draft-ietf-bier-ospf-bier-extensions-16.txt   draft-ietf-bier-ospf-bier-extensions-17.txt 
OSPF P. Psenak, Ed. OSPF P. Psenak, Ed.
Internet-Draft N. Kumar Internet-Draft N. Kumar
Intended status: Standards Track IJ. Wijnands Intended status: Standards Track IJ. Wijnands
Expires: September 13, 2018 Cisco Expires: October 5, 2018 Cisco
A. Dolganow A. Dolganow
Nokia Nokia
T. Przygienda T. Przygienda
J. Zhang J. Zhang
Juniper Networks, Inc. Juniper Networks, Inc.
S. Aldrin S. Aldrin
Google, Inc. Google, Inc.
March 12, 2018 April 3, 2018
OSPFv2 Extensions for BIER OSPFv2 Extensions for BIER
draft-ietf-bier-ospf-bier-extensions-16.txt draft-ietf-bier-ospf-bier-extensions-17.txt
Abstract Abstract
Bit Index Explicit Replication (BIER) is an architecture that Bit Index Explicit Replication (BIER) is an architecture that
provides multicast forwarding through a "BIER domain" without provides multicast forwarding through a "BIER domain" without
requiring intermediate routers to maintain multicast related per-flow requiring intermediate routers to maintain multicast related per-flow
state. Neither does BIER require an explicit tree-building protocol state. Neither does BIER require an explicit tree-building protocol
for its operation. A multicast data packet enters a BIER domain at a for its operation. A multicast data packet enters a BIER domain at a
"Bit-Forwarding Ingress Router" (BFIR), and leaves the BIER domain at "Bit-Forwarding Ingress Router" (BFIR), and leaves the BIER domain at
one or more "Bit-Forwarding Egress Routers" (BFERs). The BFIR router one or more "Bit-Forwarding Egress Routers" (BFERs). The BFIR router
skipping to change at page 2, line 10 skipping to change at page 2, line 10
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 13, 2018. This Internet-Draft will expire on October 5, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 7, line 43 skipping to change at page 7, line 43
Prefix TLV. It does not introduce any new security risks to OSPF. Prefix TLV. It does not introduce any new security risks to OSPF.
Existing security extensions as described in [RFC2328] and [RFC7684] Existing security extensions as described in [RFC2328] and [RFC7684]
apply. apply.
It is assumed that both BIER and OSPF layer is under a single It is assumed that both BIER and OSPF layer is under a single
administrative domain. There can be deployments where potential administrative domain. There can be deployments where potential
attackers have access to one or more networks in the OSPF routing attackers have access to one or more networks in the OSPF routing
domain. In these deployments, stronger authentication mechanisms domain. In these deployments, stronger authentication mechanisms
such as those specified in [RFC7474] SHOULD be used. such as those specified in [RFC7474] SHOULD be used.
The Security Considerations section of [RFC8279] discusses the
possibility of performing a Denial of Service (DoS) attack by setting
too many bits in the BitString of a BIER-encapsulated packet.
However, this sort of DoS attack cannot be initiated by modifying the
OSPF BIER advertisements specified in this document. A BFIR decides
which systems are to receive a BIER-encapsulated packet. In making
this decision, it is not influenced by the OSPF control messages.
When creating the encapsulation, the BFIR sets one bit in the
encapsulation for each destination system. The information in the
OSPF BIER advertisements is used to construct the forwarding tables
that map each bit in the encapsulation into a set of next hops for
the host that is identified by that bit, but is not used by the BFIR
to decide which bits to set. Hence an attack on the OSPF control
plane cannot be used to cause this sort of DoS attack.
While a BIER-encapsulated packet is traversing the network, a BFR
that receives a BIER-encapsulated packet with n bits set in its
BitString may have to replicate the packet and forward multiple
copies. However, a given bit will only be set in one copy of the
packet. That means that each transmitted replica of a received
packet has fewer bits set (i.e., is targeted to fewer destinations)
than the received packet. This is an essential property of the BIER
forwarding process as defined in [RFC8279]. While a failure of this
process might cause a DoS attack (as discussed in the Security
Considerations of [RFC8279]), such a failure cannot be caused by an
attack on the OSPF control plane.
Implementations MUST assure that malformed TLV and Sub-TLV defined in Implementations MUST assure that malformed TLV and Sub-TLV defined in
this document are detected and do not provide a vulnerability for this document are detected and do not provide a vulnerability for
attackers to crash the OSPF router or routing process. Reception of attackers to crash the OSPF router or routing process. Reception of
malformed TLV or Sub-TLV SHOULD be counted and/or logged for further malformed TLV or Sub-TLV SHOULD be counted and/or logged for further
analysis. Logging of malformed TLVs and Sub-TLVs SHOULD be rate- analysis. Logging of malformed TLVs and Sub-TLVs SHOULD be rate-
limited to prevent a Denial of Service (DoS) attack (distributed or limited to prevent a Denial of Service (DoS) attack (distributed or
otherwise) from overloading the OSPF control plane. otherwise) from overloading the OSPF control plane.
4. IANA Considerations 4. IANA Considerations
skipping to change at page 8, line 24 skipping to change at page 8, line 49
5. Acknowledgments 5. Acknowledgments
The authors would like to thank Rajiv Asati, Christian Martin, Greg The authors would like to thank Rajiv Asati, Christian Martin, Greg
Shepherd and Eric Rosen for their contribution. Shepherd and Eric Rosen for their contribution.
6. Normative References 6. Normative References
[I-D.ietf-bier-isis-extensions] [I-D.ietf-bier-isis-extensions]
Ginsberg, L., Przygienda, T., Aldrin, S., and Z. Zhang, Ginsberg, L., Przygienda, T., Aldrin, S., and Z. Zhang,
"BIER support via ISIS", draft-ietf-bier-isis- "BIER support via ISIS", draft-ietf-bier-isis-
extensions-09 (work in progress), February 2018. extensions-11 (work in progress), March 2018.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328,
DOI 10.17487/RFC2328, April 1998, DOI 10.17487/RFC2328, April 1998,
<https://www.rfc-editor.org/info/rfc2328>. <https://www.rfc-editor.org/info/rfc2328>.
 End of changes. 6 change blocks. 
5 lines changed or deleted 32 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/