Re: [bess] Secdir last call review of draft-ietf-bess-evpn-optimized-ir-09

"Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com> Wed, 17 November 2021 09:07 UTC

From: "Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com>
To: Derek Atkins <derek@ihtfp.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "bess@ietf.org" <bess@ietf.org>, "draft-ietf-bess-evpn-optimized-ir.all@ietf.org" <draft-ietf-bess-evpn-optimized-ir.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-bess-evpn-optimized-ir-09
Date: Wed, 17 Nov 2021 09:07:05 +0000
Message-ID: <BY3PR08MB7060E2DD04FE114DEEE3F681F7959@BY3PR08MB7060.namprd08.prod.outlook.com>
References: <163361121039.16337.12285140758441545338@ietfa.amsl.com>
In-Reply-To: <163361121039.16337.12285140758441545338@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/8wVFvFP5vxJFU-_CCMqZWa03ito>

Hi Derek,

Thank you very much for reviewing.

The Security section (along with the other sections) has been improved quite a bit in the latest revision compared to version 09.

All in all, a forged BM packet sent into an EVPN PE will reach all the remote EVPN PEs of the same Broadcast Domain. The Assisted-Replication solution makes that replication no worse than that, i.e. forged BM packets injected into an EVPN PE acting as an AR-LEAF will be forwarded to all the remote EVPN PE/NVEs of the same Broadcast Domain.

Thanks.
Jorge

From: Derek Atkins via Datatracker <noreply@ietf.org>
Date: Thursday, October 7, 2021 at 2:53 PM
To: secdir@ietf.org <secdir@ietf.org>
Cc: bess@ietf.org <bess@ietf.org>, draft-ietf-bess-evpn-optimized-ir.all@ietf.org <draft-ietf-bess-evpn-optimized-ir.all@ietf.org>, last-call@ietf.org <last-call@ietf.org>
Subject: Secdir last call review of draft-ietf-bess-evpn-optimized-ir-09
Reviewer: Derek Atkins
Review result: Ready

Hi,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written with the intent of improving
security requirements and considerations in IETF drafts.  Comments
not addressed in last call may be included in AD reviews during the
IESG review.  Document editors and WG chairs should treat these
comments just like any other last call comments.

Summary:

* Ready to Publish

Details:

* It is unclear to me how one would protect from a (D)DoS attack with
  a forged BM packet sent into the replicator and prevent
  amplification attacks.

-derek
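A small model, added here and not part of the thread or of the draft, of the amplification argument in Jorge's reply: one forged BM packet injected at a PE yields N-1 remote deliveries under ingress replication and the same N-1 under Assisted-Replication, with the fan-out moved from the ingress AR-LEAF to the AR-REPLICATOR. The PE names, the single-replicator topology and the BroadcastDomain class are constructed assumptions, not taken from any implementation.

```python
"""Simplified model of BM replication in one EVPN Broadcast Domain (BD).

Constructed abstraction of Ingress Replication (IR) and Assisted-Replication
(AR) with a single AR-REPLICATOR; it counts packet copies only and models
no encapsulation, BGP signalling or other control-plane detail.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class BroadcastDomain:
    pes: set[str]                                   # all PEs/NVEs in the BD
    replicators: set[str] = field(default_factory=set)  # PEs acting as AR-REPLICATOR

    def ingress_replication(self, ingress: str) -> list[tuple[str, str]]:
        """IR: the ingress PE itself sends one copy to every other PE in the BD."""
        return [(ingress, pe) for pe in sorted(self.pes) if pe != ingress]

    def assisted_replication(self, ingress: str, replicator: str) -> list[tuple[str, str]]:
        """AR: an AR-LEAF sends a single copy to its AR-REPLICATOR, which fans
        the packet out to every other PE in the BD but never back to the
        originating leaf. A packet injected directly at the replicator is
        simply fanned out by the replicator itself."""
        if replicator not in self.replicators:
            raise ValueError(f"{replicator} is not an AR-REPLICATOR in this BD")
        hops: list[tuple[str, str]] = []
        if ingress != replicator:
            hops.append((ingress, replicator))       # leaf -> replicator
        hops += [(replicator, pe) for pe in sorted(self.pes)
                 if pe not in (ingress, replicator)]  # replicator -> everyone else
        return hops


def delivered(hops: list[tuple[str, str]]) -> set[str]:
    """Set of PEs that receive a copy of the injected packet."""
    return {dst for _, dst in hops}


def sends_by(hops: list[tuple[str, str]], node: str) -> int:
    """Number of copies a given PE has to transmit for one injected packet."""
    return sum(1 for src, _ in hops if src == node)


if __name__ == "__main__":
    bd = BroadcastDomain(pes={f"PE{i}" for i in range(1, 7)}, replicators={"PE1"})
    ir, ar = bd.ingress_replication("PE3"), bd.assisted_replication("PE3", "PE1")
    print("IR deliveries:", len(ir), "AR deliveries:", len(ar))
    print("copies sent by PE3: IR", sends_by(ir, "PE3"), "AR", sends_by(ar, "PE3"))
    print("copies sent by replicator PE1 under AR:", sends_by(ar, "PE1"))
```

The comparison shows the reviewer's point and the author's answer side by side: the number of remote PEs reached per forged packet is identical in both modes, while under AR the replication work is concentrated on the AR-REPLICATOR rather than the ingress PE.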