Re: [bess] Secdir last call review of draft-ietf-bess-mvpn-evpn-aggregation-label-10

"Jeffrey (Zhaohui) Zhang" <zzhang@juniper.net> Wed, 23 August 2023 01:02 UTC

From: "Jeffrey (Zhaohui) Zhang" <zzhang@juniper.net>
To: Robert Sparks <rjsparks@nostrum.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "bess@ietf.org" <bess@ietf.org>, "draft-ietf-bess-mvpn-evpn-aggregation-label.all@ietf.org" <draft-ietf-bess-mvpn-evpn-aggregation-label.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-bess-mvpn-evpn-aggregation-label-10
Thread-Index: AQHZtBGBXXFw4R4e60SJ+HFFTeDVJq/3Uo6w
Date: Wed, 23 Aug 2023 01:02:25 +0000
Message-ID: <BL0PR05MB56523521FF58C9527AC88C45D41CA@BL0PR05MB5652.namprd05.prod.outlook.com>
References: <168909151659.32968.7232771259274341256@ietfa.amsl.com>
In-Reply-To: <168909151659.32968.7232771259274341256@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/bCP6swbgSmrSbkKVmBilYmhO-NQ>
Subject: Re: [bess] Secdir last call review of draft-ietf-bess-mvpn-evpn-aggregation-label-10
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Aug 2023 01:02:49 -0000

Hi Robert,

Thanks for your review and for working with me offline on the security considerations.

I have posted the -11 revision, which addresses your comments and comments from others.

https://author-tools.ietf.org/iddiff?url1=draft-ietf-bess-mvpn-evpn-aggregation-label-10&url2=draft-ietf-bess-mvpn-evpn-aggregation-label-11&difftype=--html

Please let me know if you have any other comments.

Thanks!
Jeffrey


-----Original Message-----
From: Robert Sparks via Datatracker <noreply@ietf.org>
Sent: Tuesday, July 11, 2023 12:05 PM
To: secdir@ietf.org
Cc: bess@ietf.org; draft-ietf-bess-mvpn-evpn-aggregation-label.all@ietf.org; last-call@ietf.org
Subject: Secdir last call review of draft-ietf-bess-mvpn-evpn-aggregation-label-10



Reviewer: Robert Sparks
Review result: Has Nits

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other review comments.

This document is mostly ready for publication as a Proposed Standard RFC, but has nits (one bordering on an issue) to address before publication.

This document requires quite a bit of background provided outside of the document to make it meaningful. There is some effort to point to where essential concepts are defined, but a few more might be appropriate. It reads reasonably well, but I have provided some editorial comments at the end.

Nit bordering on issue:

The Security Considerations need more consideration. The essence of what's provided so far is "Nothing new to consider here, see RFC 5331, RFC 6514, RFC 7432, and RFC 8402 for the things you should really think about before using the procedures defined in this document".

It's not clear how the security considerations section in 5331 applies to these procedures - some discussion of what's important from that, and the other referenced docs, to _this_ document would be helpful. The primary concern seems to be entirely about the safe handling of, and consequences of (mis)provisioning of, labels. Is there not a concise discussion in the literature around these labels to point to?

Structural nit:

The last paragraph and four bullets at the end of section 3.2 appear to be a set of pre-condition requirements (something that can only be violated by mis-configuration) rather than something to test for at runtime. Consider stating this earlier and as a requirement on configuration of the system. Or, if I'm incorrect, say what to do should a receiving PE encounter this configuration.

Editorial nits:

Consider more explicit instruction where you require PEs to program things. I think "place an entry in" or similar would be clearer.

There is something that looks like normative text in the Terminology definition of SRGB (last sentence). Consider moving it into the body of the document, pointing to where it's specified (if specified elsewhere), or removing it.

At "This document simply specifies" (in 2.1) - what does "simply" mean here? Please see if you can avoid the term.

Consider rewriting the first sentence of 3.2 more directly (think about translation into other languages). Something like "The procedures here MAY be used when...". The "need not...unless" construction is difficult.

At the last sentence of section 2.2 (before 2.2.1), consider how this will read in a decade. Avoid "today's networks" and simplify "more and more".

Please break the single sentence paragraph at the end of page 12 (starting "When a PE receives an x-PMSI/IMEI") into several simpler sentences.

Consider reworking the first part of "A PE MUST NOT both carry the DCB flag...". The route is carrying the flag, not the PE.