Re: [bess] Benjamin Kaduk's No Objection on draft-ietf-bess-evpn-proxy-arp-nd-11: (with COMMENT)
"Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com> Tue, 09 March 2021 08:54 UTC
Return-Path: <jorge.rabadan@nokia.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E7183A17D2; Tue, 9 Mar 2021 00:54:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.148
X-Spam-Level:
X-Spam-Status: No, score=-2.148 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.248, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nokia.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ejnDy7FBRM6Q; Tue, 9 Mar 2021 00:54:23 -0800 (PST)
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10on2101.outbound.protection.outlook.com [40.107.92.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 143253A17D3; Tue, 9 Mar 2021 00:54:22 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SMTT/Muhp8VYEUgQmNBkRv9RMKMA0JBHcr5p/7PD2DHCJhLJc2pXA4qV+8cIERPTBbNUOQkIMKG0cRRNlFL5UZ2lasYZeovRGbRqJPsJ91c2nZIG9kEC8DJJrFT/hVcfx/nF+ZnJl3WXLWVuaCb7NDGjUtx3cNhngfCZqBzYnik0PMQM0zCIaVWOQVXSSeWMSG9SWUWZ0dRjtzLTZqIkuH3jJoV79QbsZFI3WCjYyb21dD+n80MG+QUQHK7oAGH3kJYWYeOQgS5ztdXv8asb+aWTYJgNMeq7aABEsdtvxmakRfz7uBTVnQ7N21KJR4bD8Z/3NTz3c1rHrSM+08mWqg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DD95UusMcZXhXd1a2xEmKuMjO2w4SOdf4ZIMS7xMPU4=; b=G/xI+I6cY1AIC+QRyV8YUCSQjEpTc8MqsiVHgnby852MUbfrS6KGREkkILgJtN6b9sjPAoa367Z7tzm8PVx0rN2Jo7GOTR8CX3jfD84sZkz6VaxPwZFydFsuzka+kKwLy3Ujt/KXc5UD2L3h00UsBSU5W2Pd4Rp/aV6yPH79PgJsv1DX+ur7AxuXZg4xqzTC2Bkff6vQKE83Q10EcKlpGU/K3bD6oCJpaHJCyPhvXLtznOrXH3LW+MYECojKnvpGzCFNyV4Ti5Oj8LhRtFVd/BnIgeylgS1ruSBcpB9Sug04jtXguqG0bVD/fSoflONc5lqMJ1OZAyfL9SxLJXWwXQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nokia.com; dmarc=pass action=none header.from=nokia.com; dkim=pass header.d=nokia.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.onmicrosoft.com; s=selector1-nokia-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DD95UusMcZXhXd1a2xEmKuMjO2w4SOdf4ZIMS7xMPU4=; b=x6jfmlqaAOvuLq4u3LpKi3jQOgyWsT/xcgY9G3nStvm8ty03MXKTCScHqbEdOsnnPaL6xrtEi6BOH/Y5Y2fJtk4zwgvvPR4f1QSm6k4aKgWerUWxKmgrJOx6H4Vu+5VsnL01BFCZLVaxSXBDKADF3yCJGRv1H2786tVQoV8TdTU=
Received: from MWHPR08MB3520.namprd08.prod.outlook.com (2603:10b6:301:61::15) by CO1PR08MB7176.namprd08.prod.outlook.com (2603:10b6:303:d8::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3912.17; Tue, 9 Mar 2021 08:54:15 +0000
Received: from MWHPR08MB3520.namprd08.prod.outlook.com ([fe80::3df6:7840:7369:73a6]) by MWHPR08MB3520.namprd08.prod.outlook.com ([fe80::3df6:7840:7369:73a6%6]) with mapi id 15.20.3912.027; Tue, 9 Mar 2021 08:54:15 +0000
From: "Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: The IESG <iesg@ietf.org>, "draft-ietf-bess-evpn-proxy-arp-nd@ietf.org" <draft-ietf-bess-evpn-proxy-arp-nd@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "bess@ietf.org" <bess@ietf.org>, "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>
Thread-Topic: Benjamin Kaduk's No Objection on draft-ietf-bess-evpn-proxy-arp-nd-11: (with COMMENT)
Thread-Index: AQHW7viwqstDbgs750yiHvjCrwCKYKp6r5x5gABVIICAAKCuMg==
Date: Tue, 09 Mar 2021 08:54:15 +0000
Message-ID: <MWHPR08MB352077C58D1E7D9E558D04FFF7929@MWHPR08MB3520.namprd08.prod.outlook.com>
References: <161112548105.6186.14010899890751165417@ietfa.amsl.com> <MWHPR08MB35200D0B92E02A744F1AB683F7939@MWHPR08MB3520.namprd08.prod.outlook.com>, <20210308231825.GO56617@kduck.mit.edu>
In-Reply-To: <20210308231825.GO56617@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: mit.edu; dkim=none (message not signed) header.d=none;mit.edu; dmarc=none action=none header.from=nokia.com;
x-originating-ip: [135.245.20.5]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: e16532c6-9310-4ea4-6808-08d8e2d8eae9
x-ms-traffictypediagnostic: CO1PR08MB7176:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <CO1PR08MB71761F8612F8CDA70DC3B71AF7929@CO1PR08MB7176.namprd08.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: oDGwfWF4CmsQShH41GB0csHuQ14gdC6S6+FbUrtH6f19VFMIgo8svCb20HKYBz74YU/ii41o6gY7G0f5ztXsZiXDWT0d0pFIamRfd6XGpsegxQNAGcXoCWcZjXPIzsWoALD+RxJd7MUMA/UrbyIznpJj5TMTza1O7BYTrFw8VMpYQSpV266pskvx1pONOpn//TbfksTLmZ+ipICf9SMSFV4YQIJ/4zUVFkDlxbAq85xinyCRqdGNnMY7dqqOKqh7drHScoj7hkh9tZRy4cvFQrRha/RAJyIVsG0x+nWoRm3Cns2BAo9/c2ADn5ablasNBj23U1Tq7fkuAH7okKgTBQaNir/l4KjQqGRlQhuE92QE/Nzl3mOSPVUJVeYUsbvnUY0a6V04W4IU49YFYvkuTaK2z6q+Li2yVcBjOk3/p0LKE8iwQ5fEAZn46DH+htQG7RUMA6jOOrFOIOAAK+CZ/qV73jbVBAXvmWOeutvnvHU5mYMWA+TjizHW/ZZP1mFdiEmLLx8LwvwaTLqS4f98j9oLHSlbLuvUktybL7qa2KuhHhGLAX/KjlfxqKq2LSnDmZpyceF48GZCyZAnS/2ZOOQF3wHMr4l0Yr7fFx3g78E=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MWHPR08MB3520.namprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(136003)(39860400002)(396003)(346002)(376002)(66476007)(66446008)(66556008)(64756008)(5660300002)(66574015)(66946007)(86362001)(71200400001)(107886003)(966005)(54906003)(8936002)(316002)(186003)(91956017)(76116006)(26005)(166002)(21615005)(2906002)(7696005)(4326008)(55016002)(8676002)(33656002)(6916009)(30864003)(52536014)(83380400001)(9686003)(6506007)(53546011)(478600001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: wArsMpjYmcppGqgEgJ1yun/MdNxtPkm7Ftb0V7qzGIJoEL7dIoiL7GuiGIvTLyhi0b3VYfjrPmOZ7o5o01yavkznepejOezVQsnJf9mnKDx6ANlSW+ERUhYRG8u4D720prxPC12fnxCHYVoF3Djziq3brQ8RkYbwSOKRToIx0LZrb3qbAJxRpMOAfPytin4NjbGi21dbiYurtJLfFZ9r/QmtneEgigpIJeYQRVjvwX+yl4TU+s07hAA/r+aAsEvYTei0wfWZsDFOUW7oQorwitgPw4sq/FLzTqiFBDYhhMoVsl/pllf4BpCUBQ1zohob0O8tmu1+nRGIDci4jZk+WMCVswSjkiAHs011HMkezvg4dU/8rPrgXCKK4X84lmBK7TtqSL0anVHdW7Ehrh6IlAm6K0gfhFL+8+yD+68pcR3veDmklhALbbpVCyNRZ1PVdEbo8dWdvTF7rFoKd0SfBglHfJGYfIxAnW+9PYPS5ROLETZBHBRr1uWVFDa910m5Vfa5nsfWgRNjKo7xVZ/EWlxIqB/YLI631OrOlH6sAS7b+BNRL3qe+wcUu/8fdhD0v91j+FnjRBUMnWLN9ZPHVULI/qYCGekkrhjlIKpGDrEz4E94I14zDwvoMLxeHfjLhEtSbfngLDBAwFYqwbSqwYOZt9mARQQgwm2k8muK8JbHFRCyPhgM9gNJBhVeRclYWF/Ouw3Ezb6eNYP62+/ul3V/SIv8tdngUWQEDppIyXOH/CSCropqNxUEKHJaC8X4nt9jaVncT1VzVcF/qId0o9hH0cbZAMf+c+8FbAyl6Jw7Qq8bvdrbdurc1p9OaP9uNZycBXZ0jfDsRE8PjhuA73b24MmyA55eebMaWWv9n40OpaKecYzjxtZ48c0o59+3qzWWiEnYj7zssVWmtK1Jz5+e2bGijVZ7keGY+OUwP/V6CMng6wnaBnanQrysrIDy6RoEc0sZcqW9tQ6YRhrQUYrIWRGsHGII1PzZlEVY9puAxNLlIbvS5I92601Lq/HkibMhecDU3j/g5XA7vFO8crRbnMYAo33qra+JFTc8FI29pWPJJytC8Wn0txlbWaz+CAaC3zrZHg4wGjhzWumIf9RpPyH9tvBr6mCmi5iqU3D35vRrUdR/p2PPTnWEqh2Mh/bB2/xiq83V1uUons5Ef76GxLsoaUsm689xdNHm/pdMfKMMs/L3PfHEUWgVtDgPcO9XjCNvyVjTjlcSuoJlkfkydCaRRUCM7MvIiOhYKtx1bJRFIavRXj0ZIlVjFyyDDsNfHfrdYpo2UQWlQRAIwugqo0j1xFpjPkmm9WbKLe09DsRRcuFk23PkNfq1CxHKe7tTxg8dsnY0QD7PModUqA==
Content-Type: multipart/alternative; boundary="_000_MWHPR08MB352077C58D1E7D9E558D04FFF7929MWHPR08MB3520namp_"
MIME-Version: 1.0
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MWHPR08MB3520.namprd08.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e16532c6-9310-4ea4-6808-08d8e2d8eae9
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Mar 2021 08:54:15.3424 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: MfRsRUgSTPr6E+lg9F8n06JoEv7ps4FfCbfRrw3nNtgh9/bbAfdJLoAzmL9LcobyKP4ICULhoiXc8/amlK/IMA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR08MB7176
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/jyK0WKh3UeDZBJfuG5B7DLyTUfs>
Subject: Re: [bess] Benjamin Kaduk's No Objection on draft-ietf-bess-evpn-proxy-arp-nd-11: (with COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Mar 2021 08:54:27 -0000
Thank you Ben. And sorry for the delay in replying. Jorge From: Benjamin Kaduk <kaduk@mit.edu> Date: Tuesday, March 9, 2021 at 12:18 AM To: Rabadan, Jorge (Nokia - US/Mountain View) <jorge.rabadan@nokia.com> Cc: The IESG <iesg@ietf.org>, draft-ietf-bess-evpn-proxy-arp-nd@ietf.org <draft-ietf-bess-evpn-proxy-arp-nd@ietf.org>, bess-chairs@ietf.org <bess-chairs@ietf.org>, bess@ietf.org <bess@ietf.org>, Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com> Subject: Re: Benjamin Kaduk's No Objection on draft-ietf-bess-evpn-proxy-arp-nd-11: (with COMMENT) Hi Jorge, Thanks for these -- your proposals all sound good. With respect to your question about the "dummy MAC", I think I was referring to the AS-MAC (but I'm not 100% sure). I don't think there's anything about that topic that is critical to cover in the security considerations, so we should be okay with your editor's copy as-is. Thanks again, Ben On Mon, Mar 08, 2021 at 07:50:09PM +0000, Rabadan, Jorge (Nokia - US/Mountain View) wrote: > Hi Benjamin, > > > > Thanks for the thorough review. > > Please see my comments in-line with [jorge]. I’ll incorporate the changes in the next version. > > > > Thx > > Jorge > > > > > > ------------------------------------------------------------------------------------- > > From: Benjamin Kaduk via Datatracker <noreply@ietf.org> > > Date: Wednesday, January 20, 2021 at 7:51 AM > > To: The IESG <iesg@ietf.org> > > Cc: draft-ietf-bess-evpn-proxy-arp-nd@ietf.org <draft-ietf-bess-evpn-proxy-arp-nd@ietf.org>, bess-chairs@ietf.org <bess-chairs@ietf.org>, bess@ietf.org <bess@ietf.org>, Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com>, Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com> > > Subject: Benjamin Kaduk's No Objection on draft-ietf-bess-evpn-proxy-arp-nd-11: (with COMMENT) > > Benjamin Kaduk has entered the following ballot position for > > draft-ietf-bess-evpn-proxy-arp-nd-11: No Objection > > > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut this > > introductory paragraph, however.) > > > > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-bess-evpn-proxy-arp-nd/ > > > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > Thanks for this clear and well-written document; the effort that went > > into presenting the information really comes through. I basically just > > have editorial nits as comments, with a few substantive notes on the > > security considerations section. > > [jorge] thanks! > > > > For most of the document I was convinced that I understood this point, > > but then Section 5.5 led me to question myself: in the "static > > provisioning" learning mode, is the IP->MAC mapping configured only at > > the PE that the CE using those addresses will attach to, or at all PEs > > in the BD? I can follow up out-of-band with some editorial suggestions > > either way. > > [jorge] I added this in section 3.1 to clarify, let me know if you prefer different wording: > > “Static entries are provisioned from the management plane. A static entry is configured on the PE attached to the host using the IP address in that entry” > > > > Abstract (and Introduction) > > > > This document describes the EVPN Proxy-ARP/ND function, augmented by > > the capability of the ARP/ND Extended Community > > [I-D.ietf-bess-evpn-na-flags]. From that perspective this document > > updates [RFC7432]. [...] > > > > nit: this paragraph doesn't do very much to tell me what the nature of > > the update is. If it's just to clarify how all the pieces fit together > > we might add a clause at the end ", to provide more comprehensive > > documentation of the operation of the system as a whole" or similar. > > (Some parts of it might also have worked as an RFC 2026 Applicability > > Statement, but it is probably not worth the trouble of trying to rework > > things at this stage, especially since what we have is already nicely > > laid out.) > > [jorge] ok, I added: > > “From that perspective this document updates RFC7432 to provide more comprehensive documentation of the operation of the Proxy-ARP/ND function” > > > > > > Section 3 > > > > There's a lot of information packed into the Figure, and the surrounding > > text does a great job describing it. Thank you! > > > > The Proxy-ARP/ND function can be structured in six sub-functions or > > procedures: > > > > (editorial) the text from here to the end of the section feels distinct > > from the explanation of the figure; it might benefit from getting > > promoted into a (sub)section of its own. > > [jorge] done! Thanks. > > > > > > Section 3.1 > > > > An entry MAY associate a configured static IP to a list of potential > > MACs, i.e. IP1->(MAC1,MAC2..MACN). When there is more than one MAC > > in the list of allowed MACs, the PE will not advertise any IP->MAC in > > EVPN until a local ARP/NA message or any other frame is received from > > the CE. [...] > > > > (nit) would it be better to phrase this as "until a frame (including > > local ARP/NA message) is received from the CE"? That seems to emphasize > > that any traffic will do, even if we expect that traffic to be ARP/NA. > > [jorge] done. > > > > > > > > > > Section 3.1.1 > > > > o Hosts build a Default Router List based on the received RAs and > > NAs with R Flag=1. Each cache entry has an IsRouter flag, which > > must be set based on the R Flag in the received NAs. A host can > > > > nit: maybe "must be set for received RAs and is set based on the R flag > > [...]" > > [jorge] added: “Each cache entry has an IsRouter flag, which must be set for received RAs and is set based on the R flag in the received NAs” > > > > Section 3.6 > > > > The distributed nature of EVPN and Proxy-ARP/ND allows the easy > > detection of duplicated IPs in the network, in a similar way to the > > MAC duplication function supported by [RFC7432] for MAC addresses. > > > > nit: is this "MAC duplication detection function"? > > [jorge] yes, added “detection” > > > > IP1->MAC2 in the Proxy-ARP/ND table. Static IP->MAC entries, > > that is, locally provisioned or EVPN-learned entries (with I=1 in > > the ARP/ND Extended Community), are not subject to this > > procedure. [...] > > > > nit: I think the sentence is better without the parentheses, since the > > presence of I=1 is critical for correct functioning and not intrinsic to > > the entries being EVPN-learned. > > [jorge] good point, removed. > > > > > > 1. The entry in duplicate detected state cannot be updated with > > new dynamic or EVPN-learned entries for the same IP. The > > operator MAY override the entry though with a static IP->MAC. > > > > nit: commas before and after "though". > > [jorge] added > > > > 2. The PE SHOULD alert the operator and stop responding ARP/NS > > for the duplicate IP until a corrective action is taken. > > > > nit: "stop responding to". > > [jorge] fixed > > > > for IP1. Since the AS-MAC is a managed MAC address known by > > all the PEs in the EVI, all the PEs MAY apply filters to drop > > > > nit: this seems to be the first time that we talk about the AS-MAC being > > a managed address and being known to all PEs in the EVI; it might be > > worth rewording in light of that or mentioning that in the definition of > > AS-MAC. > > [jorge] added this in the definition: “AS-MAC: Anti-spoofing MAC. It is a especial MAC configured on all the PEs attached to the same BD and used for the Duplicate IP Detection procedures.” > > > > Section 5.2 > > > > This scenario minimizes flooding while enabling dynamic learning of > > IP->MAC entries. The Proxy-ARP/ND function is enabled in the BDs of > > the EVPN PEs, so that the PEs intercept and respond to CE requests. > > > > nit: from context it seems like the "dynamic learning" here refers to > > the EVPN-learned entries, but in §3.1 we reserved the term "dynamic" for > > entries learned by local snooping. Since the next paragraph talks about > > snooping as an optional addition, we run into semi-conflicting usage of > > the term "dynamic". I would suggest (assuming the above is correct) > > rewording this to "while enabling learning of IP->MAC entries over the > > EVPN" or similar. > > [jorge] you are right that 5.2 is confusing. I changed it to: > > “This scenario minimizes flooding while enabling dynamic learning of IP->MAC entries. The Proxy-ARP/ND function is enabled in the BDs of the EVPN PEs, so that the PEs snoop ARP/ND messages issued by the CEs and respond to CE ARP-requests/NS messages. > > PEs will flood requests if the entry is not in their Proxy table. Any unknown source MAC->IP entries will be learned and advertised in EVPN, and traffic to unknown entries is discarded at the ingress PE.” > > > > > > > > Section 5.5 > > > > These rules are often called port security. > > Port security summarizes different operational steps that limit the > > access to the IXP-LAN, to the customer router and controls the kind > > of traffic that the routers are allowed to exchange (e.g., Ethernet, > > > > nit: this list lacks parallel structure; going with "limit the access to > > the IXP-LAN and the customer router, and controls the kind of traffic" > > would be okay. > > [jorge] done. > > > > > > Section 6 > > > > I think it would be useful to reiterate that the security considerations > > of RFC 7432 and draft-ietf-bess-evpn-na-flags continue to apply (in > > addition to the useful text that is already present here). I guess ARP > > and IPv6 ND are arguably also applicable (AFAICT the security properties > > of the proxied scheme are very similar to those of native usage, in an > > environment that already has to trust the PEs and provider network that > > supply the EVPN to the same extent that one would otherwise trust an IP > > router). > > [jorge] agreed. Added. > > > > > > It would also be my personal preference (though I do not insist upon it) > > to note that EVPN does not inherently provide cryptographic protection > > (including confidentiality protection) despite the word "private" > > appearing in the name. (This is really a topic that should be addressed > > via a long-term IETF-wide shift towards just "virtual network" instead > > of "virtual private network", but I try to mention it when I can so as > > to socialize the idea.) > > [jorge] that sounds good to me. Added: “Note that EVPN does not inherently provide cryptographic protection (including confidentiality protection).” > > > > > > I appreciate the discussion (earlier in the document) of the use of > > dummy MACs to suppress unknown ARP-Request/NS flooding, added in > > response to the opsdir review. Is it worth calling out the > > security/availability considerations of that technique from this > > section? ("No" is a perfectly fine answer.) > > [jorge] not sure what you mean by the use of “dummy MACs”? > > > > Is it too banal to repeat that configuring the unicast-forwarding and/or > > flooding sub-functions to be disabled risks blocking service for a CE if > > the static configuration is broken? > > [jorge] sure, I added: “While the unicast-forward and/or flooding suppression sub-functions provide an added security mechanism for the BD, they can also increase the risk of blocking the service for a CE if the EVPN PEs cannot provide the ARP/ND resolution that the CE needs.” > > > > The solution also provides protection against Denial Of Service > > attacks that use ARP/ND-spoofing as a first step. [...] > > > > Are these DoS attacks described anywhere that we might reference for > > further reading? ("No" is a perfectly fine answer.) > > [jorge] It’s a generic statement, I fail to know what references to provide. If you have suggestions I’d be glad to add them. > > > > > > When EVPN and its associated Proxy-ARP/ND function are used in IXP > > networks, they provide ARP/ND security and mitigation. IXPs MUST > > > > If I understand correctly, this security/mitigation is provided in the > > face of malicious CE devices, but the system still requires that PEs are > > trusted and does not provide cryptographic or independently verifiable > > assurances of correct IP->MAC bindings. I would suggest being explicit > > about the threat that is being protected against, since by itself > > the term "security" is so vague so as to become almost meaningless. > > [jorge] sure, I added: “When EVPN and its associated Proxy-ARP/ND function are used in IXP networks, they provide ARP/ND security and mitigation against attacks from malicious CEs” > > > > For example, IXPs should disable all unneeded control protocols, and > > block unwanted protocols from CEs so that only IPv4, ARP and IPv6 > > > > I suggest the parenthetical "so that (for example) only"; we do not > > really have much reason to preclude other ethertypes if desired by the > > IXP. > > [jorge] added. > > > >
- [bess] Benjamin Kaduk's No Objection on draft-iet… Benjamin Kaduk via Datatracker
- Re: [bess] Benjamin Kaduk's No Objection on draft… Rabadan, Jorge (Nokia - US/Mountain View)
- Re: [bess] Benjamin Kaduk's No Objection on draft… Benjamin Kaduk
- Re: [bess] Benjamin Kaduk's No Objection on draft… Rabadan, Jorge (Nokia - US/Mountain View)