IP Router-Alert Considerations and usage

Slides:



Advertisements
Similar presentations
Philip Eardley, Bob Briscoe, Dave Songhurst - BT Francois Le Faucheur, Anna Charny, Vassilis Liatsos – Cisco Kwok-Ho Chan, Joe Babiarz, Stephen Dudley.
Advertisements

© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—8-1 MPLS TE Overview Introducing the TE Concept.
NSIS Transport Layer draft-ietf-nsis-ntlp-00.txt Slides:
ICE Jonathan Rosenberg dynamicsoft. Issue 1: Port Restricted Flow This case does not work well with ICE right now Race condition –Works if message 13.
QoS in MPLS SMU CSE 8344.
NVO3 dataplane encapsulation requirements discussion Erik Nordmark, Arista Networks.
NTLP Design Considerations draft-mcdonald-nsis-ntlp-considerations-00.txt NSIS Interim Meeting – Columbia University February 2003.
SHIM6 Protocol Drafts Overview Geoff Huston, Marcelo Bagnulo, Erik Nordmark.
NTLP Design Considerations draft-mcdonald-nsis-ntlp-considerations-00.txt NSIS Interim Meeting – Columbia University February 2003.
Node Information Queries July 2002 Yokohama IETF Bob Hinden / Nokia.
DCCP: Issues From the Mailing List Sally Floyd, Eddie Kohler, Mark Handley, et al. DCCP WG March 4, 2004.
1 IETF66/TSVWG: RSVP Extensions for Emergency draft-lefaucheur-emergency-rsvp-02.txt RSVP Extensions for Emergency Services Francois Le Faucheur -
Support for RSVP in Layer 3 VPNs draft-davie-tsvwg-rsvp-l3vpn-01.txt Bruce Davie François le Faucheur Ashok Narayanan Cisco Systems.
Principles & Constraints Philip Eardley. Application-agnostic The CONEX protocol should be open about (independent of) the responses it allows to the.
RTP Splicing Status Update draft-ietf-avtext-splicing-for-rtp-11 Jinwei Xia.
Reshad Rahman, Editor.  Adrian Farrel OldDog Consulting  Tony Li Ericsson  David Ward Francois LeFaucheur Ashok Narayanan Cisco.
Requirements and Selection Process for RADIUS Crypto-Agility December 5, 2007 David B. Nelson IETF 70 Vancouver, BC.
NEMO Basic Support update IETF 61. Status IANA assignments done Very close to AUTH48 call Some issues raised recently We need to figure out if we want.
March 20th, 2001 SIP WG meeting 50th IETF SIP WG meeting Overlap signalling handling
RPSEC WG Issues with Routing Protocols security mechanisms Vishwas Manral, SiNett Russ White, Cisco Sue Hares, Next Hop IETF 63, Paris, France.
RTP Functionalities for RTCWEB A combined view from the authors of draft-cbran-rtcweb-media-00 draft-cbran-rtcweb-media-00 draft-perkins-rtcweb-rtp-usage-02.
IETF 61 draft-ooms-v6ops-bgp-tunnel-04.txt Connecting IPv6 Islands over IPv4 MPLS using IPv6 Provider Edge Routers (6PE) Francois Le Faucheur -
Bearer Control for VoIP and VoMPLS Control Plane Francois Le Faucheur Bruce Thompson Cisco Systems, Inc. Angela Chiu AT&T March 30, 2000.
EDCS IETF 81, Jul/2011, Quebec City, Canadadraft-bashandy-idr-bgp-repair-label-02 Scalable Loop Free BGP FRR Using Repair Label draft-bashandy-idr-bgp-repair-label-02.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
Konstantin agouros Omkar deshpande
Requirements for LER Forwarding of IPv4 Option Packets
UDP Encapsulation for IP Tunneling
IETF 67, MPLS WG, San Diego 11/08/2006
Managed Objects for Packet Sampling
P2MP MPLS-TE Fast Reroute with P2MP Bypass Tunnels
Human Computer Interaction Lecture 21,22 User Support
RPSEC WG Issues with Routing Protocols security mechanisms
<draft-lefaucheur-rsvp-dste-02
draft-ietf-simple-message-sessions-00 Ben Campbell
IPv6 Flow Label Specification
Request History Capability – Requirements & Solution
Presenter: Jeffrey Zhang
Les Ginsberg Stefano Previdi Peter Psenak Martin Pilka
15th November 2016 Gorry Fairhurst (via webrtc) David Black WG chairs
An analysis of scaling issues in MPLS-TE backbone networks
Global Standards Collaboration (GSC) GSC-15
Introduction to Networking
Francois Le Faucheur Cisco
<draft-lefaucheur-rsvp-ipsec-01
TCP for DNS security considerations
Guide to TCP/IP Fourth Edition
Signaling RSVP-TE P2MP LSPs in an Inter-domain Environment draft-ali-mpls-inter-domain-p2mp-rsvp-te-lsp-01.txt Zafar Ali, Cisco Systems.
Signaled PID When Multiplexing Multiple Payloads over RSVP-TE LSPs draft-ali-mpls-sig-pid-multiplexing-case-00.txt Zafar Ali, Cisco Systems.
CHAPTER 8 Network Management
A Unified Approach to IP Segment Routing
Bala’zs, Norm, Jouni DetNet WG London, 23rd March, 2018
Quick-Start for TCP and IP
ECN Experimentation draft-black-ecn-experimentation
Net 323 D: Networks Protocols
IETF-100, MPTCP WG, November 2017
CSE 313 Data Communication
LIME CO Model Update draft-ietf-lime-yang-oam-model-07
ITIS 6167/8167: Network and Information Security
NET 323D: Networks Protocols
draft-ietf-dtn-bpsec-06
DCCP: Issues From the Mailing List
draft-ietf-bier-ipv6-requirements-01
Editors: Bala’zs Varga, Jouni Korhonen
draft-ietf-stir-oob-02 Out of Band
Deprecating ASM for Interdomain Multicast IETF 102 Montreal 2018
Pseudo-Wire Protection
Parameters & Defaults:
draft-venaas-bier-mtud-01
DetNet Architecture Updates
Presentation transcript:

IP Router-Alert Considerations and usage draft-rahman-rtg-router-alert-considerations-01 Reshad Rahman David Ward Francois Le Faucheur Ashok Narayanan Cisco Adrian Farrel OldDog Consulting Tony Li Ericsson

What is this all about? RAO security concerns & solutions not documented well Some feel careful implementation & careful deployment address the RAO security concerns Some feel concerns are far from addressed Practical questions remain unanswered: Should an operator block e2e RAO packets to protect itself? Should IETF stop (some) extensions to existing protocols using RAO? Should IETF discourage definition of new protocols using RAO? Should RAO definition be enhanced? Objective: documents concerns/solutions and answer above questions

Structure Change from Previous Version (as per feedback/guidance) draft-rahman-rtg- router-alert-considerations-00 draft-rahman-rtg- router-alert-considerations-01 Based on current RAO definition BCP Track Concerns & Recommendations draft-narayanan-rtg- router-alert-extensions-00 Explores enhanced RAO definition

RAO Concern & Protection Approaches No mechanism specified to facilitate triage between desired & undesired RAO packets PID may be used, but not granular enough e.g. “my RSVP-TE packets” vs “e2e RSVP packets”? e.g. “Protocol-1 over TCP” vs “Protocol-2 over TCP” RAO Protection can be achieved by: Assume only “desired RAO” (controlled-environment) Rely on RAO implementation to perform triage and rate- limiting of “undesired RAO” Tunnel “undesired RAO” (draft-dasmith-mpls-ip-options) Block “undesired RAO” at the edge

Guidelines for new e2e Applications e2e delivery of RAO packets cannot be relied on today new Apps are likely to be muxed over shared transport protocol (which makes triage difficult)  “it is RECOMMENDED that new end to end applications or protocols be developed without using IP Router Alert”

Use of RAO (by existing protocols) RAO can be used safely in Controlled-environments RAO can be used safely in some open environments provided the operator can protect itself efficiently by: Implementing efficient triage & rate-limiting of “undesired RAO” at every hop (possibly combined with some protocol specific mechanism to reduce RAO dependency e.g. RSVP-TE Refresh Reduction) Tunneling “undesired RAO” (draft-dasmith-mpls-ip-options) extensions to existing protocols that use RAO are OK provided extension is applicable to the above environments

Use of RAO (by existing protocols) “it is RECOMMENDED that a Service Provider protects his network from attacks based on IP Router Alert using mechanisms that avoid (or at least minimize) dropping of end to end IP Router Alert packets (other than those involved in the attack)”.

RAO Router Implementation Section 4 currently provides examples of protection mechanisms that may be supported by an RAO implementation Received Feedback: “too implementation-specific to become recommendations” “Not IETF job to specify how to implement” Proposal: Include a generic recommendation to implement RAO protection (possibly suggesting selective rate-limiting of undesirable RAO) but without actual details on how to implement it

Next Steps (1/2) Add text for a generic recommendation to implement RAO protection but without actual details Turn section 4.4 into a clarification to make explicit what is implicit in current RAO definition i.e. Router ought to forward RAO packet for protocols that are not of interest to the router

Next Steps (2/2) Remove fall-back SP recommendations: “As a last resort, if the SP does not have any means to safely transport e2e RAO packets over his network, it is RECOMMENDED that, rather than dropping those packets, the SP forwards these packets through his network after removing the RAO from the IP header on ingress/receipt of the packet.” “Where the SP does not ensure reliable transport of RAO packets (i.e., those get dropped) for an e2e protocol of interest to a user, the user can consider removing the RAO from the IP header before sending the packet to the SP and may then intercept the packet on the other ...” Because if we were to specify RAO manipulation behavior we may as well specify more effective ones as discussed in draft-narayanan-rtg-router-alert- extension

Q & A

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.