Relayed Echo Reply mechanism for LSP Ping
draft-ietf-mpls-lsp-ping-relay-reply-06
The information below is for an old version of the document.
Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 7743.
|
|
---|---|---|---|
Authors | Luo Jian , Lizhong Jin , Thomas Nadeau , George Swallow | ||
Last updated | 2014-12-12 (Latest revision 2014-12-05) | ||
Replaces | draft-zjns-mpls-lsp-ping-relay-reply | ||
RFC stream | Internet Engineering Task Force (IETF) | ||
Formats | |||
Reviews |
GENART Last Call review
(of
-10)
by Joel Halpern
Ready w/issues
|
||
Additional resources | Mailing list discussion | ||
Stream | WG state | WG Document | |
Associated WG milestone |
|
||
Document shepherd | Loa Andersson | ||
Shepherd write-up | Show Last changed 2014-10-13 | ||
IESG | IESG state | Became RFC 7743 (Proposed Standard) | |
Consensus boilerplate | Unknown | ||
Telechat date | (None) | ||
Responsible AD | Adrian Farrel | ||
Send notices to | mpls-chairs@ietf.org, draft-ietf-mpls-lsp-ping-relay-reply@ietf.org | ||
IANA | IANA review state | Version Changed - Review Needed |
draft-ietf-mpls-lsp-ping-relay-reply-06
Internet Engineering Task Force S. Huque Internet-Draft P. Aras Intended status: Informational Salesforce Expires: October 21, 2020 J. Dickinson Sinodun J. Vcelak NS1 D. Blacka Verisign April 19, 2020 Multi Signer DNSSEC models draft-ietf-dnsop-multi-provider-dnssec-05 Abstract Many enterprises today employ the service of multiple DNS providers to distribute their authoritative DNS service. Deploying DNSSEC in such an environment may present some challenges depending on the configuration and feature set in use. In particular, when each DNS provider independently signs zone data with their own keys, additional key management mechanisms are necessary. This document presents deployment models that accommodate this scenario and describe these key management requirements. These models do not require any changes to the behavior of validating resolvers, nor do they impose the new key management requirements on authoritative servers not involved in multi signer configurations. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on October 21, 2020. Huque, et al. Expires October 21, 2020 [Page 1] Internet-Draft Multi Signer DNSSEC models April 2020 Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction and Motivation . . . . . . . . . . . . . . . . . 2 2. Deployment Models . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Multiple Signer models . . . . . . . . . . . . . . . . . 3 2.1.1. Model 1: Common KSK set, Unique ZSK set per provider 4 2.1.2. Model 2: Unique KSK set and ZSK set per provider . . 5 3. Validating Resolver Behavior . . . . . . . . . . . . . . . . 5 4. Signing Algorithm Considerations . . . . . . . . . . . . . . 6 5. Authenticated Denial Considerations . . . . . . . . . . . . . 6 5.1. Single Method . . . . . . . . . . . . . . . . . . . . . . 7 5.2. Mixing Methods . . . . . . . . . . . . . . . . . . . . . 7 6. Key Rollover Considerations . . . . . . . . . . . . . . . . . 8 6.1. Model 1: Common KSK, Unique ZSK per provider . . . . . . 8 6.2. Model 2: Unique KSK and ZSK per provider . . . . . . . . 9 7. Using Combined Signing Keys . . . . . . . . . . . . . . . . . 10 8. Use of CDS and CDNSKEY . . . . . . . . . . . . . . . . . . . 10 9. Key Management Mechanism Requirements . . . . . . . . . . . . 10 10. DNS Response Size Considerations . . . . . . . . . . . . . . 11 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 12. Security Considerations . . . . . . . . . . . . . . . . . . . 11 13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 14.1. Normative References . . . . . . . . . . . . . . . . . . 12 14.2. Informative References . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 1. Introduction and Motivation RFC EDITOR: PLEASE REMOVE THIS PARAGRAPH BEFORE PUBLISHING: The source for this draft is maintained in GitHub at: https://github.com/shuque/multi-provider-dnssec Huque, et al. Expires October 21, 2020 [Page 2] Internet-Draft Multi Signer DNSSEC models April 2020 Many enterprises today employ the service of multiple Domain Name System (DNS) [RFC1034] [RFC1035] providers to distribute their authoritative DNS service. This is primarily done for redundancy and availability, and allows the DNS service to survive a complete, catastrophic failure of any single provider. Additionally, enterprises or providers occasionally have requirements that preclude standard zone transfer techniques [RFC1995] [RFC5936] : either non- standardized DNS features are in use that are incompatible with zone transfer, or operationally a provider must be able to (re)sign DNS records using their own keys. This document outlines some possible models of DNSSEC [RFC4033] [RFC4034] [RFC4035] deployment in such an environment. This document assumes a reasonable level of familiarity with DNS operations and protocol terms. Much of the terminology is explained in further detail in DNS Terminology [RFC8499]. 2. Deployment Models If a zone owner can use standard zone transfer techniques, then the presence of multiple providers does not require modifications to the normal deployment models. In these deployments, there is a single signing entity (which may be the zone owner, one of the providers, or a separate entity), while the providers act as secondary authoritative servers for the zone. Occasionally, however, standard zone transfer techniques cannot be used. This could be due to the use of non-standard DNS features, or due to operational requirements of a given provider (e.g., a provider that only supports "online signing".) In these scenarios, the multiple providers each act like primary servers, independently signing data received from the zone owner and serving it to DNS queriers. This configuration presents some novel challenges and requirements. 2.1. Multiple Signer models In this category of models, multiple providers each independently sign and serve the same zone. The zone owner typically uses provider-specific APIs to update zone content identically at each of the providers, and relies on the provider to perform signing of the data. A key requirement here is to manage the contents of the DNSKEY and Delegation Signer (DS) RRsets in such a way that validating resolvers always have a viable path to authenticate the DNSSEC signature chain, no matter which provider is queried. This requirement is achieved by having each provider import the public Zone Signing Keys (ZSKs) of all other providers into their DNSKEY RRsets. Huque, et al. Expires October 21, 2020 [Page 3] Internet-Draft Multi Signer DNSSEC models April 2020 Internet-Draft MPLS LSP Ping Relayed Echo Reply December 2014 if (Relay Node Address Stack TLV exists) { Print the last address in the stack; } else { Print the source IP address of Echo Reply message; } 5. LSP Ping Relayed Echo Reply Example Considering the inter-AS scenario in Figure 4 below. +-------+ +-------+ +------+ +------+ +------+ +------+ | | | | | | | | | | | | | PE1 +---+ P1 +---+ ASBR1+---+ ASBR2+---+ P2 +---+ PE2 | | | | | | | | | | | | | +-------+ +-------+ +------+ +------+ +------+ +------+ <---------------AS1-------------><---------------AS2------------> <--------------------------- LSP -------------------------------> Figure 4: Example Inter-AS LSP In the example, an LSP has been created between PE1 to PE2. When performing LSP traceroute on the LSP, the first Echo Request sent by PE1 with outer-most label TTL=1, contains the Relay Node Address Stack TLV with PE1's address. After processed by P1, P1's address will be added in the Relay Node Address Stack TLV address list following PE1's address in the Echo Reply. PE1 copies the Relay Node Address Stack TLV into the next Echo Request when receiving the Echo Reply. Upon receiving the Echo Request, ASBR1 checks the address list in the Relay Node Address Stack TLV in sequence, and finds out that PE1's address is routable. Then deletes P1's address, and adds its own address following PE1 address. As a result, there would be PE1's address followed by ASBR1's address in the Relay Node Address Stack TLV of the Echo Reply sent by ASBR1. PE1 then sends an Echo Request with outer-most label TTL=3, containing the Relay Node Address Stack TLV copied from the received Echo Reply message. Upon receiving the Echo Request message, ASBR2 checks the address list in the Relay Node Address Stack TLV in sequence, and finds out that PE1's address is IP route unreachable, and ASBR1's address is the first routable one in the Relay Node Luo, et al. Expires June 8, 2015 [Page 11] Internet-Draft MPLS LSP Ping Relayed Echo Reply December 2014 Address Stack TLV. So ASBR1 is the next relay node. ASBR2 adds its address as the last address item following ASBR1's address in Relay Node Address Stack TLV, sets ASBR1's address as the destination address of the Relayed Echo Reply, and sends the Relayed Echo Reply to ASBR1. Upon receiving the Relayed Echo Reply from ASBR2, ASBR1 checks the address list in the Relay Node Address Stack TLV in sequence, and finds out that PE1's address is first routable one in the address list. So PE1 is the next relay node. Then ASBR1 sends an Echo Reply to PE1 with the payload of the received Relayed Echo Reply unchanged other than the Message Type field. For the Echo Request with outer-most label TTL=4, P2 checks the address list in the Relay Node Address Stack TLV in sequence, and finds out that both PE1's and ASBR1's addresses are not IP routable, and ASBR2's address is the first routable address. Then P2 sends an Relayed Echo Reply to ASBR2 with the Relay Node Address Stack TLV containing four addresses, PE1's, ASBR1's, ASBR2's and P2's address in sequence. Then according to the process described in section 4.4, ASBR2 sends the Relayed Echo Reply to ASBR1. Upon receiving the Relayed Echo Reply, ASBR1 sends an Echo Reply to PE1 which is IP routable. And as relayed by ASBR2 and ASBR1, the Echo Reply would finally be sent to the initiator PE1. For the Echo Request with outer-most label TTL=5, the Echo Reply would relayed to PE1 by ASBR2 and ASBR1, similar to the case of TTL=4. The Echo Reply from the replying node which has no IP reachable route to the initiator is finally transmitted to the initiator by multiple relay nodes. In the case that the interface address of ASBR1 to P1 is IP1 which maybe an IPv4 private address and not IP routable for AS2, and the loopback address on ASRB1 is IP2 which is routable for AS2. Then when ASBR1 sends a Relayed Echo Reply, it will firstly add IP1 without K bit set in the Relay Node Address Stack TLV, and then add IP2 with K bit set in the stack TLV. Then ASBR2/P2 could relay the Relayed Echo Reply back first to IP2 which is routable for ASBR2/P2, then ASBR1 will send Echo Reply to PE1. Thanks for the K bit, the ASBR1 will not be skipped for message relay. Luo, et al. Expires June 8, 2015 [Page 12] Internet-Draft MPLS LSP Ping Relayed Echo Reply December 2014 6. Security Considerations The Relayed Echo Reply mechanism for LSP Ping creates an increased risk of DoS by putting the IP address of a target router in the Relay Node Address Stack. These messages then could be used to attack the control plane of an LSR by overwhelming it with these packets. A rate limiter SHOULD be applied to the well-known UDP port on the relay node as suggested in [RFC4379]. The node which acts as a relay node SHOULD validate the relay reply against a set of valid source addresses and discard packets from untrusted border router addresses. An implementation SHOULD provide such filtering capabilities. If an operator wants to obscure their nodes, it is RECOMMENDED that they may replace the replying node address that originated the Echo Reply with blank address in Relay Node Address Stack TLV. Other security considerations discussed in [RFC4379], are also applicable to this document. 7. Backward Compatibility When one of the nodes along the LSP does not support the mechanism specified in this document, the node will ignore the Relay Node Address Stack TLV as described in section 4.2. Then the initiator may not receive the Relay Node Address Stack TLV in Echo Reply message from that node. In this case, an indication should be reported to the operator, and the Relay Node Address Stack TLV in the next Echo Request message should be copied from the previous Echo Request, and continue the ping process. If the node described above is located between the initiator and the first relay node, the ping process could continue without interruption. 8. IANA Considerations IANA is requested to assign one new Message Type, one new TLV and one new Return Code. 8.1. New Message Type This document requires allocation of one new message type from "Multi-Protocol Label Switching (MPLS) Label Switched Paths (LSPs) Ping Parameters" registry, the "Message Type" registry: Value Meaning ----- ------- TBD MPLS Relayed Echo Reply Luo, et al. Expires June 8, 2015 [Page 13] Internet-Draft MPLS LSP Ping Relayed Echo Reply December 2014 The value should be assigned from the "Standards Action" range (0-191), and using the lowest free value within this range. 8.2. New TLV This document requires allocation of one new TLV from "Multi-Protocol Label Switching (MPLS) Label Switched Paths (LSPs) Ping Parameters" registry, the "TLVs" registry: Type Meaning ---- -------- TBD Relay Node Address Stack TLV A suggested value should be assigned from "Standards Action" range (32768-49161) as suggested by [RFC4379] Section 3, using the first free value within this range. 8.3. New Return Code This document requires allocation of one new return code from "Multi- Protocol Label Switching (MPLS) Label Switched Paths (LSPs) Ping Parameters" registry, the "Return Codes" registry: Value Meaning ----- ------- TBD Response Packet length was exceeded unexpected by the Relay Node Address Stack TLV unexpected The value should be assigned from the "Standards Action" range (0-191), and using the lowest free value within this range. 9. Acknowledgement The authors would like to thank Carlos Pignataro, Xinwen Jiao, Manuel Paul, Loa Andersson, Wim Henderickx, Mach Chen, Thomas Morin, Gregory Mirsky, Nobo Akiya and Joel M. Halpern for their valuable comments and suggestions. 10. Contributors Ryan Zheng JSPTPD 371, Zhongshan South Road Nanjing, 210006, China Email: ryan.zhi.zheng@gmail.com Luo, et al. Expires June 8, 2015 [Page 14] Internet-Draft MPLS LSP Ping Relayed Echo Reply December 2014 11. References 11.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC4379] Kompella, K. and G. Swallow, "Detecting Multi-Protocol Label Switched (MPLS) Data Plane Failures", RFC 4379, February 2006. 11.2. Informative References [I-D.ietf-mpls-seamless-mpls] Leymann, N., Decraene, B., Filsfils, C., Konstantynowicz, M., and D. Steinberg, "Seamless MPLS Architecture", draft- ietf-mpls-seamless-mpls-07 (work in progress), June 2014. Authors' Addresses Jian Luo (editor) ZTE 50, Ruanjian Avenue Nanjing, 210012, China Email: luo.jian@zte.com.cn Lizhong Jin (editor) Shanghai, China Email: lizho.jin@gmail.com Thomas Nadeau (editor) Lucidvision Email: tnadeau@lucidvision.com George Swallow (editor) Cisco 300 Beaver Brook Road Boxborough , MASSACHUSETTS 01719, USA Email: swallow@cisco.com Luo, et al. Expires June 8, 2015 [Page 15]