Re: [bess] Benjamin Kaduk's No Objection on draft-ietf-bess-evpn-proxy-arp-nd-11: (with COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Mon, 08 March 2021 23:18 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 513C73A19A7; Mon, 8 Mar 2021 15:18:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GL31WiuUc4tl; Mon, 8 Mar 2021 15:18:34 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 396943A19A6; Mon, 8 Mar 2021 15:18:34 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 128NIPns018469 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 8 Mar 2021 18:18:30 -0500
Date: Mon, 08 Mar 2021 15:18:25 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-bess-evpn-proxy-arp-nd@ietf.org" <draft-ietf-bess-evpn-proxy-arp-nd@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "bess@ietf.org" <bess@ietf.org>, "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>
Message-ID: <20210308231825.GO56617@kduck.mit.edu>
References: <161112548105.6186.14010899890751165417@ietfa.amsl.com> <MWHPR08MB35200D0B92E02A744F1AB683F7939@MWHPR08MB3520.namprd08.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <MWHPR08MB35200D0B92E02A744F1AB683F7939@MWHPR08MB3520.namprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/dXr8zL9PWmRyzqqxDXEvYiwztAI>
Subject: Re: [bess] Benjamin Kaduk's No Objection on draft-ietf-bess-evpn-proxy-arp-nd-11: (with COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Mar 2021 23:18:37 -0000
Hi Jorge, Thanks for these -- your proposals all sound good. With respect to your question about the "dummy MAC", I think I was referring to the AS-MAC (but I'm not 100% sure). I don't think there's anything about that topic that is critical to cover in the security considerations, so we should be okay with your editor's copy as-is. Thanks again, Ben On Mon, Mar 08, 2021 at 07:50:09PM +0000, Rabadan, Jorge (Nokia - US/Mountain View) wrote: > Hi Benjamin, > > > > Thanks for the thorough review. > > Please see my comments in-line with [jorge]. I’ll incorporate the changes in the next version. > > > > Thx > > Jorge > > > > > > ------------------------------------------------------------------------------------- > > From: Benjamin Kaduk via Datatracker <noreply@ietf.org> > > Date: Wednesday, January 20, 2021 at 7:51 AM > > To: The IESG <iesg@ietf.org> > > Cc: draft-ietf-bess-evpn-proxy-arp-nd@ietf.org <draft-ietf-bess-evpn-proxy-arp-nd@ietf.org>, bess-chairs@ietf.org <bess-chairs@ietf.org>, bess@ietf.org <bess@ietf.org>, Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com>, Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com> > > Subject: Benjamin Kaduk's No Objection on draft-ietf-bess-evpn-proxy-arp-nd-11: (with COMMENT) > > Benjamin Kaduk has entered the following ballot position for > > draft-ietf-bess-evpn-proxy-arp-nd-11: No Objection > > > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut this > > introductory paragraph, however.) > > > > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-bess-evpn-proxy-arp-nd/ > > > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > Thanks for this clear and well-written document; the effort that went > > into presenting the information really comes through. I basically just > > have editorial nits as comments, with a few substantive notes on the > > security considerations section. > > [jorge] thanks! > > > > For most of the document I was convinced that I understood this point, > > but then Section 5.5 led me to question myself: in the "static > > provisioning" learning mode, is the IP->MAC mapping configured only at > > the PE that the CE using those addresses will attach to, or at all PEs > > in the BD? I can follow up out-of-band with some editorial suggestions > > either way. > > [jorge] I added this in section 3.1 to clarify, let me know if you prefer different wording: > > “Static entries are provisioned from the management plane. A static entry is configured on the PE attached to the host using the IP address in that entry” > > > > Abstract (and Introduction) > > > > This document describes the EVPN Proxy-ARP/ND function, augmented by > > the capability of the ARP/ND Extended Community > > [I-D.ietf-bess-evpn-na-flags]. From that perspective this document > > updates [RFC7432]. [...] > > > > nit: this paragraph doesn't do very much to tell me what the nature of > > the update is. If it's just to clarify how all the pieces fit together > > we might add a clause at the end ", to provide more comprehensive > > documentation of the operation of the system as a whole" or similar. > > (Some parts of it might also have worked as an RFC 2026 Applicability > > Statement, but it is probably not worth the trouble of trying to rework > > things at this stage, especially since what we have is already nicely > > laid out.) > > [jorge] ok, I added: > > “From that perspective this document updates RFC7432 to provide more comprehensive documentation of the operation of the Proxy-ARP/ND function” > > > > > > Section 3 > > > > There's a lot of information packed into the Figure, and the surrounding > > text does a great job describing it. Thank you! > > > > The Proxy-ARP/ND function can be structured in six sub-functions or > > procedures: > > > > (editorial) the text from here to the end of the section feels distinct > > from the explanation of the figure; it might benefit from getting > > promoted into a (sub)section of its own. > > [jorge] done! Thanks. > > > > > > Section 3.1 > > > > An entry MAY associate a configured static IP to a list of potential > > MACs, i.e. IP1->(MAC1,MAC2..MACN). When there is more than one MAC > > in the list of allowed MACs, the PE will not advertise any IP->MAC in > > EVPN until a local ARP/NA message or any other frame is received from > > the CE. [...] > > > > (nit) would it be better to phrase this as "until a frame (including > > local ARP/NA message) is received from the CE"? That seems to emphasize > > that any traffic will do, even if we expect that traffic to be ARP/NA. > > [jorge] done. > > > > > > > > > > Section 3.1.1 > > > > o Hosts build a Default Router List based on the received RAs and > > NAs with R Flag=1. Each cache entry has an IsRouter flag, which > > must be set based on the R Flag in the received NAs. A host can > > > > nit: maybe "must be set for received RAs and is set based on the R flag > > [...]" > > [jorge] added: “Each cache entry has an IsRouter flag, which must be set for received RAs and is set based on the R flag in the received NAs” > > > > Section 3.6 > > > > The distributed nature of EVPN and Proxy-ARP/ND allows the easy > > detection of duplicated IPs in the network, in a similar way to the > > MAC duplication function supported by [RFC7432] for MAC addresses. > > > > nit: is this "MAC duplication detection function"? > > [jorge] yes, added “detection” > > > > IP1->MAC2 in the Proxy-ARP/ND table. Static IP->MAC entries, > > that is, locally provisioned or EVPN-learned entries (with I=1 in > > the ARP/ND Extended Community), are not subject to this > > procedure. [...] > > > > nit: I think the sentence is better without the parentheses, since the > > presence of I=1 is critical for correct functioning and not intrinsic to > > the entries being EVPN-learned. > > [jorge] good point, removed. > > > > > > 1. The entry in duplicate detected state cannot be updated with > > new dynamic or EVPN-learned entries for the same IP. The > > operator MAY override the entry though with a static IP->MAC. > > > > nit: commas before and after "though". > > [jorge] added > > > > 2. The PE SHOULD alert the operator and stop responding ARP/NS > > for the duplicate IP until a corrective action is taken. > > > > nit: "stop responding to". > > [jorge] fixed > > > > for IP1. Since the AS-MAC is a managed MAC address known by > > all the PEs in the EVI, all the PEs MAY apply filters to drop > > > > nit: this seems to be the first time that we talk about the AS-MAC being > > a managed address and being known to all PEs in the EVI; it might be > > worth rewording in light of that or mentioning that in the definition of > > AS-MAC. > > [jorge] added this in the definition: “AS-MAC: Anti-spoofing MAC. It is a especial MAC configured on all the PEs attached to the same BD and used for the Duplicate IP Detection procedures.” > > > > Section 5.2 > > > > This scenario minimizes flooding while enabling dynamic learning of > > IP->MAC entries. The Proxy-ARP/ND function is enabled in the BDs of > > the EVPN PEs, so that the PEs intercept and respond to CE requests. > > > > nit: from context it seems like the "dynamic learning" here refers to > > the EVPN-learned entries, but in §3.1 we reserved the term "dynamic" for > > entries learned by local snooping. Since the next paragraph talks about > > snooping as an optional addition, we run into semi-conflicting usage of > > the term "dynamic". I would suggest (assuming the above is correct) > > rewording this to "while enabling learning of IP->MAC entries over the > > EVPN" or similar. > > [jorge] you are right that 5.2 is confusing. I changed it to: > > “This scenario minimizes flooding while enabling dynamic learning of IP->MAC entries. The Proxy-ARP/ND function is enabled in the BDs of the EVPN PEs, so that the PEs snoop ARP/ND messages issued by the CEs and respond to CE ARP-requests/NS messages. > > PEs will flood requests if the entry is not in their Proxy table. Any unknown source MAC->IP entries will be learned and advertised in EVPN, and traffic to unknown entries is discarded at the ingress PE.” > > > > > > > > Section 5.5 > > > > These rules are often called port security. > > Port security summarizes different operational steps that limit the > > access to the IXP-LAN, to the customer router and controls the kind > > of traffic that the routers are allowed to exchange (e.g., Ethernet, > > > > nit: this list lacks parallel structure; going with "limit the access to > > the IXP-LAN and the customer router, and controls the kind of traffic" > > would be okay. > > [jorge] done. > > > > > > Section 6 > > > > I think it would be useful to reiterate that the security considerations > > of RFC 7432 and draft-ietf-bess-evpn-na-flags continue to apply (in > > addition to the useful text that is already present here). I guess ARP > > and IPv6 ND are arguably also applicable (AFAICT the security properties > > of the proxied scheme are very similar to those of native usage, in an > > environment that already has to trust the PEs and provider network that > > supply the EVPN to the same extent that one would otherwise trust an IP > > router). > > [jorge] agreed. Added. > > > > > > It would also be my personal preference (though I do not insist upon it) > > to note that EVPN does not inherently provide cryptographic protection > > (including confidentiality protection) despite the word "private" > > appearing in the name. (This is really a topic that should be addressed > > via a long-term IETF-wide shift towards just "virtual network" instead > > of "virtual private network", but I try to mention it when I can so as > > to socialize the idea.) > > [jorge] that sounds good to me. Added: “Note that EVPN does not inherently provide cryptographic protection (including confidentiality protection).” > > > > > > I appreciate the discussion (earlier in the document) of the use of > > dummy MACs to suppress unknown ARP-Request/NS flooding, added in > > response to the opsdir review. Is it worth calling out the > > security/availability considerations of that technique from this > > section? ("No" is a perfectly fine answer.) > > [jorge] not sure what you mean by the use of “dummy MACs”? > > > > Is it too banal to repeat that configuring the unicast-forwarding and/or > > flooding sub-functions to be disabled risks blocking service for a CE if > > the static configuration is broken? > > [jorge] sure, I added: “While the unicast-forward and/or flooding suppression sub-functions provide an added security mechanism for the BD, they can also increase the risk of blocking the service for a CE if the EVPN PEs cannot provide the ARP/ND resolution that the CE needs.” > > > > The solution also provides protection against Denial Of Service > > attacks that use ARP/ND-spoofing as a first step. [...] > > > > Are these DoS attacks described anywhere that we might reference for > > further reading? ("No" is a perfectly fine answer.) > > [jorge] It’s a generic statement, I fail to know what references to provide. If you have suggestions I’d be glad to add them. > > > > > > When EVPN and its associated Proxy-ARP/ND function are used in IXP > > networks, they provide ARP/ND security and mitigation. IXPs MUST > > > > If I understand correctly, this security/mitigation is provided in the > > face of malicious CE devices, but the system still requires that PEs are > > trusted and does not provide cryptographic or independently verifiable > > assurances of correct IP->MAC bindings. I would suggest being explicit > > about the threat that is being protected against, since by itself > > the term "security" is so vague so as to become almost meaningless. > > [jorge] sure, I added: “When EVPN and its associated Proxy-ARP/ND function are used in IXP networks, they provide ARP/ND security and mitigation against attacks from malicious CEs” > > > > For example, IXPs should disable all unneeded control protocols, and > > block unwanted protocols from CEs so that only IPv4, ARP and IPv6 > > > > I suggest the parenthetical "so that (for example) only"; we do not > > really have much reason to preclude other ethertypes if desired by the > > IXP. > > [jorge] added. > > > >
- [bess] Benjamin Kaduk's No Objection on draft-iet… Benjamin Kaduk via Datatracker
- Re: [bess] Benjamin Kaduk's No Objection on draft… Rabadan, Jorge (Nokia - US/Mountain View)
- Re: [bess] Benjamin Kaduk's No Objection on draft… Benjamin Kaduk
- Re: [bess] Benjamin Kaduk's No Objection on draft… Rabadan, Jorge (Nokia - US/Mountain View)