Re: Zaheduzzaman Sarker's Discuss on draft-ietf-bfd-unsolicited-11: (with DISCUSS and COMMENT)

John Scudder <jgs@juniper.net> Tue, 18 April 2023 16:15 UTC

From: John Scudder <jgs@juniper.net>
To: Jeffrey Haas <jhaas@pfrc.org>, Zaheduzzaman Sarker <zaheduzzaman.sarker@ericsson.com>
CC: Reshad Rahman <reshad@yahoo.com>, The IESG <iesg@ietf.org>, "draft-ietf-bfd-unsolicited@ietf.org" <draft-ietf-bfd-unsolicited@ietf.org>, "bfd-chairs@ietf.org" <bfd-chairs@ietf.org>, "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>
Subject: Re: Zaheduzzaman Sarker's Discuss on draft-ietf-bfd-unsolicited-11: (with DISCUSS and COMMENT)
Date: Tue, 18 Apr 2023 16:15:37 +0000
Message-ID: <CCD4BF6D-58FA-4C64-A263-FAD2F48EE442@juniper.net>
References: <167104636614.47387.14544637650303450586@ietfa.amsl.com> <20221215223922.GD23286@pfrc.org> <437097223.585815.1679885856359@mail.yahoo.com> <AM6PR07MB39920946F22521797E66B2B29F9C9@AM6PR07MB3992.eurprd07.prod.outlook.com> <20230418155721.GA20798@pfrc.org>
In-Reply-To: <20230418155721.GA20798@pfrc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/lRJgZ-OQSo1TiON8SuyzW0nxLmw>

Top-posting to avoid the nest of dueling quoting conventions :-( and since there’s only one residual point to settle.

I believe the draft text in question is:

OLD:
   *  Deploy the feature only in certain "trustworthy" environment,
      e.g., at an IXP, or between a provider and its customers.

Based on the conversation so far, let me throw out a suggestion for discussion.

NEW:
   *  Deploy the feature only in an environment that does not
      offer anonymous participation. Examples include an IXP,
      where the IXP operator will have a business relationship with
      all IXP participants, or between a provider and its customers.

Zahed, would that work for you?

Authors, any problems with that?

Thanks,

—John

> On Apr 18, 2023, at 11:57 AM, Jeffrey Haas <jhaas@pfrc.org> wrote:
> 
> Zahed,
> 
> Oddly enough, it appears that mail from ietf.org delivered one of the two
> copies of mail from you in a corrupted form.  This message replies to the
> missing piece of your question:
> 
> On Tue, Apr 18, 2023 at 12:44:13PM +0000, Zaheduzzaman Sarker wrote:
>>> The environment must be under reasonable operational control to satisfy the
>>> scaling of the impacted system.  What words would you prefer to have there
>>> instead?  How would those words change if you want to permit this feature to
>>> be utilized when the operational environment spans multiple entities, such
>>> as at an exchange point (IXP)?
>> 
>> Calling it something else would not resolve the issue until that “something else” is well defined or described. I have no issue with calling it trustworthy when it is described well so that we can understand it, like you attribute it as – “The environment must be under reasonable operational control to satisfy the scaling of the impacted system”. I suggest we put some descriptive text to explain what makes the environment trustworthy.
> 
> I don't believe that it will be possible to tersely state such a thing,
> partially because BFD is simply one element in a deep stack of such
> considerations.  As an example, unsecured ARP may be utilized in an IXP
> environment.  You can do far more damage by spoofing ARP than you can in
> BFD.  Same for discovery components like LLDP.
> 
> If you're looking for a particular term of art for such a trustworthy
> environment where multiple potentially semi-trustworthy parties are
> involved, we'll likely need to have such a thing supplied by current
> security practitioners.
> 
> From a general networking standpoint, some properties of such an environment
> seem obvious:
> - The network element that can be attacked is expected to be attacked by a
>  device one IP hop away. (See GTSM considerations in the draft.)
> - Attackers must either be directly connected to the network element or on
>  shared media with the network element, thus limiting the set of attackers.
> - Layer 2 control mechanisms such as 802.1X may limit the viability of
>  attackers to known parties.
> 
> In such circumstances, attackers in many circumstances are indistinguishable
> from misconfigured or misbehaving parties.  When things go wrong, the IXP
> operator will simply chase it down.  It's not like this would be the first
> such malfunction.
> 
> Active attackers who are breaking into your racks just to mess with you
> imply security issues far beyond the scope of this protocol extension.
> 
> -- Jeff
>
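The properties Jeff lists above (the attacker is one IP hop away, so GTSM applies; the set of attackers is bounded to directly connected parties) translate into a small admission check that a passive BFD implementation can run before it lets an unsolicited control packet create a session. The following is an added example written for this archive page, not code from the draft, its authors, or any vendor implementation. The BFD header layout is the mandatory section from RFC 5880, and the TTL check is GTSM as in RFC 5082 (the TTL/hop-limit value is assumed to be supplied by the caller from the receiving socket). The per-interface source allowlist, the session cap and the reason strings are assumptions about how an operator-controlled environment might be expressed in configuration, not text from the draft or this thread.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

# Mandatory BFD control packet header (RFC 5880, section 4.1):
# Vers/Diag, Sta/Flags, Detect Mult, Length, My Discr, Your Discr,
# Desired Min TX, Required Min RX, Required Min Echo RX.
BFD_HDR = struct.Struct("!BBBBIIIII")
BFD_MIN_LEN = BFD_HDR.size  # 24 bytes without an authentication section


@dataclass
class UnsolicitedPolicy:
    """Per-interface policy for accepting unsolicited (passive) sessions.
    The allowlist and cap are assumptions for this example, not draft text."""
    allowed_sources: list          # networks a peer's source address must fall in
    max_sessions: int              # cap on passive sessions created on this interface
    require_gtsm: bool = True      # RFC 5082: IP TTL / hop limit must be 255


@dataclass
class Interface:
    name: str
    policy: UnsolicitedPolicy
    sessions: dict = field(default_factory=dict)   # (src, peer My Discr) -> peer state


def parse_bfd(packet: bytes):
    """Decode the mandatory BFD header; return a dict, or None if the packet
    fails the RFC 5880 section 6.8.6 reception checks covered here."""
    if len(packet) < BFD_MIN_LEN:
        return None
    vd, sf, mult, length, my_disc, your_disc, tx, rx, echo = BFD_HDR.unpack_from(packet)
    version = vd >> 5
    if version != 1 or length != len(packet) or mult == 0 or my_disc == 0:
        return None
    return {
        "version": version, "diag": vd & 0x1F, "state": sf >> 6, "flags": sf & 0x3F,
        "detect_mult": mult, "my_disc": my_disc, "your_disc": your_disc,
        "desired_min_tx": tx, "required_min_rx": rx, "required_min_echo": echo,
    }


def admit_unsolicited(iface: Interface, src: str, ttl: int, packet: bytes):
    """Decide whether an unsolicited BFD control packet received on `iface`
    from `src` with IP TTL/hop limit `ttl` may create a passive session.
    Returns (accepted, reason). Packets for already-demultiplexed sessions
    (Your Discriminator != 0) are not session initiations and are refused here."""
    pkt = parse_bfd(packet)
    if pkt is None:
        return False, "malformed"
    pol = iface.policy
    if pol.require_gtsm and ttl != 255:
        # A packet that crossed a router cannot arrive with TTL 255,
        # so anything not directly connected is dropped before any state is created.
        return False, "gtsm"
    if not any(ipaddress.ip_address(src) in net for net in pol.allowed_sources):
        return False, "source-not-allowed"
    if pkt["your_disc"] != 0:
        return False, "not-initiation"
    key = (src, pkt["my_disc"])
    if key in iface.sessions:
        iface.sessions[key] = pkt["state"]
        return True, "existing"
    if len(iface.sessions) >= pol.max_sessions:
        # Bound the state a misbehaving or hostile neighbour can make us allocate.
        return False, "session-limit"
    iface.sessions[key] = pkt["state"]
    return True, "created"


def build_bfd(my_disc, your_disc=0, state=1, mult=3, tx=1_000_000, rx=1_000_000):
    """Constructed test packet: version 1, given state (1 = Down), no auth section."""
    return BFD_HDR.pack(1 << 5, state << 6, mult, BFD_MIN_LEN, my_disc, your_disc, tx, rx, 0)


def demo():
    """Run a constructed sequence of arrivals on one IXP-facing interface
    and return the admission reason for each."""
    iface = Interface("ixp-lan", UnsolicitedPolicy(
        allowed_sources=[ipaddress.ip_network("203.0.113.0/24")], max_sessions=2))
    arrivals = [  # (source address, received TTL, packet) -- all constructed
        ("203.0.113.10", 255, build_bfd(0x1001)),   # legitimate directly connected peer
        ("203.0.113.11", 254, build_bfd(0x1002)),   # one router away: GTSM rejects it
        ("198.51.100.7", 255, build_bfd(0x1003)),   # outside the allowed source range
        ("203.0.113.12", 255, build_bfd(0x1004)),   # second legitimate peer
        ("203.0.113.13", 255, build_bfd(0x1005)),   # would exceed the session cap
        ("203.0.113.10", 255, build_bfd(0x1001)),   # retransmission from the first peer
        ("203.0.113.14", 255, b"\x20\x40\x03"),     # truncated packet
    ]
    return [admit_unsolicited(iface, src, ttl, pkt)[1] for src, ttl, pkt in arrivals]


if __name__ == "__main__":
    print(demo())
```

The ordering is deliberate: the GTSM and source checks run before any parsing result is trusted beyond well-formedness and before any session state is allocated, so a sender that is not directly connected costs the receiver nothing but the packet parse. Whether a source allowlist and a session cap are acceptable operational controls is exactly the question the thread is debating; the code only shows what such controls look like once the environment is assumed to be non-anonymous.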