IETF Logo Mail Archive

Re: [bess] Benjamin Kaduk's No Objection on draft-ietf-bess-evpn-proxy-arp-nd-11: (with COMMENT)

"Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com> Tue, 09 March 2021 08:54 UTC

Return-Path: <jorge.rabadan@nokia.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E7183A17D2; Tue, 9 Mar 2021 00:54:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.148
X-Spam-Level:
X-Spam-Status: No, score=-2.148 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.248, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nokia.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ejnDy7FBRM6Q; Tue, 9 Mar 2021 00:54:23 -0800 (PST)
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10on2101.outbound.protection.outlook.com [40.107.92.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 143253A17D3; Tue, 9 Mar 2021 00:54:22 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SMTT/Muhp8VYEUgQmNBkRv9RMKMA0JBHcr5p/7PD2DHCJhLJc2pXA4qV+8cIERPTBbNUOQkIMKG0cRRNlFL5UZ2lasYZeovRGbRqJPsJ91c2nZIG9kEC8DJJrFT/hVcfx/nF+ZnJl3WXLWVuaCb7NDGjUtx3cNhngfCZqBzYnik0PMQM0zCIaVWOQVXSSeWMSG9SWUWZ0dRjtzLTZqIkuH3jJoV79QbsZFI3WCjYyb21dD+n80MG+QUQHK7oAGH3kJYWYeOQgS5ztdXv8asb+aWTYJgNMeq7aABEsdtvxmakRfz7uBTVnQ7N21KJR4bD8Z/3NTz3c1rHrSM+08mWqg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DD95UusMcZXhXd1a2xEmKuMjO2w4SOdf4ZIMS7xMPU4=; b=G/xI+I6cY1AIC+QRyV8YUCSQjEpTc8MqsiVHgnby852MUbfrS6KGREkkILgJtN6b9sjPAoa367Z7tzm8PVx0rN2Jo7GOTR8CX3jfD84sZkz6VaxPwZFydFsuzka+kKwLy3Ujt/KXc5UD2L3h00UsBSU5W2Pd4Rp/aV6yPH79PgJsv1DX+ur7AxuXZg4xqzTC2Bkff6vQKE83Q10EcKlpGU/K3bD6oCJpaHJCyPhvXLtznOrXH3LW+MYECojKnvpGzCFNyV4Ti5Oj8LhRtFVd/BnIgeylgS1ruSBcpB9Sug04jtXguqG0bVD/fSoflONc5lqMJ1OZAyfL9SxLJXWwXQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nokia.com; dmarc=pass action=none header.from=nokia.com; dkim=pass header.d=nokia.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.onmicrosoft.com; s=selector1-nokia-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DD95UusMcZXhXd1a2xEmKuMjO2w4SOdf4ZIMS7xMPU4=; b=x6jfmlqaAOvuLq4u3LpKi3jQOgyWsT/xcgY9G3nStvm8ty03MXKTCScHqbEdOsnnPaL6xrtEi6BOH/Y5Y2fJtk4zwgvvPR4f1QSm6k4aKgWerUWxKmgrJOx6H4Vu+5VsnL01BFCZLVaxSXBDKADF3yCJGRv1H2786tVQoV8TdTU=
Received: from MWHPR08MB3520.namprd08.prod.outlook.com (2603:10b6:301:61::15) by CO1PR08MB7176.namprd08.prod.outlook.com (2603:10b6:303:d8::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3912.17; Tue, 9 Mar 2021 08:54:15 +0000
Received: from MWHPR08MB3520.namprd08.prod.outlook.com ([fe80::3df6:7840:7369:73a6]) by MWHPR08MB3520.namprd08.prod.outlook.com ([fe80::3df6:7840:7369:73a6%6]) with mapi id 15.20.3912.027; Tue, 9 Mar 2021 08:54:15 +0000
From: "Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: The IESG <iesg@ietf.org>, "draft-ietf-bess-evpn-proxy-arp-nd@ietf.org" <draft-ietf-bess-evpn-proxy-arp-nd@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "bess@ietf.org" <bess@ietf.org>, "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>
Thread-Topic: Benjamin Kaduk's No Objection on draft-ietf-bess-evpn-proxy-arp-nd-11: (with COMMENT)
Thread-Index: AQHW7viwqstDbgs750yiHvjCrwCKYKp6r5x5gABVIICAAKCuMg==
Date: Tue, 09 Mar 2021 08:54:15 +0000
Message-ID: <MWHPR08MB352077C58D1E7D9E558D04FFF7929@MWHPR08MB3520.namprd08.prod.outlook.com>
References: <161112548105.6186.14010899890751165417@ietfa.amsl.com> <MWHPR08MB35200D0B92E02A744F1AB683F7939@MWHPR08MB3520.namprd08.prod.outlook.com>, <20210308231825.GO56617@kduck.mit.edu>
In-Reply-To: <20210308231825.GO56617@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: mit.edu; dkim=none (message not signed) header.d=none;mit.edu; dmarc=none action=none header.from=nokia.com;
x-originating-ip: [135.245.20.5]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: e16532c6-9310-4ea4-6808-08d8e2d8eae9
x-ms-traffictypediagnostic: CO1PR08MB7176:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <CO1PR08MB71761F8612F8CDA70DC3B71AF7929@CO1PR08MB7176.namprd08.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: oDGwfWF4CmsQShH41GB0csHuQ14gdC6S6+FbUrtH6f19VFMIgo8svCb20HKYBz74YU/ii41o6gY7G0f5ztXsZiXDWT0d0pFIamRfd6XGpsegxQNAGcXoCWcZjXPIzsWoALD+RxJd7MUMA/UrbyIznpJj5TMTza1O7BYTrFw8VMpYQSpV266pskvx1pONOpn//TbfksTLmZ+ipICf9SMSFV4YQIJ/4zUVFkDlxbAq85xinyCRqdGNnMY7dqqOKqh7drHScoj7hkh9tZRy4cvFQrRha/RAJyIVsG0x+nWoRm3Cns2BAo9/c2ADn5ablasNBj23U1Tq7fkuAH7okKgTBQaNir/l4KjQqGRlQhuE92QE/Nzl3mOSPVUJVeYUsbvnUY0a6V04W4IU49YFYvkuTaK2z6q+Li2yVcBjOk3/p0LKE8iwQ5fEAZn46DH+htQG7RUMA6jOOrFOIOAAK+CZ/qV73jbVBAXvmWOeutvnvHU5mYMWA+TjizHW/ZZP1mFdiEmLLx8LwvwaTLqS4f98j9oLHSlbLuvUktybL7qa2KuhHhGLAX/KjlfxqKq2LSnDmZpyceF48GZCyZAnS/2ZOOQF3wHMr4l0Yr7fFx3g78E=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MWHPR08MB3520.namprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(136003)(39860400002)(396003)(346002)(376002)(66476007)(66446008)(66556008)(64756008)(5660300002)(66574015)(66946007)(86362001)(71200400001)(107886003)(966005)(54906003)(8936002)(316002)(186003)(91956017)(76116006)(26005)(166002)(21615005)(2906002)(7696005)(4326008)(55016002)(8676002)(33656002)(6916009)(30864003)(52536014)(83380400001)(9686003)(6506007)(53546011)(478600001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: wArsMpjYmcppGqgEgJ1yun/MdNxtPkm7Ftb0V7qzGIJoEL7dIoiL7GuiGIvTLyhi0b3VYfjrPmOZ7o5o01yavkznepejOezVQsnJf9mnKDx6ANlSW+ERUhYRG8u4D720prxPC12fnxCHYVoF3Djziq3brQ8RkYbwSOKRToIx0LZrb3qbAJxRpMOAfPytin4NjbGi21dbiYurtJLfFZ9r/QmtneEgigpIJeYQRVjvwX+yl4TU+s07hAA/r+aAsEvYTei0wfWZsDFOUW7oQorwitgPw4sq/FLzTqiFBDYhhMoVsl/pllf4BpCUBQ1zohob0O8tmu1+nRGIDci4jZk+WMCVswSjkiAHs011HMkezvg4dU/8rPrgXCKK4X84lmBK7TtqSL0anVHdW7Ehrh6IlAm6K0gfhFL+8+yD+68pcR3veDmklhALbbpVCyNRZ1PVdEbo8dWdvTF7rFoKd0SfBglHfJGYfIxAnW+9PYPS5ROLETZBHBRr1uWVFDa910m5Vfa5nsfWgRNjKo7xVZ/EWlxIqB/YLI631OrOlH6sAS7b+BNRL3qe+wcUu/8fdhD0v91j+FnjRBUMnWLN9ZPHVULI/qYCGekkrhjlIKpGDrEz4E94I14zDwvoMLxeHfjLhEtSbfngLDBAwFYqwbSqwYOZt9mARQQgwm2k8muK8JbHFRCyPhgM9gNJBhVeRclYWF/Ouw3Ezb6eNYP62+/ul3V/SIv8tdngUWQEDppIyXOH/CSCropqNxUEKHJaC8X4nt9jaVncT1VzVcF/qId0o9hH0cbZAMf+c+8FbAyl6Jw7Qq8bvdrbdurc1p9OaP9uNZycBXZ0jfDsRE8PjhuA73b24MmyA55eebMaWWv9n40OpaKecYzjxtZ48c0o59+3qzWWiEnYj7zssVWmtK1Jz5+e2bGijVZ7keGY+OUwP/V6CMng6wnaBnanQrysrIDy6RoEc0sZcqW9tQ6YRhrQUYrIWRGsHGII1PzZlEVY9puAxNLlIbvS5I92601Lq/HkibMhecDU3j/g5XA7vFO8crRbnMYAo33qra+JFTc8FI29pWPJJytC8Wn0txlbWaz+CAaC3zrZHg4wGjhzWumIf9RpPyH9tvBr6mCmi5iqU3D35vRrUdR/p2PPTnWEqh2Mh/bB2/xiq83V1uUons5Ef76GxLsoaUsm689xdNHm/pdMfKMMs/L3PfHEUWgVtDgPcO9XjCNvyVjTjlcSuoJlkfkydCaRRUCM7MvIiOhYKtx1bJRFIavRXj0ZIlVjFyyDDsNfHfrdYpo2UQWlQRAIwugqo0j1xFpjPkmm9WbKLe09DsRRcuFk23PkNfq1CxHKe7tTxg8dsnY0QD7PModUqA==
Content-Type: multipart/alternative; boundary="_000_MWHPR08MB352077C58D1E7D9E558D04FFF7929MWHPR08MB3520namp_"
MIME-Version: 1.0
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MWHPR08MB3520.namprd08.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e16532c6-9310-4ea4-6808-08d8e2d8eae9
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Mar 2021 08:54:15.3424 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: MfRsRUgSTPr6E+lg9F8n06JoEv7ps4FfCbfRrw3nNtgh9/bbAfdJLoAzmL9LcobyKP4ICULhoiXc8/amlK/IMA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR08MB7176
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/jyK0WKh3UeDZBJfuG5B7DLyTUfs>
Subject: Re: [bess] Benjamin Kaduk's No Objection on draft-ietf-bess-evpn-proxy-arp-nd-11: (with COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Mar 2021 08:54:27 -0000

Thank you Ben. And sorry for the delay in replying.

Jorge

From: Benjamin Kaduk <kaduk@mit.edu>
Date: Tuesday, March 9, 2021 at 12:18 AM
To: Rabadan, Jorge (Nokia - US/Mountain View) <jorge.rabadan@nokia.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-bess-evpn-proxy-arp-nd@ietf.org <draft-ietf-bess-evpn-proxy-arp-nd@ietf.org>, bess-chairs@ietf.org <bess-chairs@ietf.org>, bess@ietf.org <bess@ietf.org>, Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com>
Subject: Re: Benjamin Kaduk's No Objection on draft-ietf-bess-evpn-proxy-arp-nd-11: (with COMMENT)
Hi Jorge,

Thanks for these -- your proposals all sound good.

With respect to your question about the "dummy MAC", I think I was
referring to the AS-MAC (but I'm not 100% sure).  I don't think there's
anything about that topic that is critical to cover in the security
considerations, so we should be okay with your editor's copy as-is.

Thanks again,

Ben

On Mon, Mar 08, 2021 at 07:50:09PM +0000, Rabadan, Jorge (Nokia - US/Mountain View) wrote:
> Hi Benjamin,
>
>
>
> Thanks for the thorough review.
>
> Please see my comments in-line with [jorge]. I’ll incorporate the changes in the next version.
>
>
>
> Thx
>
> Jorge
>
>
>
>
>
> -------------------------------------------------------------------------------------
>
> From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
>
> Date: Wednesday, January 20, 2021 at 7:51 AM
>
> To: The IESG <iesg@ietf.org>
>
> Cc: draft-ietf-bess-evpn-proxy-arp-nd@ietf.org <draft-ietf-bess-evpn-proxy-arp-nd@ietf.org>, bess-chairs@ietf.org <bess-chairs@ietf.org>, bess@ietf.org <bess@ietf.org>, Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com>, Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com>
>
> Subject: Benjamin Kaduk's No Objection on draft-ietf-bess-evpn-proxy-arp-nd-11: (with COMMENT)
>
> Benjamin Kaduk has entered the following ballot position for
>
> draft-ietf-bess-evpn-proxy-arp-nd-11: No Objection
>
>
>
> When responding, please keep the subject line intact and reply to all
>
> email addresses included in the To and CC lines. (Feel free to cut this
>
> introductory paragraph, however.)
>
>
>
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>
> for more information about IESG DISCUSS and COMMENT positions.
>
>
>
>
>
> The document, along with other ballot positions, can be found here:
>
> https://datatracker.ietf.org/doc/draft-ietf-bess-evpn-proxy-arp-nd/
>
>
>
>
>
>
>
> ----------------------------------------------------------------------
>
> COMMENT:
>
> ----------------------------------------------------------------------
>
>
>
> Thanks for this clear and well-written document; the effort that went
>
> into presenting the information really comes through.  I basically just
>
> have editorial nits as comments, with a few substantive notes on the
>
> security considerations section.
>
> [jorge] thanks!
>
>
>
> For most of the document I was convinced that I understood this point,
>
> but then Section 5.5 led me to question myself: in the "static
>
> provisioning" learning mode, is the IP->MAC mapping configured only at
>
> the PE that the CE using those addresses will attach to, or at all PEs
>
> in the BD?  I can follow up out-of-band with some editorial suggestions
>
> either way.
>
> [jorge] I added this in section 3.1 to clarify, let me know if you prefer different wording:
>
> “Static entries are provisioned from the management plane. A static entry is configured on the PE attached to the host using the IP address in that entry”
>
>
>
> Abstract (and Introduction)
>
>
>
>    This document describes the EVPN Proxy-ARP/ND function, augmented by
>
>    the capability of the ARP/ND Extended Community
>
>    [I-D.ietf-bess-evpn-na-flags].  From that perspective this document
>
>    updates [RFC7432].  [...]
>
>
>
> nit: this paragraph doesn't do very much to tell me what the nature of
>
> the update is.  If it's just to clarify how all the pieces fit together
>
> we might add a clause at the end ", to provide more comprehensive
>
> documentation of the operation of the system as a whole" or similar.
>
> (Some parts of it might also have worked as an RFC 2026 Applicability
>
> Statement, but it is probably not worth the trouble of trying to rework
>
> things at this stage, especially since what we have is already nicely
>
> laid out.)
>
> [jorge] ok, I added:
>
> “From that perspective this document updates RFC7432 to provide more comprehensive documentation of the operation of the Proxy-ARP/ND function”
>
>
>
>
>
> Section 3
>
>
>
> There's a lot of information packed into the Figure, and the surrounding
>
> text does a great job describing it.  Thank you!
>
>
>
>    The Proxy-ARP/ND function can be structured in six sub-functions or
>
>    procedures:
>
>
>
> (editorial) the text from here to the end of the section feels distinct
>
> from the explanation of the figure; it might benefit from getting
>
> promoted into a (sub)section of its own.
>
> [jorge] done! Thanks.
>
>
>
>
>
> Section 3.1
>
>
>
>    An entry MAY associate a configured static IP to a list of potential
>
>    MACs, i.e. IP1->(MAC1,MAC2..MACN).  When there is more than one MAC
>
>    in the list of allowed MACs, the PE will not advertise any IP->MAC in
>
>    EVPN until a local ARP/NA message or any other frame is received from
>
>    the CE.  [...]
>
>
>
> (nit) would it be better to phrase this as "until a frame (including
>
> local ARP/NA message) is received from the CE"?  That seems to emphasize
>
> that any traffic will do, even if we expect that traffic to be ARP/NA.
>
> [jorge] done.
>
>
>
>
>
>
>
>
>
> Section 3.1.1
>
>
>
>    o  Hosts build a Default Router List based on the received RAs and
>
>       NAs with R Flag=1.  Each cache entry has an IsRouter flag, which
>
>       must be set based on the R Flag in the received NAs.  A host can
>
>
>
> nit: maybe "must be set for received RAs and is set based on the R flag
>
> [...]"
>
> [jorge] added: “Each cache entry has an IsRouter flag, which must be set for received RAs and is set based on the R flag in the received NAs”
>
>
>
> Section 3.6
>
>
>
>    The distributed nature of EVPN and Proxy-ARP/ND allows the easy
>
>    detection of duplicated IPs in the network, in a similar way to the
>
>    MAC duplication function supported by [RFC7432] for MAC addresses.
>
>
>
> nit: is this "MAC duplication detection function"?
>
> [jorge] yes, added “detection”
>
>
>
>        IP1->MAC2 in the Proxy-ARP/ND table.  Static IP->MAC entries,
>
>        that is, locally provisioned or EVPN-learned entries (with I=1 in
>
>        the ARP/ND Extended Community), are not subject to this
>
>        procedure.  [...]
>
>
>
> nit: I think the sentence is better without the parentheses, since the
>
> presence of I=1 is critical for correct functioning and not intrinsic to
>
> the entries being EVPN-learned.
>
> [jorge] good point, removed.
>
>
>
>
>
>        1.  The entry in duplicate detected state cannot be updated with
>
>            new dynamic or EVPN-learned entries for the same IP.  The
>
>            operator MAY override the entry though with a static IP->MAC.
>
>
>
> nit: commas before and after "though".
>
> [jorge] added
>
>
>
>        2.  The PE SHOULD alert the operator and stop responding ARP/NS
>
>            for the duplicate IP until a corrective action is taken.
>
>
>
> nit: "stop responding to".
>
> [jorge] fixed
>
>
>
>            for IP1.  Since the AS-MAC is a managed MAC address known by
>
>            all the PEs in the EVI, all the PEs MAY apply filters to drop
>
>
>
> nit: this seems to be the first time that we talk about the AS-MAC being
>
> a managed address and being known to all PEs in the EVI; it might be
>
> worth rewording in light of that or mentioning that in the definition of
>
> AS-MAC.
>
> [jorge] added this in the definition: “AS-MAC: Anti-spoofing MAC. It is a especial MAC configured on all the PEs attached to the same BD and used for the Duplicate IP Detection procedures.”
>
>
>
> Section 5.2
>
>
>
>    This scenario minimizes flooding while enabling dynamic learning of
>
>    IP->MAC entries.  The Proxy-ARP/ND function is enabled in the BDs of
>
>    the EVPN PEs, so that the PEs intercept and respond to CE requests.
>
>
>
> nit: from context it seems like the "dynamic learning" here refers to
>
> the EVPN-learned entries, but in §3.1 we reserved the term "dynamic" for
>
> entries learned by local snooping.  Since the next paragraph talks about
>
> snooping as an optional addition, we run into semi-conflicting usage of
>
> the term "dynamic".  I would suggest (assuming the above is correct)
>
> rewording this to "while enabling learning of IP->MAC entries over the
>
> EVPN" or similar.
>
> [jorge] you are right that 5.2 is confusing. I changed it to:
>
> “This scenario minimizes flooding while enabling dynamic learning of IP->MAC entries. The Proxy-ARP/ND function is enabled in the BDs of the EVPN PEs, so that the PEs snoop ARP/ND messages issued by the CEs and respond to CE ARP-requests/NS messages.
>
> PEs will flood requests if the entry is not in their Proxy table. Any unknown source MAC->IP entries will be learned and advertised in EVPN, and traffic to unknown entries is discarded at the ingress PE.”
>
>
>
>
>
>
>
> Section 5.5
>
>
>
>                          These rules are often called port security.
>
>    Port security summarizes different operational steps that limit the
>
>    access to the IXP-LAN, to the customer router and controls the kind
>
>    of traffic that the routers are allowed to exchange (e.g., Ethernet,
>
>
>
> nit: this list lacks parallel structure; going with "limit the access to
>
> the IXP-LAN and the customer router, and controls the kind of traffic"
>
> would be okay.
>
> [jorge] done.
>
>
>
>
>
> Section 6
>
>
>
> I think it would be useful to reiterate that the security considerations
>
> of RFC 7432 and draft-ietf-bess-evpn-na-flags continue to apply (in
>
> addition to the useful text that is already present here).  I guess ARP
>
> and IPv6 ND are arguably also applicable (AFAICT the security properties
>
> of the proxied scheme are very similar to those of native usage, in an
>
> environment that already has to trust the PEs and provider network that
>
> supply the EVPN to the same extent that one would otherwise trust an IP
>
> router).
>
> [jorge] agreed. Added.
>
>
>
>
>
> It would also be my personal preference (though I do not insist upon it)
>
> to note that EVPN does not inherently provide cryptographic protection
>
> (including confidentiality protection) despite the word "private"
>
> appearing in the name.  (This is really a topic that should be addressed
>
> via a long-term IETF-wide shift towards just "virtual network" instead
>
> of "virtual private network", but I try to mention it when I can so as
>
> to socialize the idea.)
>
> [jorge] that sounds good to me. Added: “Note that EVPN does not inherently provide cryptographic protection (including confidentiality protection).”
>
>
>
>
>
> I appreciate the discussion (earlier in the document) of the use of
>
> dummy MACs to suppress unknown ARP-Request/NS flooding, added in
>
> response to the opsdir review.  Is it worth calling out the
>
> security/availability considerations of that technique from this
>
> section?  ("No" is a perfectly fine answer.)
>
> [jorge] not sure what you mean by the use of “dummy MACs”?
>
>
>
> Is it too banal to repeat that configuring the unicast-forwarding and/or
>
> flooding sub-functions to be disabled risks blocking service for a CE if
>
> the static configuration is broken?
>
> [jorge] sure, I added: “While the unicast-forward and/or flooding suppression sub-functions provide an added security mechanism for the BD, they can also increase the risk of blocking the service for a CE if the EVPN PEs cannot provide the ARP/ND resolution that the CE needs.”
>
>
>
>    The solution also provides protection against Denial Of Service
>
>    attacks that use ARP/ND-spoofing as a first step.  [...]
>
>
>
> Are these DoS attacks described anywhere that we might reference for
>
> further reading?  ("No" is a perfectly fine answer.)
>
> [jorge] It’s a generic statement, I fail to know what references to provide. If you have suggestions I’d be glad to add them.
>
>
>
>
>
>    When EVPN and its associated Proxy-ARP/ND function are used in IXP
>
>    networks, they provide ARP/ND security and mitigation.  IXPs MUST
>
>
>
> If I understand correctly, this security/mitigation is provided in the
>
> face of malicious CE devices, but the system still requires that PEs are
>
> trusted and does not provide cryptographic or independently verifiable
>
> assurances of correct IP->MAC bindings.  I would suggest being explicit
>
> about the threat that is being protected against, since by itself
>
> the term "security" is so vague so as to become almost meaningless.
>
> [jorge] sure, I added: “When EVPN and its associated Proxy-ARP/ND function are used in IXP networks, they provide ARP/ND security and mitigation against attacks from malicious CEs”
>
>
>
>    For example, IXPs should disable all unneeded control protocols, and
>
>    block unwanted protocols from CEs so that only IPv4, ARP and IPv6
>
>
>
> I suggest the parenthetical "so that (for example) only"; we do not
>
> really have much reason to preclude other ethertypes if desired by the
>
> IXP.
>
> [jorge] added.
>
>
>
>

v2.23.0 | Report a Bug | By Email