Re: [RTG-DIR] RtgDir review: draft-ietf-bfd-multipoint-active-tail-08.txt

Greg Mirsky <gregimirsky@gmail.com> Mon, 18 June 2018 01:27 UTC

Return-Path: <gregimirsky@gmail.com>
X-Original-To: rtg-dir@ietfa.amsl.com
Delivered-To: rtg-dir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7979130E71; Sun, 17 Jun 2018 18:27:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wbdgyPm0w2pd; Sun, 17 Jun 2018 18:27:53 -0700 (PDT)
Received: from mail-lf0-x243.google.com (mail-lf0-x243.google.com [IPv6:2a00:1450:4010:c07::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1408126CC7; Sun, 17 Jun 2018 18:27:52 -0700 (PDT)
Received: by mail-lf0-x243.google.com with SMTP id g21-v6so22140394lfb.4; Sun, 17 Jun 2018 18:27:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=3nJ2B/qUmycyys0DCRgXquEDTmTKzPBez5PhmtwfU1I=; b=JB257V4B4LjSX6NOU33qI2OXk64CIEE35+SdeYpMh4vOGk7TFR8ZGdCM3amfSlkW7L UVS0Pt6HKkHFDLhzREPaJFbxFNexeHPRNRAy00dP74RSDqrMCq1cBzbZWkd+RYiFXtE+ EIixVWpgm8RQ3QMoUBbYqwESW+wCrSwcD0xxi/t8boI3cZbPlB//88aj0Yp6xcExV+BO +2d8g7HeOWZDITZdnY35hgK+2/4HhoOhBrQeswvWFNA1ljOipGAIPcfYyHQ/dInmUi5g 7DR9tsWBAn0g4RlbOiTp6j75auQnNcrDb13JInz59QDigem6214XvsaOYL3fgshp8Ne3 tf4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=3nJ2B/qUmycyys0DCRgXquEDTmTKzPBez5PhmtwfU1I=; b=ljxIn/E4suIJ8Y3X5VUtBpSjzp2Lr1NckOIV+c333IsyCxi/U3CBliqs3ilb3Its1F gGdOSjrNrQtlfmESCodcuhESs4z9lQJeg+BKjqTq3aKY3FkQ5qGNZJhNlHajzb++lGTf juZrITDs0RUCQoVpfZS7eYKSXo0yEpbDLVc2iXvatLrTxagjPKyZt1tGMjRlahyMV0Kb LRkmHg4KQossNugZ0JEUgSWivPgjyhRyDNcoCl8fwFL0o2KcAGgMR4RE4AHt4UOnI0da dEeQRMhvv4UebhlH3mUVmBObC70A8VMbtXIqrEYa0rOsIcgGFdO6u0Xa4QbvOoiKLhU8 J23Q==
X-Gm-Message-State: APt69E2DC1fb2KMEeTWW48Bq9aCW6tC2o47fzzlJ4CqZPJoZEbLZhCwP jzigFgrcySA8bIorDNEOwjRz7xCaYKvCp1R4xOgVXA==
X-Google-Smtp-Source: ADUXVKJbUtoX0nKegq5Av6DDap3Nxz9aNIrAj8KcfE1yj6FsDAbyHBNecFZeBr+X5a70vTpE1igrDirl2MZl4i93riQ=
X-Received: by 2002:a19:ae11:: with SMTP id f17-v6mr5834366lfc.143.1529285270924; Sun, 17 Jun 2018 18:27:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a2e:6e08:0:0:0:0:0 with HTTP; Sun, 17 Jun 2018 18:27:49 -0700 (PDT)
In-Reply-To: <CAHANBt+ZwsMfdknrnExY60UuyDWZ_2u6Gp-9mg=5gApo+UqMpQ@mail.gmail.com>
References: <CAHANBt+ZwsMfdknrnExY60UuyDWZ_2u6Gp-9mg=5gApo+UqMpQ@mail.gmail.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Sun, 17 Jun 2018 18:27:49 -0700
Message-ID: <CA+RyBmX96gBOxz+E5TPTFbf77KBV04cpzWFH3G0YravBksgtXg@mail.gmail.com>
To: Stig Venaas <stig@venaas.com>
Cc: "<rtg-ads@ietf.org>" <rtg-ads@ietf.org>, draft-ietf-bfd-multipoint-active-tail.all@ietf.org, bfd@ietf.org, rtg-dir@ietf.org
Content-Type: multipart/alternative; boundary="000000000000557289056ee0797e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-dir/C5VOGk-oL-NjsQWzDbBS8NmZN2Y>
Subject: Re: [RTG-DIR] RtgDir review: draft-ietf-bfd-multipoint-active-tail-08.txt
X-BeenThere: rtg-dir@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Routing Area Directorate <rtg-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-dir/>
List-Post: <mailto:rtg-dir@ietf.org>
List-Help: <mailto:rtg-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jun 2018 01:27:56 -0000

Hi Stig,
thank you for the review and the most detailed technical comments.
Please find my answers and proposed updates in-line tagged GIM>>.

Regards,
Greg

On Fri, Jun 15, 2018 at 2:16 PM, Stig Venaas <stig@venaas.com> wrote:

> Hello,
>
> I have been selected as the Routing Directorate reviewer for this
> draft. The Routing Directorate seeks to review all routing or
> routing-related drafts as they pass through IETF last call and IESG
> review, and sometimes on special request. The purpose of the review is
> to provide assistance to the Routing ADs. For more information about
> the Routing Directorate, please see
> http://trac.tools.ietf.org/area/rtg/trac/wiki/RtgDir
>
> Although these comments are primarily for the use of the Routing ADs,
> it would be helpful if you could consider them along with any other
> IETF Last Call comments that you receive, and strive to resolve them
> through discussion or by updating the draft.
>
> Document: draft-ietf-bfd-multipoint-active-tail-08.txt
> Reviewer: Stig Venaas
> Review Date: date 2018-06-15
> IETF LC End Date: 2018-06-18
> Intended Status: Standards Track
>
> Summary:
> I have some minor concerns about this document that I think should be
> resolved before publication.
>
> Comments:
>
> The document is in a good shape and almost ready for publication. I
> only have some minor issues and a couple of nits. The main one is
> perhaps the security considerations.
>
> Major Issues:
> No major issues found.
>
>
> Minor Issues:
>
> I found 5.2.3 last paragraph a bit confusing:
>    If the multipoint path and the reverse unicast path both stay up but
>    the forward unicast path fails, neither side will notice so long as a
>    unicast Poll Sequence is never sent by the head.  If the head sends a
>    unicast Poll Sequence, the head will see the BFD session fail, but
>    the state of the multipoint path will be unknown to the head.  The
>    tail will continue to receive multipoint data traffic.
>
> It says here that the state of the multipoint path is unknown, which is
> true if it only does unicast polling. But the assumption is 5.2.3 is
> that multipoint polling is also done. So it might be good to point out
> that the state of the multipoint path will determined by the multipoint
> pull.
>
GIM>> Please consider the updated text below:
OLD TEXT:
   If the multipoint path and the reverse unicast path both stay up but
   the forward unicast path fails, neither side will notice so long as a
   unicast Poll Sequence is never sent by the head.  If the head sends a
   unicast Poll Sequence, the head will see the BFD session fail, but
   the state of the multipoint path will be unknown to the head.  The
   tail will continue to receive multipoint data traffic.
NEW TEXT:
   If the multipoint path and the reverse unicast path both stay up but
   the forward unicast path fails, neither side will notice this failure
   so long as a unicast Poll Sequence is never sent by the head.  If the
   head sends a unicast Poll Sequence, the head will detect the failure
   in the forward unicast path.  The state of the multipoint path will
   be determined by multipoint Poll.  The tail will continue to receive
   multipoint data traffic.


> The security considerations could need more details. Is there some way an
> attacker can send forged multipoint polls getting clients to send a
> large number of responses to the head?

GIM>> In TSVART review of the Multipoint BFD draft Bob Briscoe brought up
similar, as I think of it, question of sppofing attack on tails. This is the
last mail of the discussion
<https://mailarchive.ietf.org/arch/msg/rtg-bfd/tTcSBcUUOmaeF4J67cwUTMnCEA0>.
Very much interested to hear your view on the three scenarios we've
discussed: IP mcast tree, directly connected IP mcast, and MPLS p2mp and
mp2mp LSPs. I think that for mp BFD with active tails even the second
scenario is not realistic as there's little benefit, in my opinion, to run
active tails in this environment.

> Also how hard would it be to use
> any address for the head?

GIM>> Demultiplexing BFD Control packets changed in mp BFD when comparing
with RFC 5880 and it now uses not only value in Your Discriminator field
but, as defined in Section 5.7 draft-ietf-bfd-multipoint:
   IP and MPLS multipoint tails MUST demultiplex BFD packets based on a
   combination of the source address, My Discriminator and the identity
   of the multipoint path which the Multipoint BFD Control packet was
   received from.  Together they uniquely identify the head of the
   multipoint path.
Thus the tail must be bootstrapped for the given mp BFD session with source
address, head's My Discriminator value, and identity of the multipoint path.

Would clients only accept a certain address
> for the head?

GIM>> Yes, as I've noted above, the tail MUST demultiplex BFD Control
packets using three value tuple that includes source address of the BFD
control packet.

It should perhaps be emphasized that BFD authentication
> mechanisms are important?

GIM>>  Per Bob Briscoe suggestions, in Section 6 of
draft-ietf-bfd-multipoint stated:
   Shared keys in multipoint scenarios allow any tail to spoof the head
   from the viewpoint of any other tail.  For this reason, using shared
   keys to authenticate BFD Control packets in multipoint scenarios is a
   significant security exposure unless all tails can be trusted not to
   spoof the head.  Otherwise, asymmetric message authentication would
   be needed, e.g., protocols that use Timed Efficient Stream Loss-
   Tolerant Authentication (TESLA) as described in [RFC4082].

   If authentication is in use, the head and all tails may be configured
   to have a common authentication key in order for the tails to
   validate multipoint BFD Control packets.

It should be possible to restrict a client to
> only respond to authenticated polls.

GIM>> Currently BFD doesn't have standard procedure to authenticated some
of the packets. BFD WG is working
on draft-ietf-bfd-optimizing-authentication for p2p BFD sessions.

> Also perhaps have some rate
> limiting in clients in case the head polls at an unreasonably high rate?
>
>
> Nits:
> In the Introduction it says:
>    This document effectively modifies and adds to Sections 5.12 and 5.13
>    of the base BFD multipoint document [I-D.ietf-bfd-multipoint].
> This should be 4.12 and 4.13, right?
>
GIM>> Section enumeration changed in version -17. Section Protocol Details
in draft-ietf-bfd-multipoint used to be #4 and now is #5.

>
> 6.13.1 and 6.13.2
> Refer to 5.13.x, but should be 4.13.x.
>
GIM>> As above.

>
> One of the authors is listed in the Acknowledgments section.
>
GIM>> Will update the Acknowledgments section accordingly.

>
> Regards,
> Stig
>