Re: [RTG-DIR] [mpls] Rtgdir last call review of draft-ietf-mpls-bfd-directed-26
Greg Mirsky <gregimirsky@gmail.com> Thu, 04 April 2024 21:26 UTC
Return-Path: <gregimirsky@gmail.com>
X-Original-To: rtg-dir@ietfa.amsl.com
Delivered-To: rtg-dir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 572F4C1C3D7C; Thu, 4 Apr 2024 14:26:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l24cMsyn9mvX; Thu, 4 Apr 2024 14:26:07 -0700 (PDT)
Received: from mail-yw1-x1136.google.com (mail-yw1-x1136.google.com [IPv6:2607:f8b0:4864:20::1136]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55AB4C151995; Thu, 4 Apr 2024 14:26:07 -0700 (PDT)
Received: by mail-yw1-x1136.google.com with SMTP id 00721157ae682-6152be7c58bso16183987b3.0; Thu, 04 Apr 2024 14:26:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712265966; x=1712870766; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ai1rTRHOeQZttcDWF1kuaWVqLDSCZ/Mtd3aDiOelRVs=; b=Po/TEepF3LAHqz5cLGkNnUJAlL10XtaKpV1KZiqD2lZ9aISdbRtXY5bnTkEUE63SpD 9866MhKci9frWzBCi5NI+XcutfZmVJTVM4gmzwgnhW0Y0DAO2lMMfCuJlfhQstarogmj +N9ahXMdm51NmzWUX+2XieHtuuQSp6j4s6fAw/oJfOtB6MOQx4bQScYGE5OPWrdy8N0r 4FlfTyBPiTgschcs8vc/vnCJXdFXZmRzNAXiWDv7RLgdT7HSYDlRcRf/izExyDpMsqqY i/YtZk2/6TQH7LNKRh14WTsN5UgbdyroJepOWdZCTWWufmX11hr6OKBRxWffFNTyoyLI 47Tw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712265966; x=1712870766; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ai1rTRHOeQZttcDWF1kuaWVqLDSCZ/Mtd3aDiOelRVs=; b=w6RnSk2ZXmjbrGFJYcqHPG2ucbck2+++j2teUzxiw2QtEf588IbM1DGYUqnjKQ0NID hV9kPHivj7txjs/wyC+cd9meCW19VcOuX5ZQ4JTxvo8OlpehbhXlFFk3fvlpf6eHtyRU ORDujr2iwYTaPSehcbigCWbqix7mtvOncpduF1s7730idQXb07oMjqmfJAoJ6fe9OhNm yfPPMV6oLTJ1Qw6Vd/WWFfhLoV7D4IPORQ/Ud8pku0IC5h3TJoCkDThGzfLGU09KLcmU Hz3tAbQ596b6/hQhva7LVk2X4IsJyMHv8sXgULBtwGkuaQiPIVVhT/f95mkvq+mklg1l 3WKA==
X-Forwarded-Encrypted: i=1; AJvYcCWjiu9TA2P5UkfvvO6BRIbRemhaosEP3e0QpQEEf1CFwD2UE95MdOUL+bLGCuU3c3XluipOEL8W577qBQ0B9DeB8eDS/vb5DKwI6PxW371M6Bf0W6j61fm/zQvuTEE3a7bz+xSNpzViHQPUCq0B6+KTD8rxjuIUTK2Xx7xL83IteWT4xGDusH8BQEjxPdIn3suacOTgzqIiDtHkA6zQcTDa
X-Gm-Message-State: AOJu0YzRqviNkJ7c2Ut4gtn4MQsHr+SWMIiykMbE/uHlmEdSXrHghYyk Jc2BRUMQ/tJoAYIg3giquoEEKtM7vh/EwcR7CEC3TeXpjZclNaBNI0rBWxqmivgMaUhnQL+/qq7 10Ixq18Z9o5brexoAqfPadbgev5c=
X-Google-Smtp-Source: AGHT+IEyQ8Y4vRVW5BXSSaw8sSJfkXNCTMusm/g3nIzWNriPdnmWI1wEhfdQPO6/R4+wXYz0I8F491BulbiIbjI0C0g=
X-Received: by 2002:a81:480b:0:b0:611:1e35:e5d8 with SMTP id v11-20020a81480b000000b006111e35e5d8mr3629589ywa.32.1712265966150; Thu, 04 Apr 2024 14:26:06 -0700 (PDT)
MIME-Version: 1.0
References: <171220661785.52439.11310530719909954079@ietfa.amsl.com> <CA+RyBmUwL2RwvP0agYWLw+6AEDUx_62K93A7=L3QMnuF11+5Rg@mail.gmail.com> <DU5PR03MB1056394A876995BD8B72D0301EE3C2@DU5PR03MB10563.eurprd03.prod.outlook.com> <CA+RyBmWFsKeocngZ70P8C98YJcPmyckFZ+x2Qkm-FkXMYBS5uw@mail.gmail.com> <DU5PR03MB10563A7DC13B5E991D5BA3261EE3C2@DU5PR03MB10563.eurprd03.prod.outlook.com>
In-Reply-To: <DU5PR03MB10563A7DC13B5E991D5BA3261EE3C2@DU5PR03MB10563.eurprd03.prod.outlook.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Thu, 04 Apr 2024 14:25:55 -0700
Message-ID: <CA+RyBmX7XoXk79bVg9r9+4OkpvrBPNkg3cbuxKhNeh5AkkAxkQ@mail.gmail.com>
To: Andrew Alston <Andrew.Alston@liquidtelecom.com>
Cc: Andrew Alston - IETF <andrew-ietf@liquid.tech>, "rtg-dir@ietf.org" <rtg-dir@ietf.org>, "draft-ietf-mpls-bfd-directed.all@ietf.org" <draft-ietf-mpls-bfd-directed.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "mpls@ietf.org" <mpls@ietf.org>, "rtg-ads@ietf.org" <rtg-ads@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ac6c4b06154bfc18"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-dir/vhRx3ET0nYWHYgwzjzyTzKToET0>
Subject: Re: [RTG-DIR] [mpls] Rtgdir last call review of draft-ietf-mpls-bfd-directed-26
X-BeenThere: rtg-dir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Routing Area Directorate <rtg-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-dir/>
List-Post: <mailto:rtg-dir@ietf.org>
List-Help: <mailto:rtg-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2024 21:26:11 -0000
Hi Andrew, thank you for your comments and the discussion. I've uploaded the new version that includes both updates. Now the current version is available for comments and questions. Regards, Greg On Thu, Apr 4, 2024 at 1:58 PM Andrew Alston < Andrew.Alston@liquidtelecom.com> wrote: > I’m ok with this if the working group is. I chatted to Jim as the relevant > AD regarding the new text and the implementation of a limit and asked if > this would cause the need for a whole other last call. He agreed that if > the chairs agree we can simply poll the working group to ensure everyone is > happy and the results of the last call will then stand. > > So if the chairs are ok to proceed in that manner I’m good with that. > > Thanks > > Andrew > > Get Outlook for iOS <https://aka.ms/o0ukef> > > Internal All Employees > ------------------------------ > *From:* Greg Mirsky <gregimirsky@gmail.com> > *Sent:* Thursday, April 4, 2024 11:50:27 PM > *To:* Andrew Alston <Andrew.Alston@liquidtelecom.com> > *Cc:* Andrew Alston - IETF <andrew-ietf@liquid.tech>; rtg-dir@ietf.org < > rtg-dir@ietf.org>; draft-ietf-mpls-bfd-directed.all@ietf.org < > draft-ietf-mpls-bfd-directed.all@ietf.org>; last-call@ietf.org < > last-call@ietf.org>; mpls@ietf.org <mpls@ietf.org>; rtg-ads@ietf.org < > rtg-ads@ietf.org> > *Subject:* Re: [mpls] Rtgdir last call review of > draft-ietf-mpls-bfd-directed-26 > > CAUTION: This email has originated from a free email service commonly used > for personal email services, please be guided accordingly especially if > this email is asking to click links or share information. > > Hi Andrew, > thank you for further clarifying your concern. After discussing this > scenario, I propose the following update in Section 3.1: > OLD TEXT: > None, one or more sub-TLVs > MAY be included in the BFD Reverse Path TLV. > NEW TEXT: > None, one or more sub-TLVs > MAY be included in the BFD Reverse Path TLV. However, the number of > sub-TLVs in the Reverse Path field MUST be limited. The default > limit is 128, but an implementation MAY be able to control that > limit. > > Do you find this update reasonably addressing your concern? > > Regards, > Greg > > On Thu, Apr 4, 2024 at 12:26 PM Andrew Alston < > Andrew.Alston@liquidtelecom.com> wrote: > > Hi Greg, > > I’m more concerned about the potential load of that search for path in the > path sent is ridiculously long basically the current text works - but I’m > concerned it opens a potential denial of service vector by forcing the > receiving router to do a search against a path that could contain a > thousand sub-tlvs without exceeding the mtu length. > > For example - a generic ipv4 tlv in the registry as defined by 8029 - > which is in the type 1/16/29 registry - is 8 bytes long - a 9000 byte > packet could pack these a thousand deep and the receiver would then be > trying to match that to a local LSP - which could potentially create a huge > resource issue. > > It may be that the working group doesn't view this as a viable problem - > but since I spotted it - it's necessary to raise it and see what people > think > > Thanks > > Andrew > > Get Outlook for iOS <https://aka.ms/o0ukef> > > Internal All Employees > ------------------------------ > *From:* mpls <mpls-bounces@ietf.org> on behalf of Greg Mirsky < > gregimirsky@gmail.com> > *Sent:* Thursday, April 4, 2024 8:04:56 PM > *To:* Andrew Alston - IETF <andrew-ietf@liquid.tech> > *Cc:* rtg-dir@ietf.org <rtg-dir@ietf.org>; > draft-ietf-mpls-bfd-directed.all@ietf.org < > draft-ietf-mpls-bfd-directed.all@ietf.org>; last-call@ietf.org < > last-call@ietf.org>; mpls@ietf.org <mpls@ietf.org>; rtg-ads@ietf.org < > rtg-ads@ietf.org> > *Subject:* Re: [mpls] Rtgdir last call review of > draft-ietf-mpls-bfd-directed-26 > > CAUTION: This email has originated from a free email service commonly used > for personal email services, please be guided accordingly especially if > this email is asking to click links or share information. > > Hi Andrew, > thank you for your thorough review and constructive comments. As we > discussed, the new working version includes the update addressing your > first question. Please find my notes in response to the second scenario > below under the GIM>> tag. > > Regards, > Greg > > On Wed, Apr 3, 2024 at 9:57 PM Andrew Alston via Datatracker < > noreply@ietf.org> wrote: > > Reviewer: Andrew Alston > Review result: Has Issues > > RtgDir Last Call review: draft-ietf-mpls-bfd-directed > > Hello, > > I have been selected as the Routing Directorate reviewer for this draft. > The > Routing Directorate seeks to review all routing or routing-related drafts > as > they pass through IETF last call and IESG review, and sometimes on special > request. The purpose of the review is to provide assistance to the Routing > ADs. > For more information about the Routing Directorate, please see > https://wiki.ietf.org/en/group/rtg/RtgDir > > Although these comments are primarily for the use of the Routing ADs, it > would > be helpful if you could consider them along with any other IETF Last Call > comments that you receive, and strive to resolve them through discussion > or by > updating the draft. > > Document: draft-ietf-mpls-bfd-directed-26 > Reviewer: Andrew Alston > Review Date: 04-04-2024 > IETF LC End Date: 16-04-2024 > Intended Status: Experimental > > Summary: > > I have some minor concerns about this document that I think should be > resolved > before publication. > > Comments: > > The draft itself was well written and clear. I found no major issues in > either > the text of the draft or it's content, beyond the two issues noted below > > Major Issues: > > In Section 3.1 the BFD Reverse Path field TLV Type and Length fields are > both 2 > octets (16bits) in length. The document goes on to state that the Reverse > path > field contains none, one, or more sub-TLV's. It further states that these > sub-TLV types may be any sub-TLV type defined for TLV Type 1, 16 or 21 in > the > MPLS LSP Ping Parameters registry. > > There is no limitation on the length that can be specified in the length > field. > > This raises the possibility that a length could be used - with stacked > sub-TLV's in the reverse path, to create a very large packet, which could > potentially create a denial of service issue / MTU issue on the path. I've > discussed this with the authors prior to sending this review (and my > thanks to > them for their timely responses to my queries) and it is proposed that an > update to the first paragraph of the Operational Considerations section of > the > documented be updated from: > > OLD TEXT: > When an explicit path is set either as Static or RSVP-TE LSP, > corresponding sub-TLVs, defined in [RFC7110], MAY be used to identify > the explicit reverse path for the BFD session. > > To NEW TEXT: > When an explicit path is set etierhet as Static or RSVP-TE LSP, > corresponding sub-TLVs, defined in [RFC7110], MAY be used to identify > the explicit reverse path for the BFD session. If a particular set of > sub-TLVs composes the Return Path TLV [RFC7110] and does not increase > the length of the Maximum Transmission Unit for the given LSP, > that set can be safely used in the BFD Reverse Path TLV. > > The second issue - which is related - concerns a potential denial of > service > vector in the supplied path lengths. > > Should a path defined by these sub-TLV's be of extreme length, > irrespective of > it being valid or not, there is a concern that the receiving router, on > attempting to do path matching to the reverse path, could be vulnerable to > resource saturation. By way of illustration, the document states that any > sub-TLV in the LSP ping parameters registry for types 1, 16 and 21 may be > used. > By specifying a length of 8192 and utilsing sub-TLV 14 (Generic IPv4 > Prefix as > specified in RFC8029), a path of 2048 elements could be constructed. It's > unclear how a receiving router would handle the processing of this. Similar > scenarios can occur when paths are specified in terms of IPv4 IGP-Prefix > Segment ID's which can be stacked. > > Effectively, there is a concern that through the use of long paths - valid > or > not valid - it may be possible to create resource starvation on the > receiving > router by spamming these packets. This is slightly mitigated by the fact > that > these packets will be inside a limited domain, however, that does not > mitigate > the concern should said limited domain be compromised to allow for such > transmission. > > GIM>> Thank you for bringing this scenario to our attention. Should note > that the use of the BFD Reverse Path TLV in LSP Ping in SR-MPLS is > considered in more details in draft-ietf-spring-bfd > <https://datatracker.ietf.org/doc/draft-ietf-spring-bfd/>. There, the use > of Non-FEC TLV is recommended for the SR-MPLS environment. For the scenario > that you describe, it seems like the receiver of the MPLS Echo Request > message will evaluate the reverse path constructed based on sub-TLVs and > determine whether it can support it. If the path is deemed invalid, then > the MPLS Echo Reply message will include the Return Code defined in Section > 3.2: > * "Failed to establish the BFD session. The specified reverse path > was not found" (TBD4). When a specified reverse path is > unavailable, the egress BFD peer sends an Echo Reply with the > return code set to "Failed to establish the BFD session. The > specified reverse path was not found" to the ingress BFD peer > Section 3.1. > > What are your thoughts? > > > Minor Issues: > > No minor issues found. > > > >
- [RTG-DIR] Rtgdir last call review of draft-ietf-m… Andrew Alston via Datatracker
- Re: [RTG-DIR] Rtgdir last call review of draft-ie… Greg Mirsky
- Re: [RTG-DIR] [mpls] Rtgdir last call review of d… Andrew Alston
- Re: [RTG-DIR] [mpls] Rtgdir last call review of d… Greg Mirsky
- Re: [RTG-DIR] [mpls] Rtgdir last call review of d… Andrew Alston
- Re: [RTG-DIR] [mpls] Rtgdir last call review of d… Greg Mirsky