Re: Benjamin Kaduk's No Objection on draft-ietf-bfd-multipoint-active-tail-09: (with COMMENT)

Greg Mirsky <gregimirsky@gmail.com> Tue, 03 July 2018 17:58 UTC

Return-Path: <gregimirsky@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AA0B130DC7; Tue, 3 Jul 2018 10:58:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.402
X-Spam-Level:
X-Spam-Status: No, score=0.402 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_COMMENT_SAVED_URL=1.391, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_HTML_ATTACH=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rvb-6WpwPLSZ; Tue, 3 Jul 2018 10:58:36 -0700 (PDT)
Received: from mail-lj1-x244.google.com (mail-lj1-x244.google.com [IPv6:2a00:1450:4864:20::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 168CC12E039; Tue, 3 Jul 2018 10:58:35 -0700 (PDT)
Received: by mail-lj1-x244.google.com with SMTP id i125-v6so2248729lji.2; Tue, 03 Jul 2018 10:58:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=p72wibQuwG6Q4GM/aqafuYqSmW2vArVxR55jNKloVMo=; b=l16LUQoOxzpDzL6ARGoX8VqFGHBzKHh8RNCYbabthT1hpPFsDyfa0891TKPCzKD0BI kcWpEG9vQPdIeN8Hbib4YlQF7fvfs/60mLHBqWV8MEjwoiTygAlbjWY7kOY5ZFp9qeFq lcVsrXejQ5kuSFpWkRAhcUMhJ724QjxFglziQfiTZOvsi8Ek2Rbq6O3ejonajhLoII/I 8s4R+8jdWOSOcMmHIBanexBPgHEZYH5vP9y3MllWXLljbjDhrEGZljeY7hliy3/gnCaO PP7ZZbvMQefj+qmVdd2uYuKO6Mzr4M8EnbufNEHD1pJqEOkpd0Ap8IkDydFre1PsVhfw BW8Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=p72wibQuwG6Q4GM/aqafuYqSmW2vArVxR55jNKloVMo=; b=rgt5OURvOZkGk/XYexf3nrGOyHb9knMl2z4Z7BAiHrjXOJpUWgaVXJP3gUSFBK/xxE uGNCJ82mWUNliJ7/B3rmhL3PJKtVKpwQn7+DskPPAuyzLt7bde+pbkMF4lD/5l9AX0AK 0l0d85prg+sa4sonNGEmXwyX0m/Yi8O8DlIeSr1+PYWIBsVxM2kufyzkrjOvmUCw1CZI txmpCAhJsWodRvyLL8VvvWju0QoWT0XMriup/Ou/cmkw4ozcZOZn66s6EA16kgH9pE+U bwX6EGGApoibychvcw/bj9VtOvEcRospecaVjGPWoKyidh2lec8hHNKQjQPXY70W4Afp Uztg==
X-Gm-Message-State: APt69E2M2bk0hZNHdfVl4Eg23grkxKyti3Zxam59Yk5A7NvIruI/AYlb UK51zLiKS/1md6gvpKp1lzO2JqfJROkVG1eB7Lw=
X-Google-Smtp-Source: AAOMgpemd/c79u5SiYRT1m4+A/YoKpgVz6+IfP6sFY8yrV2FCOpSANTDuuHBf9GO100ykz0dQTOUfFsutFKOZvZHsfs=
X-Received: by 2002:a2e:89c5:: with SMTP id c5-v6mr5342183ljk.19.1530640713103; Tue, 03 Jul 2018 10:58:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a2e:6e08:0:0:0:0:0 with HTTP; Tue, 3 Jul 2018 10:58:31 -0700 (PDT)
In-Reply-To: <153056369226.16131.1820577378221314886.idtracker@ietfa.amsl.com>
References: <153056369226.16131.1820577378221314886.idtracker@ietfa.amsl.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Tue, 03 Jul 2018 10:58:31 -0700
Message-ID: <CA+RyBmUteBVt4LtyKqz_wdSGxdO0juBKhoLsca_MSfZiBt=inQ@mail.gmail.com>
Subject: Re: Benjamin Kaduk's No Objection on draft-ietf-bfd-multipoint-active-tail-09: (with COMMENT)
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, draft-ietf-bfd-multipoint-active-tail@ietf.org, Reshad Rahman <rrahman@cisco.com>, bfd-chairs@ietf.org, rtg-bfd@ietf.org
Content-Type: multipart/mixed; boundary="000000000000fc50bb05701c0fb8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/8wOsF-Cu1MW2sf_DIvIH14Ioi3Y>
X-Mailman-Approved-At: Tue, 03 Jul 2018 12:01:28 -0700
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jul 2018 17:58:44 -0000

Hi Benjamin,
thank you for the review and your kind words. Please find my answers
in-line and tagged GIM>>.
The new working version and the diff are attached.

Regards,
Greg

On Mon, Jul 2, 2018 at 1:34 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:

> Benjamin Kaduk has entered the following ballot position for
> draft-ietf-bfd-multipoint-active-tail-09: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-bfd-multipoint-active-tail/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thanks for the clear explanations throughout; they made this document
> pretty easy to read.
>
> When the head sends both a multipoint poll and a unicast poll, does the
> MultipointClient session have a way to tell whether a received reply is
> replying to the multipoint message or the unicast one?
>
GIM>> There's no information that a tail includes in the Final poll message
to distinguish between the Poll from the head. I believe that the head
paces the messages apart to guarantee that the response to the earlier have
arrived or must be considered as lost.

>
> For variables that "MUST be initialized based on configuration", do we need
> to provide a default value?
>
GIM>> Interesting question, thank you. I think that the default for:

   - bfd.SilentTail may be 1 so that enabling responses to polling requires
   explicit configuration action;
   - bfd.ReportTailDown may be 1, as that is the goal of using active tail
   mode.

Others certainly will have different preferences. It may be that leaving
the defaults for these two local variables to implementation is acceptable.
What do you think?

>
> Section 4
>
>    A head may wish to be alerted to the tails' connectivity (or lack
>    thereof), there are a number of options.
>
> This is a comma splice and should be reworded.
>
GIM>>
OLD TEXT:
   A head may wish to be alerted to the tails' connectivity (or lack
   thereof), there are a number of options.
NEW TEXT:
   A head may wish to be alerted to the tails' connectivity (or lack
   thereof), and there are a number of options to achieve that.

>
> Section 5.1
>
>    [...]  This mode emulates the behavior
>    described in [I-D.ietf-bfd-multipoint].  In this mode for
>    bfd.SessionType is MultipointTail, variable bfd.SilentTail (see
>    Section 6.3.1) MUST be set to 1.
>
> nit: I think the "for" is spurious (and could maybe even be replaced by a
> comma)?  The existing comma could be replaced by a semicolon or "and" to
> avoid a comma splice.
>
GIM>> Modified to:
 In this mode, bfd.SessionType is MultipointTail and the variable
bfd.SilentTail (see Section 6.3.1) MUST be set to 1.

>
> Section 5.2
>
>    o  if bfd.SessionType is MultipointTail, variable bfd.SilentTail (see
>       Section 6.3.1) MUST be set to 0;
>
> nit: "the variable"
>
GIM>> Thanks, done.

>
> Section 6.3.1
>
>    Few state variables are added in support of Multipoint BFD active
>    tail.
>
> nit: "A few"
>
GIM>> Done.

>
>       bfd.UnicastRcvd
>
>          Set to 1 if a tail receives a unicast BFD Control packet from
>          the head.  This variable MUST be set to zero if the session
>          transitions from Up state to some other state.
>
> Is there ambiguity about "the session" being MultipointHead/MultipointTail
> vs. MultipointClient/MultipointTail (i.e., multipoint or unicast)?
>
GIM>> I had to refresh my memory of how the value of bfd.UnicastRcvd
controlled. My understanding of text in 6.13.1 is that more accurate
definition of bfd.UnicastRcvd may be with the following text:
      bfd.UnicastRcvd

         Set to 1 if a tail has received a unicast BFD Control packet
         from the head while being in Up state.  This variable MUST be
         set to zero if the session transitions from Up state to some
         other state.

>
> Section 6.4
>
>    If the head wishes to request a notification from the tails when they
>    lose connectivity, it sets bfd.ReportTailDown to 1 in either the
>    MultipointHead session (if such notification is desired from all
>    tails) or in the MultipointClient session (if notification is desired
>    from a particular tail).  Note that the setting of this variable in a
>    MultipointClient session for a particular tail overrides the setting
>    in the MultipointHead session.
>
> It seems like this property (MultipointClient overrides MultipointHead) is
> fairly general and would apply to other variables as well.  Should it be
> stated in a more general location?
>
GIM>> I agree and section 6.1 Multipoint Client Session seems to me as the
appropriate place for such statement. A new sentense to append the
paragraph:
   Note that the settings of all BFD
   variables in a MultipointClient session for a particular tail
   override the corresponding settings in the MultipointHead session.

>
> Section 6.7
>
>    When the tails send BFD Control packets to the head from the
>    MultipointTail session, the contents of Your Discr (the discriminator
>    received from the head) will not be sufficient for the head to
>    demultiplex the packet, since the same value will be received from
>    all tails on the multicast tree.  In this case, the head MUST
>    demultiplex packets based on the source address and the value of Your
>    Discr, which together uniquely identify the tail and the multipoint
>    path.
>
> I just want to double-check my understanding: is My Discr used at all for
> BFD Control messages from the tail to the head?
>
GIM>> The spec does not specify how the head uses My Discriminator from a
tail.

>
> Section 6.8
>
>    The value of Required Min Rx Interval received by a tail in a unicast
>    BFD Control packet, if any, always takes precedence over the value
>    received in Multipoint BFD Control packets.
>
> Do we need to scope this down to the "associated" sessions?  (If so,
> probably someone should review the whole draft with an eye for it, as I
> have not done so.)
>
GIM>> A tail receives all BFD poll messages, multicast or unicast, on the
same MultipointTail session. The head, on the other hand, sends multicast
poll messages from MultipointHead session and unicast polls - from
associated MultipointClient session(s).

>
> Section 6.9, 6.10
>
> In "If the head wishes to [...] session MAY send [...]", the 2119 MAY does
> not seem especially appropriate?
>
GIM>> s/MAY/can/ on both occasions?

>
> Section 6.13.1
>
>    [...] In
>    addition to that, if tail tracking is desired by the head, below
>    procedure MUST be applied.
>
> nit: "the following procedure"
>
GIM>> Thanks, done.

>
> Section 6.13.2
>
> Do we need to say if this "addition" happens at the beginning or end of the
> bfd-multipoint procedure, or is it supposed to replace part of it, or what?
>
GIM>> My understanding of this is that a tail must delay sending any packet
to the head during mpBFD session coming up (yes, it is vague). As this is
relevant only for active tail, it is addition rather than replacement of
any procedure in mpBFD spec.

>
> Section 6.13.3
>
>    If bfd.SessionType value is MultipointTail and periodic the
>    transmission of BFD Control packets is just starting (due to Demand
>    mode not being active on the remote system), the first packet to be
>    transmitted MUST be delayed by a random amount of time between zero
>    and (0.9 * bfd.RemoteMinRxInterval).
>
> Should "periodic the" be "the periodic"?
>
GIM>> Right, done.

>
> Also, this seems like a situation where cryptographic randomness is not
> required; it may be appropriate to note this.
>
GIM>> Sorry, missed the point. Could you please clarify RE: " cryptographic
randomness".

>
>    [...] A system MAY limit the rate at
>    which such packets are transmitted.  If rate limiting is in effect,
>    the advertised value of Desired Min TX Interval MUST be greater than
>    or equal to the interval between transmitted packets imposed by the
>    rate limiting function.
>
> How does this MUST get enforced?  Is it a matter of a software
> implementation refusing to allow local configuration to effect such
> behavior, or is it a global property of the system (e.g., that would
> require the administrator to enforce the MUST)?
>
GIM>> I see it as the property of implementation.

>
>    Contents of transmitted packet MUST be as explained in section 5.13.3
>    of [I-D.ietf-bfd-multipoint].
>
> nit: There's a singular/plural mismatch here between "Contents" (plural)
> and "transmitted packet" (singular).
>
GIM>> Since the mpBFD describes only transmission of periodic BFD Control
packet, the following seems logical:
    Content of the transmitted packet MUST be as explained in section
   5.13.3 of [I-D.ietf-bfd-multipoint].

>
> Section 9
>
> "infinite" is, well, infinite.  Implementations that create
> MultipointClient sessions on demand need to have more reasonable
> expectations on prevention (the listed points do a better job than this
> text would indicate).
>
GIM>> Would this re-wording stand:
   Additionally, implementations that create MultpointClient sessions
   dynamically upon receipt of BFD Control packet from a tail MUST
   implement protective measures to prevent a number of MultipointClient
   sessions being created growing out of control.

>
> As the rtgdir early review, the risk of spoofed packets causing
> tail-->MultpointClient traffic (including creation of MultipointClient
> sessions based on the received traffic) should probably be called out more
> directly.

GIM>> tail->MultipointClient, i.e.,head traffic is unidiractional. The
head, I expect sane implementation, will drop all packets that cannot be
matched to outstanding poll. I don't see it as new atack vector, but, of
course, I may be missing something.


> It seems like an attacker that can insert spoofed multipoint
> traffic would be able to effect some level of traffic amplification over
> time, though the jitter makes it harder to create large spikes.

GIM>> If understand the scenario you've described, the attacker transmits
multicast poll messages but tails send unicast packets to the real head. I
think that will not cause explosion of MultipointClient sessions because
the head would not have outstanding poll. I expect that all packets will be
discarded.

> (Even
> on-path attacks are still worth documenting, IMO.)  I see there was some
> conversation about the other security related points raised by that review,
> but on a quick read it seemed like maybe there was still some room to add
> more text to the security considerations.
>
>
>