Re: rtg-dir review: ross, russ: draft-ietf-mpls-lsp-ping-09.txt
Alex Zinin <zinin@psg.com> Tue, 14 June 2005 06:34 UTC
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA14093 for <rtg-dir-archive@ietf.org>; Tue, 14 Jun 2005 02:34:57 -0400 (EDT)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1Di5NB-0006IM-GO for rtg-dir-archive@ietf.org; Tue, 14 Jun 2005 02:58:09 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Di50U-0004jp-DO; Tue, 14 Jun 2005 02:34:42 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Di50S-0004jI-Td for rtg-dir@megatron.ietf.org; Tue, 14 Jun 2005 02:34:41 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA14084 for <rtg-dir@ietf.org>; Tue, 14 Jun 2005 02:34:39 -0400 (EDT)
Received: from psg.com ([147.28.0.62] ident=mailnull) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1Di5Mt-0006I2-TB for rtg-dir@ietf.org; Tue, 14 Jun 2005 02:57:52 -0400
Received: from [147.28.0.62] (helo=usmovnazinin.alcatel.com) by psg.com with esmtp (Exim 4.50 (FreeBSD)) id 1Di50P-00050m-0F; Tue, 14 Jun 2005 06:34:37 +0000
Date: Mon, 13 Jun 2005 23:34:33 -0700
From: Alex Zinin <zinin@psg.com>
X-Priority: 3 (Normal)
Message-ID: <1847300379.20050613233433@psg.com>
To: Ross Callon <rcallon@juniper.net>
In-Reply-To: <5.0.0.25.2.20050613095716.037455d8@zircon.juniper.net>
References: <5.0.0.25.2.20050602223948.049834c8@zircon.juniper.net> <177295214.20050601221810@psg.com> <5.0.0.25.2.20050602223948.049834c8@zircon.juniper.net> <5.0.0.25.2.20050613095716.037455d8@zircon.juniper.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.8 (/)
X-Scan-Signature: 14582b0692e7f70ce7111d04db3781c8
Content-Transfer-Encoding: 7bit
Cc: rtg-dir@ietf.org, riw@cisco.com
Subject: Re: rtg-dir review: ross, russ: draft-ietf-mpls-lsp-ping-09.txt
X-BeenThere: rtg-dir@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Alex Zinin <zinin@psg.com>
List-Id: Routing Area Directorate <rtg-dir.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:rtg-dir@ietf.org>
List-Help: <mailto:rtg-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=subscribe>
Sender: rtg-dir-bounces@ietf.org
Errors-To: rtg-dir-bounces@ietf.org
X-Spam-Score: 0.8 (/)
X-Scan-Signature: 8de5f93cb2b4e3bee75302e9eacc33db
Content-Transfer-Encoding: 7bit
Ross, Russ- Thanks for reviewing, guys. I'll send your comments to the WG cc'ing the rtg-dir. Ross, regarding lack of authentication per se, I can see how an argument can be made that this is not worse than what the current IP ping/tracert have. I does seem strange that the doc tells what the authentication can do while there is none. -- Alex http://www.psg.com/~zinin Monday, June 13, 2005, 7:07:26 AM, Ross Callon wrote: > On the most part the document looks quite good. My one substantial > issue is the lack of a defined mechanism for authentication in > draft-ietf-mpls-lsp-ping-09.txt. > One point might be the computational cost of this: However, this would > seem to be just as much an issue for BFD, which is after all supposed > to be do-able at a very rapid rate and which does authentication. Also, > LSP Ping is potentially useful at an "interact with a human trying to > debug things" rate, which would imply that authentication should be fast > enough for at least this common case. Also, making authentication > work at a very high rate is an implementation issue, and is possible (at > least if planned for in future products). > The most obvious authentication methods (password, MD5, SHA1) are > defined for BFD (see section 6.6 of draft-ietf-bfd-base-02.txt), and probably > should also be available for LSP Ping. > Other points: The security considerations section does discuss > authentication. For example: > "Authentication will help reduce the number of seemingly valid > MPLS echo requests, and thus cut down the Denial of Service > attacks;" > First of all, I don't see how you can state that authentication could > be used for this purpose, when there is no authentication defined. > Secondly, authentication only helps prevent DoS for those parts of > the system which are *after* the packets with bad authentication are > discarded. For whatever part of the system has to actually check the > authentication and discard bad packets, authentication can make > DoS *worse*, due to the fact that checking authentication itself > requires work. Whether this is a win or a loss for the specific case of > DoS attacks therefore depends upon a variety of details (such as > whether checking the authentication is done in software on a central > CPU, or is done in some sort of dedicated hardware). Possibly the > security section should explain this. Also there are other more clearly > positive advantages of authentication, such as preventing a hacker > from initiating a ping, which also might be worth discussing in the > security section. > Thanks, Ross > At 12:17 PM 6/3/2005 -0700, Alex Zinin wrote: >>Ross, >> >> Thanks. Within a week should be fine. >> >>-- >>Alex >>http://www.psg.com/~zinin >> >>Thursday, June 2, 2005, 7:43:35 PM, Ross Callon wrote: >> > Okay. I can look at this. >> >> > When do you want the review? >> >> > thanks, Ross >> >> > At 10:18 PM 6/1/2005 -0700, Alex Zinin wrote: >> >>skill-specific: Ross (MPLS) >> >>round-robin: Russ >> >> >> >>This one is out of the MPLS WG, on its way to the IETF LC, which I'm >> >>starting. >> >> >> >>http://www.ietf.org/internet-drafts/draft-ietf-mpls-lsp-ping-09.txt >> >> >> >> > Abstract >> >> > >> >> > This document describes a simple and efficient mechanism that can be >> >> > used to detect data plane failures in Multi-Protocol Label Switching >> >> > (MPLS) Label Switched Paths (LSPs). There are two parts to this >> >> > document: information carried in an MPLS "echo request" and "echo >> >> > reply" for the purposes of fault detection and isolation; and >> >> > mechanisms for reliably sending the echo reply. >> >> >> >>Thank you. >> >>-- >> >>Alex >> >>http://www.psg.com/~zinin
- rtg-dir review: ross, russ: draft-ietf-mpls-lsp-p… Alex Zinin
- Re: rtg-dir review: ross, russ: draft-ietf-mpls-l… Ross Callon
- Re: rtg-dir review: ross, russ: draft-ietf-mpls-l… Russ White
- Re: rtg-dir review: ross, russ: draft-ietf-mpls-l… Alex Zinin
- Re: rtg-dir review: ross, russ: draft-ietf-mpls-l… Alex Zinin
- Re: rtg-dir review: ross, russ: draft-ietf-mpls-l… Russ White
- Re: rtg-dir review: ross, russ: draft-ietf-mpls-l… Ross Callon
- Re: rtg-dir review: ross, russ: draft-ietf-mpls-l… Alex Zinin