Re: [bess] Warren Kumari's Discuss on draft-ietf-bess-evpn-na-flags-06: (with DISCUSS and COMMENT)

"Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com> Mon, 12 October 2020 14:50 UTC

From: "Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com>
To: Warren Kumari <warren@kumari.net>
CC: The IESG <iesg@ietf.org>, "draft-ietf-bess-evpn-na-flags@ietf.org" <draft-ietf-bess-evpn-na-flags@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "bess@ietf.org" <bess@ietf.org>, "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>
Date: Mon, 12 Oct 2020 14:49:56 +0000
Message-ID: <MWHPR08MB3520C39957B7D73AA26063D8F7070@MWHPR08MB3520.namprd08.prod.outlook.com>
References: <160087782618.20573.10957225151400609589@ietfa.amsl.com> <MWHPR08MB3520795536E9CD46EE53DA4AF7080@MWHPR08MB3520.namprd08.prod.outlook.com> <CAHw9_iLbn4QA5AoEXYidSY-E=wCLi4UzqN3xRZENCYM0d77mbQ@mail.gmail.com> <MWHPR08MB3520D59ABC0D4074A59E4100F7070@MWHPR08MB3520.namprd08.prod.outlook.com>, <CAHw9_i+O8D1V56oSBvQM-EC7VaeZDPyu3vo=DyYqGVBR-Vb-YQ@mail.gmail.com>
In-Reply-To: <CAHw9_i+O8D1V56oSBvQM-EC7VaeZDPyu3vo=DyYqGVBR-Vb-YQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/UGmg_zObI0SZyfUtvppflwPiKkU>
Subject: Re: [bess] Warren Kumari's Discuss on draft-ietf-bess-evpn-na-flags-06: (with DISCUSS and COMMENT)

Thank you Warren!
Jorge

From: Warren Kumari <warren@kumari.net>
Date: Monday, October 12, 2020 at 4:38 PM
To: Rabadan, Jorge (Nokia - US/Mountain View) <jorge.rabadan@nokia.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-bess-evpn-na-flags@ietf.org <draft-ietf-bess-evpn-na-flags@ietf.org>, bess-chairs@ietf.org <bess-chairs@ietf.org>, bess@ietf.org <bess@ietf.org>, Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com>
Subject: Re: Warren Kumari's Discuss on draft-ietf-bess-evpn-na-flags-06: (with DISCUSS and COMMENT)
Hi there,

Just a quick note to say thank you for addressing my concerns; I
appreciate your adding text even though the concern isn't (strictly)
within this document.

I've just cleared my DISCUSS.

W

On Mon, Oct 12, 2020 at 5:10 AM Rabadan, Jorge (Nokia - US/Mountain
View) <jorge.rabadan@nokia.com> wrote:
>
> Hi Warren,
>
> OK, thanks for explaining.
>
> Added the following text in rev 08. Let me know if it satisfies your concern. I understand it is a general concern about proxy-arp/nd in EVPN networks and not about this specific document.
>
>    The same security considerations described in [RFC7432] apply to this
>    document.  In general, it is worth noting that the use of Proxy ARP/
>    ND in EVPN BDs may add some security risks.  Attackers can make use
>    of ARP/ND messages to create state in all the PEs attached to the
>    same BD as the attacker and exhaust resources in those PEs.
>    Therefore, additional security mechanisms may be needed.  Some
>    examples of such additional security mechanisms are e.g., limit the
>    number of Proxy ARP/ND entries per-BD/per-port, or monitor closely
>    the rate at which hosts create dynamic Proxy-ARP/ND entries.
>
> Thank you!
>
> Jorge
>
> From: Warren Kumari <warren@kumari.net>
> Date: Sunday, October 11, 2020 at 3:39 PM
> To: Rabadan, Jorge (Nokia - US/Mountain View) <jorge.rabadan@nokia.com>
> Cc: The IESG <iesg@ietf.org>, draft-ietf-bess-evpn-na-flags@ietf.org <draft-ietf-bess-evpn-na-flags@ietf.org>, bess-chairs@ietf.org <bess-chairs@ietf.org>, bess@ietf.org <bess@ietf.org>, Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com>
> Subject: Re: Warren Kumari's Discuss on draft-ietf-bess-evpn-na-flags-06: (with DISCUSS and COMMENT)
>
> On Fri, Oct 9, 2020 at 7:38 AM Rabadan, Jorge (Nokia - US/Mountain View) <jorge.rabadan@nokia.com> wrote:
>
> Hi Warren,
>
> Thank you for reviewing!
>
> Please see some comments in-line and let us know if we still need to add information to the security section.
>
> Thx
>
> Jorge
>
> From: Warren Kumari via Datatracker <noreply@ietf.org>
> Date: Wednesday, September 23, 2020 at 6:17 PM
> To: The IESG <iesg@ietf.org>
> Cc: draft-ietf-bess-evpn-na-flags@ietf.org <draft-ietf-bess-evpn-na-flags@ietf.org>, bess-chairs@ietf.org <bess-chairs@ietf.org>, bess@ietf.org <bess@ietf.org>, Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com>, Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com>
> Subject: Warren Kumari's Discuss on draft-ietf-bess-evpn-na-flags-06: (with DISCUSS and COMMENT)
>
> Warren Kumari has entered the following ballot position for
> draft-ietf-bess-evpn-na-flags-06: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-bess-evpn-na-flags/
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> Be ye not afraid! This DISCUSS should be fairly trivial to address...
>
> This allows for more information to be carried with MAC/IP Advertisements. It
> seems to me that this gives a DoS-style attacker more opportunities to exhaust
> state on routers - I could sit on a wire and create lots of ARP/ND states (make
> up new IP and MAC combinations), causing this to be propagated and burning
> memory / state / etc.
>
> This is somewhat discussed in RFC 7432, but the technique in this document
> seems like it makes this issue somewhat worse - a single sentence in the
> Security Considerations noting it would satisfy me (as would an explanation
> that I'm mistaken :-)).
>
> --------------------
>
> [jorge] we’re happy to add any other explanations in the security section, however I thought your concern could have been addressed by this existing sentence:
>
>    “In addition, this document adds pieces of information that impact on
>    the way ARP/ND entries are installed in ARP/ND and/or proxy-ARP/ND
>    tables, and therefore the resolution protocols for IPv4 and IPv6
>    addresses.”
>
> Also, can you please clarify what you mean by this?:
>
> “this gives a DoS-style attacker more opportunities to exhaust
> state on routers - I could sit on a wire and create lots of ARP/ND states (make
> up new IP and MAC combinations), causing this to be propagated and burning
> memory / state / etc.”
>
> Note that the new flags come in an extended community, which is not part of the route key, hence receiving multiple combinations of flags with the same IP->MAC information will not create new state, but update the existing one. As an example, if a PE receives IP1->MAC1(R=1,I=0) and later IP1->MAC1(R=0,I=1), the PE will not create additional state but will update the entry with the latest information.
>
> Yes, multiple combinations of flags with the same IP->MAC will just result in updates, but let's pretend I'm sitting on a network at work, my IP address is 172.16.0.10/12 and my MAC address is 00:11:22:33:44:55. I've decided I want the rest of the day off to go watch the cricket match, and so it would be *just great* if the network were to go down....
>
> I generate an ARP request for 172.16.0.11, and then immediately reply to my own ARP with a MAC address of 00:11:22:33:44:56. I then generate an ARP request for 172.16.0.12, and immediately reply to my own ARP with a MAC address of 00:11:22:33:44:57, etc. (This is a trivial ARP flooding attack - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/security-advisories/arp%20flooding%20attack. Variations include using the same IP and different MACs, or the same MAC and different IPs.)
>
> On a "normal" (non-VPN) system, this is only slightly painful (everything is local, you can purge old IP->MAC entries easily, and the worst case failure is the single router that you are behind). In a (L2-style) VPN this needs to be propagated, and each new ARP entry requires a new announcement, all devices need to do $something, and the failure domain is all of the devices participating.
>
> Let me know if I’m missing your point please, and if so it would be great if you can suggest some text for the security section.
>
> I don't really have any suggested text, other than perhaps a warning that implementations should pay attention to this. Actually I'm not sure what the least painful response is...
>
> W
>
> --------------------
>
> I also support EK & Rob's DISCUSSes
>
> [jorge] we think we addressed their discusses… but obviously they (and you) can let us know if it is not the case.
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Other than my DISCUSSes, I found this document to be well written and easy to
> understand - thank you for writing it...
>
> [jorge] thank you for your kind words!
>
> --
>
> I don't think the execution is relevant when it was obviously a bad idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
>    ---maf

--
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
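As an added illustration of the thread above, and not text or code from the draft, RFC 7432 or any PE implementation: a toy proxy-ARP/ND table in Python that applies the two controls the rev-08 Security Considerations text names (an entry cap per BD/port and a watch on the rate of dynamic entry creation) and that treats the extended-community flags the way Jorge describes, as attributes of an existing entry rather than part of the key. The class name, thresholds, BD/port identifiers and sample addresses are all assumptions made for the example.

```python
from collections import defaultdict, deque


class ProxyArpNdTable:
    """Toy per-BD proxy ARP/ND table (assumed design, not from the draft).
    Two defensive controls from the rev-08 Security Considerations text:
    a cap on dynamic entries per BD/port and a watch on the rate at which a
    port creates new entries. Entry keys mirror the EVPN route key: flags
    carried in the extended community are NOT part of the key."""

    def __init__(self, max_entries_per_port=4, rate_limit=3, window=1.0):
        self.entries = {}                    # (bd, ip) -> entry dict
        self.per_port = defaultdict(int)     # (bd, port) -> entry count
        self.creations = defaultdict(deque)  # (bd, port) -> creation times
        self.max_entries_per_port = max_entries_per_port
        self.rate_limit = rate_limit         # new entries allowed per window
        self.window = window                 # seconds
        self.alerts = []

    def learn(self, bd, port, ip, mac, flag_r, flag_i, now):
        """Install or refresh (bd, ip). Returns created/updated/rejected."""
        key = (bd, ip)
        if key in self.entries:
            # Same IP with new MAC or new R/I flags: refresh, no new state.
            self.entries[key].update(mac=mac, R=flag_r, I=flag_i)
            return "updated"
        pk = (bd, port)
        # Rate watch counts creation attempts, rejected ones included,
        # so a flood stays visible even once the cap is holding the line.
        q = self.creations[pk]
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        if len(q) > self.rate_limit:
            self.alerts.append(
                f"bd={bd} port={port}: {len(q)} new-entry attempts in {self.window}s")
        if self.per_port[pk] >= self.max_entries_per_port:
            return "rejected"           # cap reached: do not burn more state
        self.entries[key] = {"mac": mac, "R": flag_r, "I": flag_i, "port": port}
        self.per_port[pk] += 1
        return "created"


if __name__ == "__main__":
    t = ProxyArpNdTable()
    # Constructed sample: one host churning through IP/MAC pairs on port p1.
    for i in range(6):
        print(t.learn(10, "p1", f"10.0.0.{i + 1}", f"00:00:00:00:00:{i:02x}", 1, 0, i / 10))
    print(t.alerts)
```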