Hi Paul,
Thank you for your comments.
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> I have a few minor discusses, which could be just because I'm not an ISIS
> expert. Please bear with me :)
>
> Multiple proxy system identifiers in a single area is a
> misconfiguration and each unique occurrence SHOULD be logged.
>
> This does not really answer what systems should do in this case? Use none
> of them? What would the implication be? Use the one advertised by most nodes?
> What would the risk be with that? The answers would be great additions to the
> Security Considerations :)
I propose to amend this to read:
Multiple proxy system identifiers in a single
area is a misconfiguration and each unique occurrence
SHOULD be logged and the Area Leader MUST NOT generate the
Proxy LSP.
> The Area Leader and other candidates for Area Leader MAY withdraw
> the Area Proxy System Identifier when one or more Inside Routers
> are not advertising the Area Proxy Router Capability. This will
> disable Area Proxy functionality.
>
> Wouldn't this allow a malicious Inside Router to completely disable the Area
> Proxy functionality? Could this be part of an attack? Can this be mitigated
> somehow? Is there something to say about this for the Security Considerations?
Before we get into this specific question, we should talk about the security of
link state protocols in general. We do have authentication mechanisms in place
to
ensure that all routers are known participants. However, once inside that
crunchy
shell of authentication, there is a very soft, gooey interior.
Any node can advertise anything. Sane or not. Correct or not. Consistent or
not.
And an authenticated node can trivially DoS attack the entire domain.
There are even configuration commands defined to do so ( “redistribute bgp …”).
This applies to both IS-IS and OSPF.
Now, to your point: yes, a malicious Inside Router can trivially disable Area
Proxy
functionality, there is no question about that. Could that be an attack? Yes,
certainly.
It would be quite obvious and public as all of the LSDB is completely visible.
Is this worth mitigating? IMHO no. This is no better or worse than any other
attack
that a malicious IS-IS router can launch. It’s exactly on-par with everything
else
that’s in the protocol today.
Is this worth discussing in the Security Considerations? IMHO no. We decided a
long time ago that we were not going to chase the Byzantine Generals problem
and
that hasn’t proven to be problematic in practice.
>
> 0 1 2
> 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> | Type | Length | Proxy System ID |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> | Proxy System Identifier continued |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
> This diagram seems incorrect. It shows 4 fields instead of 3.
> I suggest using:
>
> 0 1 2
> 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> | Type | Length | |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Proxy System Identifier |
> | |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Thank you for the suggestion, adopted.
Tony
_______________________________________________
Lsr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/lsr
