Re: [bess] Erik Kline's Discuss on draft-ietf-bess-evpn-proxy-arp-nd-11: (with DISCUSS and COMMENT)
"Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com> Wed, 17 March 2021 19:31 UTC
Return-Path: <jorge.rabadan@nokia.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E9D63A1250; Wed, 17 Mar 2021 12:31:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.148
X-Spam-Level:
X-Spam-Status: No, score=-2.148 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.248, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nokia.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id neVK9piHsTfN; Wed, 17 Mar 2021 12:31:08 -0700 (PDT)
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (mail-eopbgr680123.outbound.protection.outlook.com [40.107.68.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 636C03A1260; Wed, 17 Mar 2021 12:31:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=YHa2vKmIdSr2tlJ49pdS8lx1Eiwr2y/R2oyPkGOYObo2JsdXwL4Nt+EC7V2e6fUqhUZld9EAmoAX7B/NBOJEVlwkw6H7aM/m8kqIznj+VOaLovSS5PrCN76zbWYqacPH3UiRSKznjCGeSdM9fjjD1Kiaxw1X4AEg2T+MY1nsTNnVUH3ToDPp0n8EhQA3atpAkZuigtl43Rz8ryc9I8oQavJQGr/+IIAIRmz+pSgFBtM0IlbhNQgSh+U7LIWXzMilSfOJrJ33Qmswt1MNIywASsgyrotnHgWyc59YES2IJ6PDaCjLcBzlgT90oVlOo9Tp/F1wcXx2HZCG7qsG6F7ZDg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=36fXCrA1b4Ciqdl+nS+rxbX9QzxIzLhrIF+iCV+5iyY=; b=dY8FFaRgMLpMjCtcOwxfDbA7c1nYLbir+3ZEkKUejWJDvh7FMzG1BM+Fj+4xiJ9z7BIkyK+es1lsTwMeh5wcgQVHdfpG0i4Bxj1HJtcPJUkWVHmrzQ9CA8g/Yu/JthSNpmEuERkMCpMDlEbq+lVdW7+jsPjHF0Xph+z0CLRG6vv5ir1W4KietE/d9hYHnKUUs9xoDp7eN/oOkAWWev1Md0t/wGiTGt4w65s/5/RWrt77JKK6q6yqhUv+MCJscknAXfX6Mb07qwlGJPYgZ8idwL7ndBpzHK51rbKf+SL+e8UQZ8sNmp2LKDzDNvl9fuxHsT4YH/Ob+GBQtwi0k8GhRw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nokia.com; dmarc=pass action=none header.from=nokia.com; dkim=pass header.d=nokia.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.onmicrosoft.com; s=selector1-nokia-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=36fXCrA1b4Ciqdl+nS+rxbX9QzxIzLhrIF+iCV+5iyY=; b=rIGn6Zjk1b7fZe/2GCkP7/zXvAeQZWM7oeaeoSbbQrm/GCxpKL7XpRisG3NhBB+AwFltqr3ZDmYC97PY5QubnYdDtWTSgyPpKGzYcyhCFDcvuKYnKfnMfajC8EUSvBe3/b4EOXmVd8F0ePjap2Hoprm27K0KujmJIloIqcCTdWY=
Received: from MWHPR08MB3520.namprd08.prod.outlook.com (2603:10b6:301:61::15) by CO2PR0801MB2328.namprd08.prod.outlook.com (2603:10b6:102:10::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3933.32; Wed, 17 Mar 2021 19:31:04 +0000
Received: from MWHPR08MB3520.namprd08.prod.outlook.com ([fe80::3df6:7840:7369:73a6]) by MWHPR08MB3520.namprd08.prod.outlook.com ([fe80::3df6:7840:7369:73a6%6]) with mapi id 15.20.3933.032; Wed, 17 Mar 2021 19:31:04 +0000
From: "Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com>
To: Erik Kline <ek.ietf@gmail.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-bess-evpn-proxy-arp-nd@ietf.org" <draft-ietf-bess-evpn-proxy-arp-nd@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "bess@ietf.org" <bess@ietf.org>, "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>
Thread-Topic: Erik Kline's Discuss on draft-ietf-bess-evpn-proxy-arp-nd-11: (with DISCUSS and COMMENT)
Thread-Index: AQHW78X5HGRV4oalxEOnfMTcq5ZeeKqIuTj2
Date: Wed, 17 Mar 2021 19:31:04 +0000
Message-ID: <MWHPR08MB3520F0C478223ACD5502358EF76A9@MWHPR08MB3520.namprd08.prod.outlook.com>
References: <161121365458.7173.470020047466412216@ietfa.amsl.com>
In-Reply-To: <161121365458.7173.470020047466412216@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=nokia.com;
x-originating-ip: [135.245.20.5]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 68503910-43c5-4c2d-060f-08d8e97b3470
x-ms-traffictypediagnostic: CO2PR0801MB2328:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <CO2PR0801MB232883B9483F4877A75AEE8FF76A9@CO2PR0801MB2328.namprd08.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: kAdLOk3CIl/UcBguA8AYJvTE9RDrHFTtnxF4AMktZbLITfpdgvpHyx5MPvp2o+tmOsX4SWQFemV8C/jhoDSS38qtB5jM/wvE4EwuHm8g/nXjmq/uy9pvzw0ksspNMgTAMaIzDhXybsvZdzK3Din9LweweraVeGM8lXy6rKAb/qZ8DlR4qpaNqlOopljA3I0TUqeugs4EDkgWMBIFMsdNf+r1rNQQKnqtyg4RScbC9fSSibZiehRyqVbNtZDNyuU+ziUh1snN8GTCPuuWoiDKxKvLfeVQwwc3UxpyzcxsFwojEkW8SKmSPh2c2yTmTCkLFggoKWQqm2K52eUtPsm94L1BVsyjVbAx7ZrHFykCSRCwuu3Gg21psBg+YJGAUasjBk0cCMncfIoTtfqs5IVVqNBgRsEm+7acEybiXdHAWsBmKjjIJOrM7JTn0VU11+XYLMoICSXz9GN8cYQZohQa0uWvMOJlE/n8F6quT6W8dTL7D6IUgyRIJyv6xVB/Rm4/9NYg216dtzZS3m4QqBu7jLoVSjccFcvXdbJCKlg/suC0xddKX1HLtk+IDdsMlFbUN086eqkLzFfOHie+WohNf9M3QbRl9Py6ont4yQ4NTMvAXZeCu+YQd5zyfrNPRGKi2CexdEwO94JD9MdMBGaoyg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MWHPR08MB3520.namprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(39860400002)(396003)(376002)(346002)(136003)(4326008)(33656002)(91956017)(71200400001)(66556008)(66946007)(8936002)(54906003)(8676002)(66476007)(53546011)(64756008)(66446008)(186003)(2906002)(9326002)(110136005)(55016002)(107886003)(9686003)(316002)(5660300002)(6506007)(966005)(52536014)(86362001)(30864003)(7696005)(83380400001)(166002)(76116006)(66574015)(478600001)(21615005)(26005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: z6AoSLiE+ExgnbsRk7cR5qv1q81puwpWcTTRzqh1Cl4YxsKM2DQo+qW100hPhaLZxOKPt8xSs3RxGq4mJhAAtfM7rCTFWaltNiQ6SrfIT9GdIHi9fEvbilS2Ffaf0NVtKP2bKYbXa2XBvRS5+Waa6C119KiNMvoMUpIajAPHde4VSJdSSyB7DznBRovMb7LhttKdr3j6BRh0rU1fWbT4XilGcIusc5RdQat8kplYPp23q+bq4IiIYcKwalCSuvUozVH54WJAtVc9iQRQG7sHTtTRvOVyD3ThqGx+ijjm2VouZ/bUl5pP6sLW8vF2DIAQ/z+HmZOIZBdU7OmKE8UnDpnXa1KHlCU/GnNMNrZc0AvxvJZyCI24w+FpS7XU2tsr6ck+UrRG1fJSHWGEbr0/ZTwQ0mMBbMKURyylfUSrYJXir1GkUniYkgAgO48+UyheT/Yihks3IDYFcHQXqyPf5ZZUaQDkVSSzbu3c66UXbaUahG2mzBrezvAGKguw85UwiFMJGu6upwnwL3xWgWpr2R4URF9KIgMaUi1SUA3MS5D1DwM/ckFnoGoGkrsgUwSi9bazy2yjdt+NeQR2w15KQg0lAKObg5roaByHsQAwjLNUYCRwZuoT4NKDrXRZEAcQsQ8QQxPyh4N0mFIBVhRJ549ZAvAERTUI5ESgylFQaDD+xbhVppvZVd4WccqdI++RKqtzLjrTNGeqW4GOLEhyK4tb9WL/X/q0F/ZcD5SNBz6MGHMWSDE9DGmHE2V8N404VrP+yu0XRS21YItg8dYdwVpWRSZgrY9K91+xies6P63fSHKgKXyi99QUFJHgVTX3RwcVGbpI977h3C2FT+W/jqGkLrLeO+d06XQa4WMXU6jsRX4NxyrBHZ3wk4B3Qlpds8F6CFaD3k+lDLT8Czr7KGZEIIPirDJ+3t0xUm9OD+7w2i2boNmcjbNDA6sDDMIyP8lHCYnAJ5aS9lTBRTOLKdflbtRzSdQ09w92o9JsSzroEEap66beKPfXmDx+hSpmzXuLjbSvXIbiHX10p5XgJWypt3OCCgAo5pQNOmqaIUT0RkFuYUjShAkNhBtbzX7FSlTLHo7Mje6l90Hd3HhmDPuTtgOMe5Vue2jNLYb9J/1rbOYYlJHDO8ouLeESUx7D2FP+NCyI43fpyekV+D26m/5C9DSDZGJpBtZr3wqPBBcv9x2u251Al1+iC7HeUil9lA942GNgRSr4TnbRliOmZbRsH6YatoFhS0YBSqowQ5EQdJ07dm7hNDbZjWUMYmFTnFfueXedeX7tkaPqX6+7+Avp2xS8Xk+dQv/DvZc6sOnHGWfdwJRYvKri+nND8sDlunm9SbPiHwmpn6vCY6oxxA==
Content-Type: multipart/alternative; boundary="_000_MWHPR08MB3520F0C478223ACD5502358EF76A9MWHPR08MB3520namp_"
MIME-Version: 1.0
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MWHPR08MB3520.namprd08.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 68503910-43c5-4c2d-060f-08d8e97b3470
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Mar 2021 19:31:04.1881 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: FIwV65W4WxbG2N4ZSuEeCFvDa24Jq7qCfKbrfzJYYzI+hehKvS2D3FFmHA0vfZ2HdIaExy9hxEH6zMrsqpawgA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO2PR0801MB2328
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/YRTdvm5252ir8D_8KSxuVxsxj3c>
Subject: Re: [bess] Erik Kline's Discuss on draft-ietf-bess-evpn-proxy-arp-nd-11: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Mar 2021 19:31:19 -0000
Hi Erik, Thank you for your thorough review. Will publish a new version addressing your great comments as well as the ones in other reviews too. Please see in-line with [jorge]. Thx Jorge From: Erik Kline via Datatracker <noreply@ietf.org> Date: Thursday, January 21, 2021 at 8:21 AM To: The IESG <iesg@ietf.org> Cc: draft-ietf-bess-evpn-proxy-arp-nd@ietf.org <draft-ietf-bess-evpn-proxy-arp-nd@ietf.org>, bess-chairs@ietf.org <bess-chairs@ietf.org>, bess@ietf.org <bess@ietf.org>, Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com>, Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com> Subject: Erik Kline's Discuss on draft-ietf-bess-evpn-proxy-arp-nd-11: (with DISCUSS and COMMENT) Erik Kline has entered the following ballot position for draft-ietf-bess-evpn-proxy-arp-nd-11: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-bess-evpn-proxy-arp-nd/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- [ meta ] * I appreciate the attempt to explicitly discuss handling NS/NA messages with not-previously-seen options. Thank you for that. It seems to me, however, that the proposed approach to proceed with setting the current capabilities in concrete but point to things like "unicast-forward" as a relief valve, even though 3.2-f seems to say the multicast packets (i.e. on cache miss) should be discarded (implying the unicast mapping might never be learned in the first place?). [jorge] I think you are saying that the spec should also allow an option to forward, even if the MAC DA of the IP owner is not known on the PE. That sounds reasonable, although I would think operators who implemented the draft in their EVPN networks would prefer more security and not allow flooding ARP-Requests/NS with unknown options. I modified 3.2-f as follows, let me know if that addresses your concern: f. A PE MUST only reply to ARP-Request and NS messages with the format specified in [RFC0826] and [RFC4861] respectively. Received ARP-Requests and NS messages with unknown options SHOULD be either forwarded (as unicast packets) to the owner of the requested IP (assuming the MAC is known in the Proxy-ARP/ND table and BD) or discarded. An option to flood ARP-Requests/NS messages with unknown options MAY be used. The operator should assess if flooding those unknown options may be a security risk for the EVPN BD. An administrative option to control this behavior ('unicast-forward', 'discard' or 'forward') SHOULD be supported. The 'unicast-forward' option is described in Section 3.4. [ general ] * When a PE reboots, should it do MLD (e.g. 2710, 3810, ...) of some kind to gather critical state so that it doesn't have to wait for CEs to have problems? [jorge] hmm...in this document the PEs provide a layer-2 BD for the CEs that they connect (the PEs do not generally have IP interfaces in that BD). If no MLD-snooping is enabled in the BD, the ND multicast messages are flooded to all the CEs attached to the local PE or remote PEs. So upon reboot, when the PE is back online it will start building its proxy-ARP/ND database again, and in the meantime it will flood NS that do not hit an entry. Whether the operator decides to use MLD snooping or not on the same BD where proxy-ARP/ND is enabled, is out of scope of this document... we can add a sentence say that, do you think it is needed? Let me know if I am misunderstanding please. [ section 3.1 ] * To my knowledge there is no concept in IPv6 of a link where anycast/O=0 NAs only propagate partway through a broadcast domain. In practice, if I understand the architecture correctly, O=0 NAs will propagate to all CEs "behind" a given PE but, if anycast=false, no further. This could lead to a difficult to debug scenario (though I admit this is probably quite rare). Note that 4861-7.2.4 implies that most nodes sending NAs for their own addresses will adhere to "the Override flag SHOULD be set to one". This is not a MUST, though. Dropping all O=0 NAs might affect some implementations that don't comply with this SHOULD. I have no idea how many implementations this might affect (in practice, I suspect none?), but... I think it might need to be considered. [jorge] the NA messages with O Flag = 0 should not be dropped, they are normally forwarded by the PE based on the MAC DA. The only consideration is that the IP->MAC bind will only be learned on the proxy-ND table if the ‘anycast’ capability is enabled in the PE’s BD. Otherwise the NA message will be normally forwarded, its IP->MAC not being learned. We added a sentence to clarify that: Note that if the O Flag is zero in the received NA message, the IP->MAC SHOULD only be learned in case IPv6 'anycast' is enabled in the BD. Irrespective, an NA message with O Flag = 0 will be normally forwarded by the PE based on a MAC DA lookup. [ section 3.1.1/3.2 ] * I was not able to understand what the typical disposition of the O bit is supposed to be in these proxied NAs. Is the intent to default to O=0 so that local O=1 can be preferred (vis. 4861-7.2.4 and 4389)? Or will it more typically be set to O=1 (as if just replaying the NA that was learned by another PE)? [jorge] normally the PE will learn an IP->MAC bind, e.g., IP1->MAC1, in its proxy-nd table from received NA messages with O=1 or EVPN routes with O=1. Hence when replying to received NS for IP1 the PE will issue an NA with O=1. However, the document also allows to configure the support for “anycast” in the proxy-nd function, in which case, the PE proxy-nd function will learn IP1->MAC1 with O=1 or 0, depending on how the flag is set on the received NA or EVPN route for IP1->MAC1. I modified the text to clarify this: Note that, typically, IP->MAC entries with O=0 will not be learned, and therefore the Proxy-ND function will reply to NS messages with NA messages that contain O=1. However, this document allows the configuration of the "anycast" capability in the BD where the Proxy- ND function is enabled. If "anycast" is enabled in the BD and an NA message with O=0 is received, the associated IP->MAC entry will be learned with O=0. If this "anycast" capability is enabled in the BD, Duplicate IP Detection must be disabled so that the PE is able to learn the same IP mapped to different MACs in the same Proxy-ND table. If the "anycast" capability is disabled, NA messages with O Flag = 0 will not create a Proxy-ND entry (although they will be forwarded normally), hence no EVPN advertisement with ARP/ND Extended Community will be generated. [ section 3.2 ] * Item (f) as currently written would break Enhanced DAD (RFC 7527), would it not? [jorge] when addressing Jean-Michel’s concerns, we changed the text to the following. Hopefully that clears your concern too? Let me know please: f. A PE MUST only reply to ARP-Request and NS messages with the format specified in [RFC0826] and [RFC4861] respectively. Received ARP-Requests and NS messages with unknown options SHOULD be either forwarded (as unicast packets) to the owner of the requested IP (assuming the MAC is known in the Proxy-ARP/ND table and BD) or discarded. An option to flood ARP-Requests/NS messages with unknown options MAY be used. The operator should assess if flooding those unknown options may be a security risk for the EVPN BD. An administrative option to control this behavior ('unicast-forward', 'discard' or 'forward') SHOULD be supported. The 'unicast-forward' option is described in Section 3.4. [ section 3.6 ] * "Duplicate IP Detection for IPv6 SHOULD be disabled when IPv6 'anycast' is activated in a given EVI." This doesn't seem like the right response to me. It should be okay to keep doing DAD for O=1 addresses regardless of the setting of this 'anycast' option, I would have thought. [jorge] yes, the DAD procedures implemented by the CEs should continue, and this is out of the scope. The sentence refers to the procedure in this section which only affects the PEs. We changed the text to clarify, let me know if it makes sense please: The Proxy-ARP/ND function SHOULD support duplicate IP detection as per this section so that ARP/ND-spoofing attacks or duplicate IPs due to human errors can be detected. For IPv6 addresses, CEs will continue to carry out the DAD procedures as per [RFC4862]. The solution described in this section is an additional security mechanism carried out by the PEs that guarantees IPv6 address moves between PEs are legit and not the result of an attack. <snip> For Proxy-ND, the Duplicate IP Detection described in this section SHOULD only monitor IP moves for IP->MACs learned from NA messages with O Flag=1. NA messages with O Flag=0 would not override the ND cache entries for an existing IP, and therefore the procedure in this section would not detect duplicate IPs. This Duplicate IP Detection for IPv6 SHOULD be disabled when the IPv6 "anycast" capability is activated in a given BD. [ section 5.5 ] * I think that recommending Reply Sub-Functions discard NS packets of unexpected for means, in practice, no new NS option or flag can ever really be made to work. The PE(s) serving the CE(s) that make "new NS" solicitations will all need to be upgraded, and it's not immediately clear to me that remote PEs wouldn't also need to be upgraded (to support a possible "new NA"in response). If this is in fact likely to be the operational reality then I think this limitation probably needs to be noted explicitly. [jorge] is this concern addressed with the previous comment about item f)? please let me know. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- [[ comments ]] [ section 3.1.1 ] * " ... If no ARP/ND Extended Community is received, the PE will add a configured R Flag/O Flag to the entry. This configured R Flag SHOULD be an administrative choice with a default value of 1." This reads as though the R flag should be added essentially by default? I realize that might seem reasonable on a broadcast domain populated by almost entirely by routers but it might cause confusion w.r.t. any hosts/servers added to the broadcast domain. It seems like it might be better if the flags were always learned reliably, propagated reliably, and never presumed? [jorge] yes, the intent is that flags for EVPN-learned entries are always learned from the extended community. However the ARP/ND extended community is recent and not supported by RFC7432 PEs, where the proxy-ARP/ND function was already there, so this default configuration provides a backwards compatibility option. I added a sentence to reflect that: The configuration of this administrative choice provides a backwards compatible option with EVPN PEs that follow [RFC7432] but do not support this specification. I guess a host being mistaken for a router that never actually sends an RA doesn't cause any real problems in other nodes' ND tables. I would think, though, that if R were presumed to be 0 then it would force R bit learning and propagation to be made to work reliably and be more easily detected if it doesn't. [jorge] I agree, and this document provides the tools for the R flag to be correctly learned and propagated in EVPN. As mentioned, we also wanted to cover the backward compatibility cases for RFC7432 EVPN PEs. [ section 5.6 ] * Saying that anycast is not a requirement for IXPs seems like maybe a bit presumptuous speaking for all IXPs (maybe someone wants an anycast on-link NTP/PTP service?). Perhaps just say that it's not /typically/ a requirement for IXPs? [jorge] agreed, I added “typically”, thanks. [[ nits ]] [ section 1 ] * "BD: Broadcast Domain" is listed twice. [jorge] fixed, thanks. [ section 2.2 ] * s/go worse/grow worse/, perhaps [jorge] changed, thanks. [ section 3.1 ] * s/to the all/to all/ [jorge] fixed, thanks.
- [bess] Erik Kline's Discuss on draft-ietf-bess-ev… Erik Kline via Datatracker
- Re: [bess] Erik Kline's Discuss on draft-ietf-bes… Rabadan, Jorge (Nokia - US/Mountain View)
- Re: [bess] Erik Kline's Discuss on draft-ietf-bes… Erik Kline
- Re: [bess] Erik Kline's Discuss on draft-ietf-bes… Rabadan, Jorge (Nokia - US/Mountain View)