Re: [bess] Opsdir last call review of draft-ietf-bess-evpn-proxy-arp-nd-04
Joe Clarke <jclarke@cisco.com> Mon, 05 November 2018 01:36 UTC
Return-Path: <jclarke@cisco.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 1B5B4129619;
Sun, 4 Nov 2018 17:36:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.971
X-Spam-Level:
X-Spam-Status: No, score=-14.971 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5,
SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5]
autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 2VwHYmzTUj-x; Sun, 4 Nov 2018 17:36:23 -0800 (PST)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79])
(using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 88B431276D0;
Sun, 4 Nov 2018 17:36:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=cisco.com; i=@cisco.com; l=1579; q=dns/txt; s=iport;
t=1541381783; x=1542591383;
h=subject:to:cc:references:from:message-id:date:
mime-version:in-reply-to:content-transfer-encoding;
bh=QqyZU0WSiTFjim0nE3Ri3vvn5Ovl5evHG/1NHXrJa7A=;
b=D+RCGozX54Jjorv2npXx2R5O6xb6naj1EB0w32N6uLHCeGmZb6l7nW7K
J+Q6imqDyrCpbaT7gS/XLEodQ4YxBJ//T29vUVMTc1q8ssNlV7N4Ao3QV
BHhiyUGR+cmjfx/qdxQPgmQyriVxC9JVbZ9xGFZwK6GHKosVJNU5oSwDh I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0B7AAAtnd9b/5NdJa1kGQEBAQEBAQE?=
=?us-ascii?q?BAQEBAQcBAQEBAQGBZYIFaXyEHpQsgWAtmScNgXeCdQKDPiI4FgEDAQECAQE?=
=?us-ascii?q?CbSiFOwEFI1YQCxgCAiYCAlcGAQwIAQEXgwaCAqhvgS6KE4ELimsXgUE/gTi?=
=?us-ascii?q?Ca4gCglcCiQmGLjOEdIpUCZELBhiBVYd8JoZplBqDLIFaIYFVTSMVgyiQdiG?=
=?us-ascii?q?OTwEB?=
X-IronPort-AV: E=Sophos;i="5.54,466,1534809600"; d="scan'208";a="474040413"
Received: from rcdn-core-11.cisco.com ([173.37.93.147])
by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
05 Nov 2018 01:36:22 +0000
Received: from [192.168.10.113] (rtp-jclarke-nitro4.cisco.com [10.118.87.85])
by rcdn-core-11.cisco.com (8.15.2/8.15.2) with ESMTP id
wA51aE0q023385; Mon, 5 Nov 2018 01:36:17 GMT
To: "Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com>,
"ops-dir@ietf.org" <ops-dir@ietf.org>
Cc: "draft-ietf-bess-evpn-proxy-arp-nd.all@ietf.org"
<draft-ietf-bess-evpn-proxy-arp-nd.all@ietf.org>,
"ietf@ietf.org" <ietf@ietf.org>, "bess@ietf.org" <bess@ietf.org>
References: <153563466646.3197.17486989329935846815@ietfa.amsl.com>
<3E7915CC-296B-49F6-B25F-23713589BCA4@nokia.com>
From: Joe Clarke <jclarke@cisco.com>
Openpgp: preference=signencrypt
Autocrypt: addr=jclarke@cisco.com; prefer-encrypt=mutual; keydata=
xsDiBDo1cJ0RBADSZSmbmzdRr1CoRWWKmAyu0eaQimaLV1TsZEML/ksLyg6faXrKIA/MWc7M
w4FmKkDjaZdFzobzabnKp2QwVadLqi1gYY2WsApKC0rSoqsPx5E847AmwNWXgjXiXORXmnZL
mf5PZ2ECOEJC27sji5Nrh9GSw7OPp6c+EE20gMNVrwCgu3iK5vyGQfy0/wX/jcIvP0nHznUD
/RvijiKomyaf6F5pibmouFNeuCDHc8lwx2giA/MCZl/nSkI2/UX27sULGNgvKNkVPu/AukXu
zW3fIthsJgjQZUoi/BTe9kUP+RL3+RALXXuLv7b3xGRHJ8A1Rpy9H43fkjHZ945YNPrUvJlG
LP5PNGBD1xC21X3EGAyywVynDskcA/4qgbJFkVzmPjFJUjq+RW1zw3UIb3bbkskl/wk5qd+M
w2EhiSPTbEhJQAQUvqSGFWEGp2ANic7iYLdPXV/O6I1/guRRaY0eK77YkkCjz1snaKYnGSeI
GHGwmHb6D+ZHzTqZqr6IssgEIUHjXfgOUTARQbL15nJTVRzDGUiT/65R3c0eSm9lIENsYXJr
ZSA8amNsYXJrZUBjaXNjby5jb20+wl8EExECABcFAjyDqGQFCwcKAwQDFQMCAxYCAQIXgAAS
CRDN7TXCWm4C3wdlR1BHAAEB5KkAn0kBda/9+uF6RfnDSFS7RExUU9DqAJ4knRckYiSASteC
K03QVtEiXblL287ATQQ6NXCeEAQAhIURlK17jmIMdMIuScFU6xK+jkKgVVFrjlRH5vLV2spp
jH/uQ57MMGuOcs7PckXCnPjBV8Tm32Tuw+fCyrbc2gt0ouiT/5WWj0EMeAfWew1zBXX2okGf
LqS6gucVDS6tcEFN6PmJEmX+tWDcmiqx/xXiSfMVYiLMdlK+YDkMDDsAAwUD/3BWOyfdnBGH
Kv28zx+5wq/2vhYnUYCAdVD2ZWCJizQTMbkcxEIKAwtAj6yqKq9ah82nt4VHl5ZejVe47jvR
2nXwJ5VQ9eITuTjTLDw+3qr9lN077VZ32hyb5ULJcW756j9Z3YB2FTANw6KHgChaSVVx9kYJ
FlAggraU7mi39/wvwk4EGBECAAYFAjo1cJ4AEgkQze01wlpuAt8HZUdQRwABAQbdAJ9R8SzU
Mluu9r93BMv6fAW9j6qTZgCfYcEAqOMJv+3Z+YxLiDtWcCY4Sfo=
Organization: Cisco
Message-ID: <ae4da85f-c9ea-26a8-0fe9-bb5a46aa6974@cisco.com>
Date: Sun, 4 Nov 2018 20:36:13 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0)
Gecko/20100101 Thunderbird/60.3.0
MIME-Version: 1.0
In-Reply-To: <3E7915CC-296B-49F6-B25F-23713589BCA4@nokia.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Outbound-SMTP-Client: 10.118.87.85, rtp-jclarke-nitro4.cisco.com
X-Outbound-Node: rcdn-core-11.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/qBYg9YxAnI4K9Ph4IgbrxMdbDyU>
Subject: Re: [bess] Opsdir last call review of
draft-ietf-bess-evpn-proxy-arp-nd-04
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>,
<mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>,
<mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Nov 2018 01:36:25 -0000
On 11/4/18 18:45, Rabadan, Jorge (Nokia - US/Mountain View) wrote: > [JORGE] not sure what you mean by "negative caching". If you refer to the ability of certain routers/servers to inject dummy MACs into the ARP caches so that hosts stop ARPing for absent IPs, the solution actually may help, since there is an option to suppress unknown ARP-Requests/NS flooding explained in Section 4.5. Should you choose to enable this option on the Proxy-ARP/ND functions of the PEs, you no longer flood unknown ARP-Requests, and therefore there is no longer need to inject those dummy MAC addresses to stop the flooding. A host may keep ARP'ing for an absent host, but at least those messages won't bother the entire BD. I added this text in the security section: > -------------- > "The procedures in this document reduce the amount of ARP/ND message > flooding, which in itself provides a protection to "slow path" > software processors of routers and Tenant Systems in large BDs. The > ARP/ND requests that are replied by the Proxy-ARP/ND function (hence > not flooded) are normally targeted to existing hosts in the BD. > ARP/ND requests targeted to absent hosts are still normally flooded, > however the suppression of Unknown ARP-Requests and NS messages > described in Section 4.5. can provide an additional level of security > against ARP-Requests/NS messages issued to non-existing hosts." > -------------- Thanks. I re-read section 4.5, and I think this does indeed address my comment. The addition of this text is appreciated. Joe
- [bess] Opsdir last call review of draft-ietf-bess… Joe Clarke
- Re: [bess] Opsdir last call review of draft-ietf-… Rabadan, Jorge (Nokia - US/Mountain View)
- Re: [bess] Opsdir last call review of draft-ietf-… Joe Clarke