IETF Logo Mail Archive

Re: [secdir] secdir review of draft-ietf-ospf-node-admin-tag-05

"Acee Lindem (acee)" <acee@cisco.com> Wed, 14 October 2015 12:11 UTC

Return-Path: <acee@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 305561A1B4B; Wed, 14 Oct 2015 05:11:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IdZd2Pjm1ruT; Wed, 14 Oct 2015 05:11:15 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3609B1A1B19; Wed, 14 Oct 2015 05:11:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3606; q=dns/txt; s=iport; t=1444824676; x=1446034276; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=Mc+xs0s1EPu82D3jIffADOxfaUMqTBAt2I3czgMiUVE=; b=AL75tOOcUVqzeE+uzX/9u9Wxx5i2QliOKpHbyIrfcG8CWNoDaNL4t/dY tSZwzuruzBzsX585ViXUhPrqnz9g8XWrxp5zG25D6v0o3GhF106MX1C0c vH6h7HYTkDw0F0yRMgLzLvWoLPurDYxhCcxRhrj3b7TU8c1zJ6JI9ihxU U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BgAgAURh5W/5pdJa1eDoMYgUIGvX0BDYFagxOCCn8CHIEgOBQBAQEBAQEBgQqEJwEBBCMRRRACAQgYAgImAgICMBUQAgQOBYguryOTPwEBAQEBAQEBAQEBAQEBAQEBAQEBAReBIopShFozB4JpgUUBBJYVAY0anAkBHwEBQoIRHYEWPnGFaYEGAQEB
X-IronPort-AV: E=Sophos;i="5.17,681,1437436800"; d="scan'208";a="41317759"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 14 Oct 2015 12:11:15 +0000
Received: from XCH-ALN-013.cisco.com (xch-aln-013.cisco.com [173.36.7.23]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id t9ECBESS005626 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 14 Oct 2015 12:11:14 GMT
Received: from xch-rcd-015.cisco.com (173.37.102.25) by XCH-ALN-013.cisco.com (173.36.7.23) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Wed, 14 Oct 2015 07:11:00 -0500
Received: from xch-rcd-015.cisco.com ([173.37.102.25]) by XCH-RCD-015.cisco.com ([173.37.102.25]) with mapi id 15.00.1104.000; Wed, 14 Oct 2015 07:11:00 -0500
From: "Acee Lindem (acee)" <acee@cisco.com>
To: Benjamin Kaduk <kaduk@MIT.EDU>
Thread-Topic: secdir review of draft-ietf-ospf-node-admin-tag-05
Thread-Index: AQHRAtRkZED+3D3sTk6f1e8MGzkzuJ5lMHaAgATWidGAABZXAIAARf4A//++TICAANxhgA==
Date: Wed, 14 Oct 2015 12:11:00 +0000
Message-ID: <D243BD35.351B8%acee@cisco.com>
References: <alpine.GSO.1.10.1510091159450.26829@multics.mit.edu> <D23ED021.34690%acee@cisco.com> <BY1PR0501MB1381A8D06B804AE4508F371AD5320@BY1PR0501MB1381.namprd05.prod.outlook.com> <alpine.GSO.1.10.1510131547130.26829@multics.mit.edu> <D242FF5D.34EA7%acee@cisco.com> <alpine.GSO.1.10.1510131856050.26829@multics.mit.edu> <D2430569.34EFD%acee@cisco.com>
In-Reply-To: <D2430569.34EFD%acee@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.116.152.199]
Content-Type: text/plain; charset="utf-8"
Content-ID: <E0791B81C4602745AAB0D05E5F2E340A@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/TbPgg7rFkXQ-QCaSwc0b3KS5hGs>
Cc: "draft-ietf-ospf-node-admin-tag.all@ietf.org" <draft-ietf-ospf-node-admin-tag.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, Shraddha Hegde <shraddha@juniper.net>, "iesg@ietf.org" <iesg@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-ospf-node-admin-tag-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Oct 2015 12:11:17 -0000

Hi Ben, 

On 10/13/15, 7:02 PM, "Acee Lindem (acee)" <acee@cisco.com> wrote:

>
>
>On 10/13/15, 6:57 PM, "Benjamin Kaduk" <kaduk@MIT.EDU> wrote:
>
>>On Tue, 13 Oct 2015, Acee Lindem (acee) wrote:
>>
>>>
>>> On 10/13/15, 6:27 PM, "Benjamin Kaduk" <kaduk@MIT.EDU> wrote:
>>>
>>> >On Sun, 11 Oct 2015, Shraddha Hegde wrote:
>>> >
>>> >> >(easily) be unset.  Would force-expiring an LSA be enough to reset
>>>the
>>> >> >tag, or something else?
>>> >>
>>> >> Yes - this is standard for any OSPF LSA. However, since the OSPF RI
>>>LSA
>>> >> may include other TLVs or even other tags, a tag could also be
>>>withdrawn
>>> >> by reoriginating the RI LSA without the TLV or with a TLV that
>>>doesn’t
>>> >> include the withdrawn tag.
>>> >
>>> >I may still be confused, but I did not interpret the text in that way.
>>> >That is, the text about "all instances of the RI LSA originated by
>>>that
>>> >node".  (Which I changed to "instances of RI LSAs" in my grammar
>>>edits,
>>> >possibly incorrectly if I'm still confused.)  I was interpreting the
>>>word
>>> >"instances" to include historical ones over time, so that even if an
>>>RI
>>> >LSA carrying a particular admin tag was replaced by a different RI LSA
>>> >for the same advertising router, the old one would still be an
>>>instance of
>>> >that RI LSA.  Going back to RFC 2328, I'm not sure what exactly I had
>>>in
>>> >mind in terms of ages and scopes and sequence numbers that would cause
>>> >this
>>> >situation, but I somehow had it in my mind that there could be
>>>multiple RI
>>> >LSAs active at the same time that apply to a given node, such as if
>>>the
>>> >admin just added a new RI LSA containing only the admin tag to augment
>>>the
>>> >existing RI LSAs being sent.  Is that possible?
>>>
>>> In OSPF, a more-recent version or instance of an LSA will always
>>>supersede
>>> all previous instances of the same LSA.
>>
>>Thanks for clarifying.  So, this is a non-issue, and the only question is
>>whether the text could/should be changed to improve clarity.
>
>Let me think about this since it is a generic OSPF RI ambiguity and it
>will affect multiple documents. In a WebEx right now though…

The key point here is that an OSPF router only maintains the most-recent
instance of an LSA in its Link-State Database. So, there shouldn’t be any
ambiguity. Perhaps, the text could be changed to “all RI LSA instances in
the Link-State Database (LSDB) advertised by the corresponding OSPF
router.” 

Thanks,
Acee 

     

          


>
>Thanks,
>Acee
>
>
>
>>
>>-Ben
>

v2.23.0 | Report a Bug | By Email