From: wei.yuehua@zte.com.cn <wei.yuehua@zte.com.cn>
Date: Friday, 15 December 2023 at 04:31
To: Jordan Head <jhead@juniper.net>, james.n.guichard@futurewei.com <james.n.guichard@futurewei.com>
Cc: Antoni Przygienda <prz@juniper.net>, draft-ietf-rift-applicability.authors@ietf.org <draft-ietf-rift-applicability.authors@ietf.org>, draft-ietf-rift-applicability.shepherd@ietf.org <draft-ietf-rift-applicability.shepherd@ietf.org>, alvaro.retana@futurewei.com <alvaro.retana@futurewei.com>, jefftant.ietf@gmail.com <jefftant.ietf@gmail.com>, Jeffrey (Zhaohui) Zhang <zzhang@juniper.net>
Subject: Jim raised the concern about TTL issue at IETF118 and require to add some text to  rift-applicability draft




Hi Jordan and Jim,

Jim raised a concern about the TTL issue at IETF 118 (https://datatracker.ietf.org/doc/minutes-118-rift/), and requested that some text be added to the rift-applicability draft so that the draft can be wrapped up together with the base spec.

The following text is proposed for addition to the new version of draft-ietf-rift-applicability as a section under "5.  Operational Considerations"; please review and comment, thanks!



5.17 TTL/HopLimit of 1 vs. 255 on LIEs/TIEs

RIFT uses a packet's Time to Live (TTL) (IPv4) or Hop Limit (IPv6) to verify whether the packet originated from an adjacent node on a connected link.

LIEs/TIEs MUST be sent with an IPv4 Time to Live (TTL) or an IPv6 Hop Limit (HL) of either 1 or 255 to prevent RIFT information from reaching beyond a single L3 next-hop in the fabric. LIEs/TIEs arriving with an IPv4 TTL or an IPv6 HL other than 1 or 255 MUST be ignored.

RIFT explicitly requires the use of a TTL/HL value of 1 *or* 255 when sending/receiving LIEs and TIEs so that implementors have a choice between the two.

[RFC5082] defines a Generalized TTL Security Mechanism (GTSM). The GTSM is applicable to LIEs/TIEs implementations that use a TTL or HL of 255. It provides a defense from infrastructure attacks based on forged protocol packets from outside the fabric.

For implementations that use a TTL or HL of 1, there are some security threats that are left open.  For example, it is relatively easy to spoof a packet remotely so that it has a TTL of 1 within the fabric.  Please see the Security Considerations in [RFC5082].





Best Regards,

Yuehua Wei

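The receive-side rule proposed for section 5.17 ("ignore anything other than TTL/HL 1 or 255"), the GTSM argument from [RFC5082], and Tony's 254-hop corner case can all be exercised with a small in-memory model. The following block is an added example and is not code from the RIFT drafts, from any implementation, or from anyone in this thread. It assumes standard router behaviour (each hop decrements TTL/HL by one and discards the packet rather than forwarding it with zero); the `ignore_ttl_check` knob is a hypothetical name for the "unless explicitly configured otherwise" escape hatch Tony asked for, and all packets and hop counts are constructed for the demonstration. One consequence it makes visible, which follows directly from the draft text rather than being stated there: a receiver that accepts TTL 1 *and* 255 inherits the TTL=1 weakness, because a remote forger simply picks an initial TTL of hops+1.

```python
"""Added example (not from the RIFT drafts or the thread above): an in-memory
model of the receive-side TTL / Hop Limit check proposed for section 5.17,
used to compare the TTL=255 (GTSM, RFC 5082) and TTL=1 modes.

Assumptions: every router on the path decrements TTL/HL by one and discards
the packet if the result is zero; the receiver policy is the draft text
('ignore anything other than 1 or 255') plus a hypothetical operator knob
modelling 'unless explicitly configured otherwise'. All packets and hop
counts are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

TTL_GTSM = 255        # RFC 5082 mode: sender sets the maximum value
TTL_LINK_LOCAL = 1    # link-local mode: packet cannot survive a router hop


@dataclass(frozen=True)
class Packet:
    src: str
    ttl: int          # IPv4 TTL or IPv6 Hop Limit at the current point


def forward(pkt: Packet, hops: int) -> Optional[Packet]:
    """Push `pkt` through `hops` routers. Each router decrements TTL/HL and
    drops the packet instead of forwarding it with a value of zero, so a
    TTL=1 packet never survives even one hop."""
    ttl = pkt.ttl
    for _ in range(hops):
        ttl -= 1
        if ttl <= 0:
            return None
    return Packet(pkt.src, ttl)


def accept_lie_tie(pkt: Packet,
                   accepted_ttls: Iterable[int] = (TTL_LINK_LOCAL, TTL_GTSM),
                   ignore_ttl_check: bool = False) -> bool:
    """Receive-side rule from proposed 5.17: LIEs/TIEs arriving with a TTL/HL
    other than the accepted values MUST be ignored. `ignore_ttl_check` is a
    hypothetical knob name for 'unless explicitly configured otherwise';
    the draft defines no such knob."""
    if ignore_ttl_check:
        return True
    return pkt.ttl in tuple(accepted_ttls)


def initial_ttl_for_arrival(hops: int, arrival_ttl: int) -> Optional[int]:
    """Initial TTL a sender `hops` routers away must use for the packet to
    arrive with `arrival_ttl`, or None if no legal (1..255) value exists.
    This is the GTSM property: an arrival value of 255 is unreachable for
    any hops > 0, whereas an arrival value of 1 is reachable from anywhere
    up to 254 hops away."""
    initial = arrival_ttl + hops
    return initial if 1 <= initial <= 255 else None


def remote_forgery_accepted(hops: int, accepted_ttls: Iterable[int]) -> bool:
    """Can a forged LIE/TIE sent from `hops` routers away pass the receiver
    check? The attacker tries the best initial TTL for every value the
    receiver accepts."""
    accepted = tuple(accepted_ttls)
    for target in accepted:
        initial = initial_ttl_for_arrival(hops, target)
        if initial is None:
            continue
        arrived = forward(Packet("attacker", initial), hops)
        if arrived is not None and accept_lie_tie(arrived, accepted):
            return True
    return False


def leaked_tie_accepted(hops: int,
                        accepted_ttls: Iterable[int] = (TTL_LINK_LOCAL,)) -> bool:
    """Tony's corner case: a TIE sent with TTL=255 that an implementation bug
    let escape the link. A receiver `hops` away that accepts only TTL=1
    ignores it except when it sits exactly 254 hops from the sender."""
    arrived = forward(Packet("buggy-neighbour", TTL_GTSM), hops)
    return arrived is not None and accept_lie_tie(arrived, accepted_ttls)


if __name__ == "__main__":
    for hops in (0, 1, 3, 254):
        print(f"{hops:3d} hops: "
              f"GTSM-only receiver forged? {remote_forgery_accepted(hops, (TTL_GTSM,))}, "
              f"TTL=1-only receiver forged? {remote_forgery_accepted(hops, (TTL_LINK_LOCAL,))}, "
              f"leaked TTL=255 TIE accepted by TTL=1 receiver? {leaked_tie_accepted(hops)}")
```

Running the block prints one line per hop count: with 0 hops (an on-link attacker) both receiver modes accept the forgery, which is what GTSM never claimed to stop; from 1 hop onwards the GTSM-only receiver rejects every forgery while the TTL=1-only receiver still accepts it; and the leaked TTL=255 TIE is ignored by a TTL=1 receiver at every distance except 254.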