Hiding Transit-Only Networks in OSPF
draft-ietf-ospf-prefix-hiding-07
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-12-19 | 07 | Amy Vezza | State changed to RFC Ed Queue from Approved-announcement sent |
2012-12-18 | 07 | (System) | IANA Action state changed to No IC |
2012-12-18 | 07 | Amy Vezza | State changed to Approved-announcement sent from Approved-announcement to be sent |
2012-12-18 | 07 | Amy Vezza | IESG has approved the document |
2012-12-18 | 07 | Amy Vezza | Closed "Approve" ballot |
2012-12-18 | 07 | Amy Vezza | Ballot approval text was generated |
2012-12-18 | 07 | Amy Vezza | State changed to Approved-announcement to be sent from IESG Evaluation::AD Followup |
2012-12-18 | 07 | Amy Vezza | Ballot writeup was changed |
2012-12-17 | 07 | Alvaro Retana | New version available: draft-ietf-ospf-prefix-hiding-07.txt |
2012-12-14 | 06 | Stewart Bryant | Ballot writeup was changed |
2012-12-04 | 06 | Adrian Farrel | [Ballot comment] Thanks for addressing the majority of my Discuss points and Comments. One issue remains that I have moved from the Discuss to this Comment: I really think that the use of RFC 2119 language in 2.1.2 and subsequent is inappropriate. In my opinion you are just describing what an implementation does if it wants to achieve a particular effect. You are not describing mandatory to implement interoperability behaviors. |
2012-12-04 | 06 | Adrian Farrel | Ballot comment text updated for Adrian Farrel |
2012-12-04 | 06 | Adrian Farrel | [Ballot comment] Thanks for addressing the majority of my Discuss points and Comments. One issue remains that I have moved from the Discuss to this Comment: I really think that the use of RFC 2119 language in 2.1.2 and subsequent is inappropriate. In my opinion you are just describing what an implementation does if it wants to achieve a particular effect. You are not describing mandatory to implement interoperability behaviors. |
2012-12-04 | 06 | Adrian Farrel | [Ballot Position Update] Position for Adrian Farrel has been changed to No Objection from Discuss |
2012-12-04 | 06 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2012-12-04 | 06 | Alvaro Retana | New version available: draft-ietf-ospf-prefix-hiding-06.txt |
2012-08-30 | 05 | Cindy Morgan | State changed to IESG Evaluation::Revised ID Needed from IESG Evaluation |
2012-08-29 | 05 | Wesley Eddy | [Ballot Position Update] New position, No Objection, has been recorded for Wesley Eddy |
2012-08-29 | 05 | Ralph Droms | [Ballot Position Update] New position, No Objection, has been recorded for Ralph Droms |
2012-08-28 | 05 | Robert Sparks | [Ballot Position Update] New position, No Objection, has been recorded for Robert Sparks |
2012-08-28 | 05 | Sean Turner | [Ballot comment] I read this draft a couple of times trying to figure out what you were hiding. Then, I read Adrian's mutterings - I'm with him. |
2012-08-28 | 05 | Sean Turner | [Ballot Position Update] New position, No Objection, has been recorded for Sean Turner |
2012-08-28 | 05 | Adrian Farrel | [Ballot discuss] Updated Discuss to reflect progress with IPR and the "updates" metadata tag. Moved some smaller points to the Comment. --- I am generally supportive of this work and see its utility, but I have a number of gripes with this document which I would like to discuss. --- Section 2.1.1 begins brightly "For each numbered point-to-point network..." There is no discussion in this document of unnumbered interfaces. --- Section 2.1.2 To hide a transit-only point-to-point network, the Type 3 link MUST be omitted from the router-LSA. This use of "MUST" makes it look like hiding has to be done all the time even though it comes in a second clause. Wouldn't it be enough to s/MUST be/is/ ? This question carries forward to most of the sections of the document. --- This is a longwinded mutter about "hiding". By the end of Section 2.1.2 I was not convinced that anything has actually been hidden from someone snooping OSPF. The corresponding advertisement from RT2 will let us know... - RT1 is directly connected to RT2. - The addresses of RT1 and RT2. - The addresses of the link ends. - The link metrics. It is only if there are several links between RT1 and RT2 that any information is lost, and even then it is relatively easy to deduce. Pedantically, I don't think you are hiding anything, but you are removing reachability by excluding specific addresses from the RIB. This is valuable and achieves the goals you intended (more rapid convergence and protection from attacks). It is just that you are not hiding anything - you are making them unreachable. To make this actionable, I think you need clarification in the Abstract and Introduction: what are you hiding and from whom? Or better still: drop the term "hiding" and talk about "reduced reachability" or "zero reachability" of transit networks. Hey! Section 8 actually gets around to saying the right stuff. Can you lift some of this text to the Introduction? >> email discussions with the authors suggest that this can be fixed >> with a simple clarification in the Introduction --- Section 7 suggests using RFC 5837, and I can see the utility. But it needs to be noted that implementations must resist the temptation to follow up one ICMP exchange by targeting the next exchange at the source address of the response. Clearly that address will not be reachable. |
2012-08-28 | 05 | Adrian Farrel | [Ballot comment] You will want to update Alvaro's coordinates before this goes to the RFC Editor. --- In section 7, is "recommended" supposed to be "RECOMMENDED"? --- Section 8 s/ONLY/only/ --- It is not enough to state that this document updates RFC 2328 and 5340. You need to spell out somewhere in the document the nature of the update. --- I think you need to discuss the interaction with RFC 3630 and RFC 5329. |
2012-08-28 | 05 | Adrian Farrel | Ballot comment and discuss text updated for Adrian Farrel |
2012-08-28 | 05 | Russ Housley | [Ballot Position Update] New position, No Objection, has been recorded for Russ Housley |
2012-08-28 | 05 | Pete Resnick | [Ballot Position Update] New position, No Objection, has been recorded for Pete Resnick |
2012-08-27 | 05 | Barry Leiba | [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba |
2012-08-27 | 05 | Stephen Farrell | [Ballot comment] - abstract: I'd say s/minimize/reduce/ would be better in the last sentence. (Same for intro.) The point is that you can't know any reasonable "minimum" here, but you can I guess reduce the likelihood of some attacks. - I agree with Adrian's mutterings about the term "hiding." - Section 7 seems very brief to me but then I don't know much about routing. I also wondered that this section has no uppercase 2119 words - is the "recommended" there intended to be the same as RECOMMENDED aka SHOULD? If so, and 5837 (An ICMP extension?) is all that's needed, then I think it'd be clearer to use SHOULD. If not, then couldn't you RECOMMEND some good way to manage these no-longer-routable devices? - Section 8: very much a quibble but I think "unauthorized access" isn't quite right, fewer routers will be exposed-to/ available-for any access, not just unauthorized access. I'd say better might be to just put the full-stop after "exposed." - Section 10, paragraph 2: sigh - the ack for the idea is fine, I'm just non-actionably lamenting the USPTO's idea of invention;-( |
2012-08-27 | 05 | Stephen Farrell | [Ballot Position Update] New position, No Objection, has been recorded for Stephen Farrell |
2012-08-23 | 05 | Jean Mahoney | Request for Telechat review by GENART is assigned to Vijay Gurbani |
2012-08-23 | 05 | Jean Mahoney | Request for Telechat review by GENART is assigned to Vijay Gurbani |
2012-08-16 | 05 | Martin Stiemerling | [Ballot Position Update] New position, No Objection, has been recorded for Martin Stiemerling |
2012-08-13 | 05 | Vijay Gurbani | Request for Telechat review by GENART Completed. Reviewer: Vijay Gurbani. |
2012-08-13 | 05 | Vijay Gurbani | Request for Telechat review by GENART Completed: Ready. Reviewer: Vijay Gurbani. |
2012-08-11 | 05 | Adrian Farrel | [Ballot discuss] Updated Discuss as Stewart has Deferred the IESG discussion to allow the working group to discuss the IPR claim. --- I am generally supportive of this work and see its utility, but I have a number of gripes with this document which I would like to discuss. --- It is not enough to state that this document updates RFC 2328. You need to spell out somewhere in the document the nature of the update. The implication of "updates" is that all new implementations of RFC 2328 must also implement this document in order to be conformant to RFC 2328. Is this what you intended? Same for RFC 5340. --- I think you need to discuss the interaction with RFC 3630 and RFC 5329. --- Section 2.1.1 begins brightly "For each numbered point-to-point network..." There is no discussion in this document of unnumbered interfaces. --- Section 2.1.2 To hide a transit-only point-to-point network, the Type 3 link MUST be omitted from the router-LSA. This use of "MUST" makes it look like hiding has to be done all the time even though it comes in a second clause. Wouldn't it be enough to s/MUST be/is/ ? This question carries forward to most of the sections of the document. --- This is a longwinded mutter about "hiding". By the end of Section 2.1.2 I was not convinced that anything has actually been hidden from someone snooping OSPF. The corresponding advertisement from RT2 will let us know... - RT1 is directly connected to RT2. - The addresses of RT1 and RT2. - The addresses of the link ends. - The link metrics. It is only if there are several links between RT1 and RT2 that any information is lost, and even then it is relatively easy to deduce. Pedantically, I don't think you are hiding anything, but you are removing reachability by excluding specific addresses from the RIB. This is valuable and achieves the goals you intended (more rapid convergence and protection from attacks). It is just that you are not hiding anything - you are making them unreachable. To make this actionable, I think you need clarification in the Abstract and Introduction: what are you hiding and from whom? Or better still: drop the term "hiding" and talk about "reduced reachability" or "zero reachability" of transit networks. Hey! Section 8 actually gets around to saying the right stuff. Can you lift some of this text to the Introduction? --- Section 7 suggests using RFC 5837, and I can see the utility. But it needs to be noted that implementations must resist the temptation to follow up one ICMP exchange by targeting the next exchange at the source address of the response. Clearly that address will not be reachable. |
2012-08-11 | 05 | Adrian Farrel | Ballot discuss text updated for Adrian Farrel |
2012-08-10 | 05 | Stewart Bryant | Telechat date has been changed to 2012-08-30 from 2012-08-16 |
2012-08-10 | 05 | Ron Bonica | [Ballot Position Update] New position, No Objection, has been recorded for Ronald Bonica |
2012-08-10 | 05 | Adrian Farrel | [Ballot discuss] I am generally supportive of this work and see its utility, but I have a number of gripes with this document which I would like to discuss. --- The write-up is missing details of the discussion in the WG of the IPR disclosure. Usually, this is as simple as "The IPR disclosure was brought to the attention of the WG on . There were no follow-up comments from the WG." Can the shepherd confirm this was the case? --- It is not enough to state that this document updates RFC 2328. You need to spell out somewhere in the document the nature of the update. The implication of "updates" is that all new implementations of RFC 2328 must also implement this document in order to be conformant to RFC 2328. Is this what you intended? Same for RFC 5340. --- I think you need to discuss the interaction with RFC 3630 and RFC 5329. --- Section 2.1.1 begins brightly "For each numbered point-to-point network..." There is no discussion in this document of unnumbered interfaces. --- Section 2.1.2 To hide a transit-only point-to-point network, the Type 3 link MUST be omitted from the router-LSA. This use of "MUST" makes it look like hiding has to be done all the time even though it comes in a second clause. Wouldn't it be enough to s/MUST be/is/ ? This question carries forward to most of the sections of the document. --- This is a longwinded mutter about "hiding". By the end of Section 2.1.2 I was not convinced that anything has actually been hidden from someone snooping OSPF. The corresponding advertisement from RT2 will let us know... - RT1 is directly connected to RT2. - The addresses of RT1 and RT2. - The addresses of the link ends. - The link metrics. It is only if there are several links between RT1 and RT2 that any information is lost, and even then it is relatively easy to deduce. Pedantically, I don't think you are hiding anything, but you are removing reachability by excluding specific addresses from the RIB. This is valuable and achieves the goals you intended (more rapid convergence and protection from attacks). It is just that you are not hiding anything - you are making them unreachable. To make this actionable, I think you need clarification in the Abstract and Introduction: what are you hiding and from whom? Or better still: drop the term "hiding" and talk about "reduced reachability" or "zero reachability" of transit networks. Hey! Section 8 actually gets around to saying the right stuff. Can you lift some of this text to the Introduction? --- Section 7 suggests using RFC 5837, and I can see the utility. But it needs to be noted that implementations must resist the temptation to follow up one ICMP exchange by targeting the next exchange at the source address of the response. Clearly that address will not be reachable. |
2012-08-10 | 05 | Adrian Farrel | [Ballot comment] You will want to update Alvaro's coordinates before this goes to the RFC Editor. --- In section 7, is "recommended" supposed to be "RECOMMENDED"? --- Section 8 s/ONLY/only/ |
2012-08-10 | 05 | Adrian Farrel | [Ballot Position Update] New position, Discuss, has been recorded for Adrian Farrel |
2012-08-09 | 05 | Jean Mahoney | Request for Telechat review by GENART is assigned to Vijay Gurbani |
2012-08-09 | 05 | Jean Mahoney | Request for Telechat review by GENART is assigned to Vijay Gurbani |
2012-08-08 | 05 | Brian Haberman | [Ballot Position Update] New position, No Objection, has been recorded for Brian Haberman |
2012-07-25 | 05 | Stewart Bryant | Placed on agenda for telechat - 2012-08-16 |
2012-07-25 | 05 | Stewart Bryant | State changed to IESG Evaluation from Waiting for AD Go-Ahead |
2012-07-25 | 05 | Stewart Bryant | Ballot has been issued |
2012-07-25 | 05 | Stewart Bryant | [Ballot Position Update] New position, Yes, has been recorded for Stewart Bryant |
2012-07-25 | 05 | Stewart Bryant | Created "Approve" ballot |
2012-07-25 | 05 | Stewart Bryant | Ballot writeup was changed |
2012-07-16 | 05 | Yi Yang | New version available: draft-ietf-ospf-prefix-hiding-05.txt |
2012-07-13 | 04 | Samuel Weiler | Request for Last Call review by SECDIR Completed: Ready with Nits. Reviewer: Julien Laganier. |
2012-07-06 | 04 | (System) | State changed to Waiting for AD Go-Ahead from In Last Call |
2012-06-28 | 04 | Pearl Liang | IANA has reviewed draft-ietf-ospf-prefix-hiding-04, which is currently in Last Call, and has the following comments: IANA understands that, upon approval of this document, there are no IANA Actions which IANA must complete. |
2012-06-28 | 04 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Julien Laganier |
2012-06-28 | 04 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Julien Laganier |
2012-06-25 | 04 | Vijay Gurbani | Request for Last Call review by GENART Completed. Reviewer: Vijay Gurbani. |
2012-06-22 | 04 | Jean Mahoney | Request for Last Call review by GENART is assigned to Vijay Gurbani |
2012-06-22 | 04 | Jean Mahoney | Request for Last Call review by GENART is assigned to Vijay Gurbani |
2012-06-22 | 04 | Amy Vezza | The following Last Call announcement was sent out: From: The IESG To: IETF-Announce CC: Reply-To: ietf@ietf.org Subject: Last Call: (Hiding Transit-only Networks in OSPF) to Proposed Standard The IESG has received a request from the Open Shortest Path First IGP WG (ospf) to consider the following document: - 'Hiding Transit-only Networks in OSPF' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2012-07-06. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract A transit-only network is defined as a network connecting routers only. In OSPF, transit-only networks are usually configured with routable IP addresses, which are advertised in Link State Advertisements (LSAs) but not needed for data traffic. In addition, remote attacks can be launched against routers by sending packets to these transit-only networks. This document presents a mechanism to hide transit-only networks to speed up network convergence and minimize remote attack vulnerability. This document updates RFC 2328 and RFC 5340. The file can be obtained via http://datatracker.ietf.org/doc/draft-ietf-ospf-prefix-hiding/ IESG discussion can be tracked via http://datatracker.ietf.org/doc/draft-ietf-ospf-prefix-hiding/ballot/ The following IPR Declarations may be related to this I-D: http://datatracker.ietf.org/ipr/1798/ |
2012-06-22 | 04 | Amy Vezza | State changed to In Last Call from Last Call Requested |
2012-06-22 | 04 | Stewart Bryant | Last call was requested |
2012-06-22 | 04 | Stewart Bryant | Ballot approval text was generated |
2012-06-22 | 04 | Stewart Bryant | Ballot writeup was generated |
2012-06-22 | 04 | Stewart Bryant | State changed to Last Call Requested from Publication Requested |
2012-06-22 | 04 | Stewart Bryant | Last call announcement was generated |
2012-06-21 | 04 | Cindy Morgan | (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? Proposed Standard (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary This draft specifies mechanisms to prevent the advertisements of prefixes associated with transit-only networks. In OSPFv2, the protocol encoding for the Network-LSA is modified. In OSPFv3, prefix advertisement suppression can be accomplished without any protocol encoding changes. Working Group Summary The function is fairly straight-forward and the only discussion was related to OSPFv3 whether the DR should suppress advertisement of all prefixes on the link or whether it should be based on the individual link-LSA advertisements. After some discussion, we decided on the latter. Document Quality The document has gone through several WG review cycles and revisions. There is at least one implementation and another under development. Personnel Acee Lindem is the document shepherd and Stewart Bryant is the responsible AD. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. The document was presented in Beijing and went through several WG reviews. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? No. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. No. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the interested community has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. None. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed? If not, explain why. Yes. (8) Has an IPR disclosure been filed that references this document? If so, summarize any discussion and conclusion regarding the IPR disclosures. Yes - Defensive patent. https://datatracker.ietf.org/ipr/1423/ (9) How solid is the consensus of the interested community behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the interested community as a whole understand and agree with it? There is consensus behind the draft and many believe it is useful. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No. (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. All idnits errors and warnings have been resolved. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews. Not applicable. (13) Have all references within this document been identified as either normative or informative? Yes. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? No. (15) Are there downward normative references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. No. (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the interested community considers it unnecessary. Yes. Updates RFC 2328 and RFC 5340. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226). This document doesn't require any IANA actions. (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. None. (19) Describe reviews and automated checks performed to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc. Not Applicable. |
2012-06-21 | 04 | Cindy Morgan | Note added 'Acee Lindem (acee.lindem@ericsson.com) is the document shepherd.' |
2012-06-21 | 04 | Cindy Morgan | Intended Status changed to Proposed Standard |
2012-06-21 | 04 | Cindy Morgan | IESG process started in state Publication Requested |
2012-06-20 | 04 | Yi Yang | New version available: draft-ietf-ospf-prefix-hiding-04.txt |
2012-06-13 | | (System) | Posted related IPR disclosure: Cisco's Statement of IPR Related to draft-ietf-ospf-prefix-hiding-03 |
2012-05-01 | 03 | Yi Yang | New version available: draft-ietf-ospf-prefix-hiding-03.txt |
2012-02-02 | 02 | (System) | New version available: draft-ietf-ospf-prefix-hiding-02.txt |
2012-01-03 | 01 | (System) | New version available: draft-ietf-ospf-prefix-hiding-01.txt |
2011-12-03 | 02 | (System) | Document has expired |
2011-06-01 | 00 | (System) | New version available: draft-ietf-ospf-prefix-hiding-00.txt |