Hi Sean Turner
Thank you for the review. I am so sorry to reply after a long time. We need to update the document according to George's comments.
Now we have post v7, URL: http://www.ietf.org/internet-drafts/draft-ietf-mpls-lsp-ping-relay-reply-07.txt
The change lists are as below:
1. add a destination point in stack TLV to avoid potential loop.
2. add a source address in stack TLV, then the initiator could get the replying node address.
I also reply inline to your questions as below. Thank you.
Regards
Lizhong
From: Sean TurnerDate: 2014-12-14 03:29Subject: secdir review of draft-ietf-mpls-lsp-ping-relay-replyDo not be alarmed. I have reviewed this document as part of thesecurity directorate’s ongoing effort to review all IETF documents beingprocessed by the IESG. These comments were written with the intentof improving security requirements and considerations in IETF drafts.Comments not addressed in last call may be included in AD reviewsduring the IESG review. Document editors and WG chairs should treatthese comments just like any other last call comments.Version: 06Summary: Ready with some non-security/non-privacy nits.Ping mechanisms always give me the heebie-jeebies [1]because of the security concerns associated with them (i.e., DoS,spoofing/hijacking/etc., and unauthorized disclosure). This documentspecifies an extension to the existing ECHO mechanism in RFC 4379and it does nothing to address these concerns in fact it increases theconcerns wrt DoS. *BUT* it rightly points this increase exposure out inthe security considerations section. It provides remediation techniquessimilar to those specified in RFC 4379: rate limit and validate sourceagainst access list. This draft, unlike RFC 4379, does recommend thatoperators wishing to not disclose their nodes blank the address out inthe TLV. This draft also refers to RFC 4379 for additional securityconsiderations.WARNING - questions and nits follow:s3 - 1st paragraph: Relayed Echo Reply “replaces” Echo Reply - does thismean you’re deprecating the use of “Echo Reply”?[Lizhong] no. The reply message from any node to initiator will still be Echo Reply.But the reply message from replying LSR to a relay node or from a relay node toanother relay node will be Relayed Echo Reply.s4.1: Is the outermost label allowed to be set to 255 to support the“ping” mode or must it always be set to 1, 2, etc. to support “traceroute"mode - as described in RFC 4379 s4.3? I know s5 is just an examplebut it really looks like this extension is just supposed to be for faultisolation.[Lizhong] It is possible to set 255. One implementation in my mind is to manuallygenerate the stack TLV list, and the replying LSR could still relay the message backto the initiator according to the received stack TLV list. The case in the document isfor stack TLV list auto learning.s4.1 - last paragraph: Does the next initiator put it’s address in the stackbefore or after the previous initiator? I assume it’s after, but I maybemissed that part? Would be good to state that explicitly.[Lizhong] are you referring to section 4.2. There is some change in v7. Please helpto check again, to see if that is OK for you now.Cheers,spt[1] http://en.wikipedia.org/wiki/Heebie-jeebies_(idiom)