Re: rtg-dir review: ross, russ: draft-ietf-mpls-lsp-ping-09.txt
Ross Callon <rcallon@juniper.net> Mon, 13 June 2005 14:08 UTC
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA15509 for <rtg-dir-archive@ietf.org>; Mon, 13 Jun 2005 10:08:27 -0400 (EDT)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DhpyN-0007Au-PF for rtg-dir-archive@ietf.org; Mon, 13 Jun 2005 10:31:32 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Dhpbb-0004hx-CF; Mon, 13 Jun 2005 10:07:59 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DhpbZ-0004hn-7v for rtg-dir@megatron.ietf.org; Mon, 13 Jun 2005 10:07:57 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA15433 for <rtg-dir@ietf.org>; Mon, 13 Jun 2005 10:07:55 -0400 (EDT)
Received: from colo-dns-ext2.juniper.net ([207.17.137.64]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1Dhpxq-00079x-An for rtg-dir@ietf.org; Mon, 13 Jun 2005 10:30:59 -0400
Received: from merlot.juniper.net (merlot.juniper.net [172.17.27.10]) by colo-dns-ext2.juniper.net (8.12.3/8.12.3) with ESMTP id j5DE7TBm057469; Mon, 13 Jun 2005 07:07:33 -0700 (PDT) (envelope-from rcallon@juniper.net)
Received: from rcallon-lt1.juniper.net ([172.28.4.239]) by merlot.juniper.net (8.11.3/8.11.3) with ESMTP id j5DE7Se57843; Mon, 13 Jun 2005 07:07:28 -0700 (PDT) (envelope-from rcallon@juniper.net)
Message-Id: <5.0.0.25.2.20050613095716.037455d8@zircon.juniper.net>
X-Sender: rcallon@zircon.juniper.net
X-Mailer: QUALCOMM Windows Eudora Version 5.0
Date: Mon, 13 Jun 2005 10:07:26 -0400
To: Alex Zinin <zinin@psg.com>
From: Ross Callon <rcallon@juniper.net>
In-Reply-To: <13610704709.20050603121737@psg.com>
References: <5.0.0.25.2.20050602223948.049834c8@zircon.juniper.net> <177295214.20050601221810@psg.com> <5.0.0.25.2.20050602223948.049834c8@zircon.juniper.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: d185fa790257f526fedfd5d01ed9c976
Cc: rcallon@juniper.net, rtg-dir@ietf.org, riw@cisco.com
Subject: Re: rtg-dir review: ross, russ: draft-ietf-mpls-lsp-ping-09.txt
X-BeenThere: rtg-dir@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Routing Area Directorate <rtg-dir.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:rtg-dir@ietf.org>
List-Help: <mailto:rtg-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=subscribe>
Sender: rtg-dir-bounces@ietf.org
Errors-To: rtg-dir-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: b280b4db656c3ca28dd62e5e0b03daa8
On the most part the document looks quite good. My one substantial issue is the lack of a defined mechanism for authentication in draft-ietf-mpls-lsp-ping-09.txt. One point might be the computational cost of this: However, this would seem to be just as much an issue for BFD, which is after all supposed to be do-able at a very rapid rate and which does authentication. Also, LSP Ping is potentially useful at an "interact with a human trying to debug things" rate, which would imply that authentication should be fast enough for at least this common case. Also, making authentication work at a very high rate is an implementation issue, and is possible (at least if planned for in future products). The most obvious authentication methods (password, MD5, SHA1) are defined for BFD (see section 6.6 of draft-ietf-bfd-base-02.txt), and probably should also be available for LSP Ping. Other points: The security considerations section does discuss authentication. For example: "Authentication will help reduce the number of seemingly valid MPLS echo requests, and thus cut down the Denial of Service attacks;" First of all, I don't see how you can state that authentication could be used for this purpose, when there is no authentication defined. Secondly, authentication only helps prevent DoS for those parts of the system which are *after* the packets with bad authentication are discarded. For whatever part of the system has to actually check the authentication and discard bad packets, authentication can make DoS *worse*, due to the fact that checking authentication itself requires work. Whether this is a win or a loss for the specific case of DoS attacks therefore depends upon a variety of details (such as whether checking the authentication is done in software on a central CPU, or is done in some sort of dedicated hardware). Possibly the security section should explain this. Also there are other more clearly positive advantages of authentication, such as preventing a hacker from initiating a ping, which also might be worth discussing in the security section. Thanks, Ross At 12:17 PM 6/3/2005 -0700, Alex Zinin wrote: >Ross, > > Thanks. Within a week should be fine. > >-- >Alex >http://www.psg.com/~zinin > >Thursday, June 2, 2005, 7:43:35 PM, Ross Callon wrote: > > Okay. I can look at this. > > > When do you want the review? > > > thanks, Ross > > > At 10:18 PM 6/1/2005 -0700, Alex Zinin wrote: > >>skill-specific: Ross (MPLS) > >>round-robin: Russ > >> > >>This one is out of the MPLS WG, on its way to the IETF LC, which I'm > >>starting. > >> > >>http://www.ietf.org/internet-drafts/draft-ietf-mpls-lsp-ping-09.txt > >> > >> > Abstract > >> > > >> > This document describes a simple and efficient mechanism that can be > >> > used to detect data plane failures in Multi-Protocol Label Switching > >> > (MPLS) Label Switched Paths (LSPs). There are two parts to this > >> > document: information carried in an MPLS "echo request" and "echo > >> > reply" for the purposes of fault detection and isolation; and > >> > mechanisms for reliably sending the echo reply. > >> > >>Thank you. > >>-- > >>Alex > >>http://www.psg.com/~zinin
- rtg-dir review: ross, russ: draft-ietf-mpls-lsp-p… Alex Zinin
- Re: rtg-dir review: ross, russ: draft-ietf-mpls-l… Ross Callon
- Re: rtg-dir review: ross, russ: draft-ietf-mpls-l… Russ White
- Re: rtg-dir review: ross, russ: draft-ietf-mpls-l… Alex Zinin
- Re: rtg-dir review: ross, russ: draft-ietf-mpls-l… Alex Zinin
- Re: rtg-dir review: ross, russ: draft-ietf-mpls-l… Russ White
- Re: rtg-dir review: ross, russ: draft-ietf-mpls-l… Ross Callon
- Re: rtg-dir review: ross, russ: draft-ietf-mpls-l… Alex Zinin