[bess] Benjamin Kaduk's No Objection on draft-ietf-bess-evpn-proxy-arp-nd-11: (with COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Wed, 20 January 2021 06:51 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: bess@ietf.org
Delivered-To: bess@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 15F763A0962; Tue, 19 Jan 2021 22:51:21 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-bess-evpn-proxy-arp-nd@ietf.org, bess-chairs@ietf.org, bess@ietf.org, Matthew Bocci <matthew.bocci@nokia.com>, matthew.bocci@nokia.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.24.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <161112548105.6186.14010899890751165417@ietfa.amsl.com>
Date: Tue, 19 Jan 2021 22:51:21 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/ZxLPSsqoDlm0MJC_0mbI2F2n-_k>
Subject: [bess] Benjamin Kaduk's No Objection on draft-ietf-bess-evpn-proxy-arp-nd-11: (with COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2021 06:51:21 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-bess-evpn-proxy-arp-nd-11: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-bess-evpn-proxy-arp-nd/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thanks for this clear and well-written document; the effort that went into presenting the information really comes through. I basically just have editorial nits as comments, with a few substantive notes on the security considerations section. For most of the document I was convinced that I understood this point, but then Section 5.5 led me to question myself: in the "static provisioning" learning mode, is the IP->MAC mapping configured only at the PE that the CE using those addresses will attach to, or at all PEs in the BD? I can follow up out-of-band with some editorial suggestions either way. Abstract (and Introduction) This document describes the EVPN Proxy-ARP/ND function, augmented by the capability of the ARP/ND Extended Community [I-D.ietf-bess-evpn-na-flags]. From that perspective this document updates [RFC7432]. [...] nit: this paragraph doesn't do very much to tell me what the nature of the update is. If it's just to clarify how all the pieces fit together we might add a clause at the end ", to provide more comprehensive documentation of the operation of the system as a whole" or similar. (Some parts of it might also have worked as an RFC 2026 Applicability Statement, but it is probably not worth the trouble of trying to rework things at this stage, especially since what we have is already nicely laid out.) Section 3 There's a lot of information packed into the Figure, and the surrounding text does a great job describing it. Thank you! The Proxy-ARP/ND function can be structured in six sub-functions or procedures: (editorial) the text from here to the end of the section feels distinct from the explanation of the figure; it might benefit from getting promoted into a (sub)section of its own. Section 3.1 An entry MAY associate a configured static IP to a list of potential MACs, i.e. IP1->(MAC1,MAC2..MACN). When there is more than one MAC in the list of allowed MACs, the PE will not advertise any IP->MAC in EVPN until a local ARP/NA message or any other frame is received from the CE. [...] (nit) would it be better to phrase this as "until a frame (including local ARP/NA message) is received from the CE"? That seems to emphasize that any traffic will do, even if we expect that traffic to be ARP/NA. Section 3.1.1 o Hosts build a Default Router List based on the received RAs and NAs with R Flag=1. Each cache entry has an IsRouter flag, which must be set based on the R Flag in the received NAs. A host can nit: maybe "must be set for received RAs and is set based on the R flag [...]" Section 3.6 The distributed nature of EVPN and Proxy-ARP/ND allows the easy detection of duplicated IPs in the network, in a similar way to the MAC duplication function supported by [RFC7432] for MAC addresses. nit: is this "MAC duplication detection function"? IP1->MAC2 in the Proxy-ARP/ND table. Static IP->MAC entries, that is, locally provisioned or EVPN-learned entries (with I=1 in the ARP/ND Extended Community), are not subject to this procedure. [...] nit: I think the sentence is better without the parentheses, since the presence of I=1 is critical for correct functioning and not intrinsic to the entries being EVPN-learned. 1. The entry in duplicate detected state cannot be updated with new dynamic or EVPN-learned entries for the same IP. The operator MAY override the entry though with a static IP->MAC. nit: commas before and after "though". 2. The PE SHOULD alert the operator and stop responding ARP/NS for the duplicate IP until a corrective action is taken. nit: "stop responding to". for IP1. Since the AS-MAC is a managed MAC address known by all the PEs in the EVI, all the PEs MAY apply filters to drop nit: this seems to be the first time that we talk about the AS-MAC being a managed address and being known to all PEs in the EVI; it might be worth rewording in light of that or mentioning that in the definition of AS-MAC. Section 5.2 This scenario minimizes flooding while enabling dynamic learning of IP->MAC entries. The Proxy-ARP/ND function is enabled in the BDs of the EVPN PEs, so that the PEs intercept and respond to CE requests. nit: from context it seems like the "dynamic learning" here refers to the EVPN-learned entries, but in §3.1 we reserved the term "dynamic" for entries learned by local snooping. Since the next paragraph talks about snooping as an optional addition, we run into semi-conflicting usage of the term "dynamic". I would suggest (assuming the above is correct) rewording this to "while enabling learning of IP->MAC entries over the EVPN" or similar. Section 5.5 These rules are often called port security. Port security summarizes different operational steps that limit the access to the IXP-LAN, to the customer router and controls the kind of traffic that the routers are allowed to exchange (e.g., Ethernet, nit: this list lacks parallel structure; going with "limit the access to the IXP-LAN and the customer router, and controls the kind of traffic" would be okay. Section 6 I think it would be useful to reiterate that the security considerations of RFC 7432 and draft-ietf-bess-evpn-na-flags continue to apply (in addition to the useful text that is already present here). I guess ARP and IPv6 ND are arguably also applicable (AFAICT the security properties of the proxied scheme are very similar to those of native usage, in an environment that already has to trust the PEs and provider network that supply the EVPN to the same extent that one would otherwise trust an IP router). It would also be my personal preference (though I do not insist upon it) to note that EVPN does not inherently provide cryptographic protection (including confidentiality protection) despite the word "private" appearing in the name. (This is really a topic that should be addressed via a long-term IETF-wide shift towards just "virtual network" instead of "virtual private network", but I try to mention it when I can so as to socialize the idea.) I appreciate the discussion (earlier in the document) of the use of dummy MACs to suppress unknown ARP-Request/NS flooding, added in response to the opsdir review. Is it worth calling out the security/availability considerations of that technique from this section? ("No" is a perfectly fine answer.) Is it too banal to repeat that configuring the unicast-forwarding and/or flooding sub-functions to be disabled risks blocking service for a CE if the static configuration is broken? The solution also provides protection against Denial Of Service attacks that use ARP/ND-spoofing as a first step. [...] Are these DoS attacks described anywhere that we might reference for further reading? ("No" is a perfectly fine answer.) When EVPN and its associated Proxy-ARP/ND function are used in IXP networks, they provide ARP/ND security and mitigation. IXPs MUST If I understand correctly, this security/mitigation is provided in the face of malicious CE devices, but the system still requires that PEs are trusted and does not provide cryptographic or independently verifiable assurances of correct IP->MAC bindings. I would suggest being explicit about the threat that is being protected against, since by itself the term "security" is so vague so as to become almost meaningless. For example, IXPs should disable all unneeded control protocols, and block unwanted protocols from CEs so that only IPv4, ARP and IPv6 I suggest the parenthetical "so that (for example) only"; we do not really have much reason to preclude other ethertypes if desired by the IXP.
- [bess] Benjamin Kaduk's No Objection on draft-iet… Benjamin Kaduk via Datatracker
- Re: [bess] Benjamin Kaduk's No Objection on draft… Rabadan, Jorge (Nokia - US/Mountain View)
- Re: [bess] Benjamin Kaduk's No Objection on draft… Benjamin Kaduk
- Re: [bess] Benjamin Kaduk's No Objection on draft… Rabadan, Jorge (Nokia - US/Mountain View)