Re: [bess] Secdir last call review of draft-ietf-bess-evpn-pref-df-11

"Jorge Rabadan (Nokia)" <jorge.rabadan@nokia.com> Fri, 06 October 2023 19:51 UTC

From: "Jorge Rabadan (Nokia)" <jorge.rabadan@nokia.com>
To: Peter Yee <peter@akayla.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "bess@ietf.org" <bess@ietf.org>, "draft-ietf-bess-evpn-pref-df.all@ietf.org" <draft-ietf-bess-evpn-pref-df.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-bess-evpn-pref-df-11
Thread-Index: AQHZtXak/H50La+jiEm+5Y19k1lp+rAyFoBO
Date: Fri, 06 Oct 2023 19:50:56 +0000
Message-ID: <DS0PR08MB94458EA6102E05B2B7EDF757F7C0A@DS0PR08MB9445.namprd08.prod.outlook.com>
References: <168924490858.4026.16003917904770821402@ietfa.amsl.com>
In-Reply-To: <168924490858.4026.16003917904770821402@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/m079fIT060O4ONxvHk1GpqXtutI>
Subject: Re: [bess] Secdir last call review of draft-ietf-bess-evpn-pref-df-11
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>

Hi Peter,

Thank you very much for your review.

Please see my comments/resolutions in-line with [Jorge]. All your comments are addressed in version 12 that we just published.

Thanks.
Jorge

From: Peter Yee via Datatracker <noreply@ietf.org>
Date: Thursday, July 13, 2023 at 3:41 AM
To: secdir@ietf.org <secdir@ietf.org>
Cc: bess@ietf.org <bess@ietf.org>, draft-ietf-bess-evpn-pref-df.all@ietf.org <draft-ietf-bess-evpn-pref-df.all@ietf.org>, last-call@ietf.org <last-call@ietf.org>
Subject: Secdir last call review of draft-ietf-bess-evpn-pref-df-11

Reviewer: Peter Yee
Review result: Has Nits

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

The summary of the review is that the document is ready with nits.

The document specifies two new Designated Forwarder algorithms and the
procedures for using them in selecting a Designated Forwarder in an EVPN
network. The only concern that I have is that a malicious actor able to change
the configuration of a PE can unilaterally cause that PE to become the
Designated Forwarder in many situations. This concern is already highlighted
satisfactorily in the Security Considerations.

The two new algorithms share their preference information in the same way the
existing algorithms (in RFC 7432 and RFC 8584) do, so what security protections
there are (such as use of TCP-AO) remain the same. However, this should be
reflected in the security considerations, either by a pointer to a peer
document such as RFC 7432 or inclusion of similar or updated language akin to
that found in a peer document.
[Jorge] makes sense. Added:
“Finally, the two Designated Forwarder Election Algorithms specified in this document (Highest-Preference and Lowest-Preference) do not change the way the PEs share their Ethernet Segment information, compared to the algorithms in [RFC7432] and [RFC8584]. Therefore the security considerations in [RFC7432] and [RFC8584] apply to this document too.”


Specific items:

Page 1, Abstract, 1st paragraph, 1st sentence: spell out PE on first use with a
parenthetical (PE) after it. That abbreviation is not one of the RFC Editor’s
well-known abbreviations that don’t require expansion.
[Jorge] changed, thanks.


Page 1, Abstract, 1st paragraph, 1st sentence: change “Broadcast, Unknown
unicast and Broadcast traffic” to “Broadcast, Unknown unicast and Multicast
traffic”. Otherwise, you’re going to have to change the abbreviation to BUB.
[Jorge] changed, thanks.


Page 3, section 1.1, 1st paragraph, 1st sentence: change “Broadcast, Multicast
and Unknown unicast traffic” to “Broadcast, Unknown unicast, and Multicast
traffic”. Or you can change the abbreviation to BMU if you want, but you ought
to be consistent with the Abstract.
[Jorge] changed, thanks.



Page 3, section 1.1, 1st paragraph, 1st sentence: change “in case of” to “in
the case of”.
[Jorge] changed, thanks.



Page 4, section 2: I think you can safely delete the BUM entry having used both
the spelled out and acronym versions prior to this.
[Jorge] changed, thanks.


Page 5, Ethernet Tag definition, last sentence: change “MUST be different from”
to “MUST NOT be”.
[Jorge] changed, thanks.


Page 5, section 3, 3rd sentence: insert “the” before ‘”Don’t Preempt”’. Change
“DF Algorithms Highest-Preference or Lowest-Preference” to “the
Highest-Preference and Lowest-Preference DF Algorithms”.
[Jorge] changed, thanks.


Page 6, Bit 0 definition: make the same change as the previous one above.
[Jorge] changed, thanks.


Page 8, Figure 3: find somewhere to list the expansions of ENNI and CE. I
realize that neither is defined in this document, but the latter could be
ambiguous to some readers.
[Jorge] both added in the terminology section.


Page 9, item ‘a’, 5th sentence: change “Preferance” to “Preference”.
[Jorge] changed, thanks.


Page 9, item ‘b’: assuming that “Section 3” is a reference back to section 3 of
this document, put it in parentheses or do something else to make it clear that
this is supposed to be a pointer, not the concept that there is some section 3
of the Designated Forwarder Election Extended Community for holding these
parameters.
[Jorge] changed, thanks.


Page 10, item ‘e’, 2nd sentence: change “that” to “than”. Change the second
occurrence of “PE” to “PE(s)” to indicate that multiple PEs can be returned by
this selection.
[Jorge] changed, thanks.


Page 10, item ‘e’, 4th sentence: insert “the” before “Originating”.
[Jorge] changed, thanks.


Page 10, 1st bullet item, 2nd sentence: change “Same” to “The same”.

Page 10, 2nd bullet item, 2nd sentence: change “addres” to “address”.

Page 10, 2nd bullet item, 3rd sentence: change “Same” to “The same”.
[Jorge] all changed, thanks.


Page 11, item ‘f’, 1st indented paragraph: change “a 50%” to “by 50%”. Append a
comma after “e.g.”. Spell out LAC.

Page 11, item ‘f’, 2nd non-indented paragraph, 2nd sentence: insert “a” before
“candidate”.

Page 11, item ‘f’, 3rd non-indented paragraph, last sentence: change “provide”
to “provides”.
[Jorge] all changed, thanks.


Page 11, item ‘f’, 4th non-indented paragraph: change “[RFC 7432] based” to “an
[RFC7432]-based”. Change “including” to “also”.
[Jorge] changed, thanks.


Page 12, section 4.2, 1st paragraph, last sentence: change “achive” to
“achieve”. Change “decribed” to “described”.

Page 12, section 4.2, 2nd paragraph, last sentence: change “local” to “locally”.

Page 12, section 4.2, 2nd bullet item: change “E.g.” to “e.g.”.

Page 12, section 4.3, 2nd paragraph, 1st sentence: delete the comma in “that,
when”.

Page 13, item 1, 3rd sentence: delete “Me” in “Don’t Preempt Me”.

Page 13, item 1, 4th sentence: add a comma after “however”.

Page 16, 1st partial paragraph, 2nd full sentence: delete “up” after “pick”.
[Jorge] all changed, thanks.