[bess] Éric Vyncke's Discuss on draft-ietf-bess-evpn-proxy-arp-nd-11: (with DISCUSS and COMMENT)
Éric Vyncke via Datatracker <noreply@ietf.org> Thu, 21 January 2021 14:13 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: bess@ietf.org
Delivered-To: bess@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CBE53A0D12; Thu, 21 Jan 2021 06:13:44 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Éric Vyncke via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-bess-evpn-proxy-arp-nd@ietf.org, bess-chairs@ietf.org, bess@ietf.org, Matthew Bocci <matthew.bocci@nokia.com>, matthew.bocci@nokia.com, jeanmichel.combes@orange.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.24.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Éric Vyncke <evyncke@cisco.com>
Message-ID: <161123842361.25230.14225434357147230236@ietfa.amsl.com>
Date: Thu, 21 Jan 2021 06:13:44 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/qoPLcYcKVIMrPQtPjKyRFBx9VCg>
Subject: [bess] Éric Vyncke's Discuss on draft-ietf-bess-evpn-proxy-arp-nd-11: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jan 2021 14:13:44 -0000
Éric Vyncke has entered the following ballot position for draft-ietf-bess-evpn-proxy-arp-nd-11: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-bess-evpn-proxy-arp-nd/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Thank you for the work put into this document. This system could indeed be very useful but I am afraid that this is a very complex system especially for IPv6 NDP. Minor regret in the shepherd write-up as the WG summary did not include any comment on the WG consensus. Thanks to Jean-Michel Combes for its Internet directorate review at: https://datatracker.ietf.org/doc/review-ietf-bess-evpn-proxy-arp-nd-11-intdir-telechat-combes-2021-01-20/ as Jean-Michel added some important comments, please review them as well as I support them especially those around DAD that should be a blocking DISCUSS point. I also second Erik Kline's DISCUSS points. Question to the authors and BESS WG chairs: was this document submitted to a 6MAN/V6OPS WGs review ? This is where all IPv6 experts live :-) Please find below some blocking DISCUSS points, some non-blocking COMMENT points (but replies would be appreciated), and some nits. I hope that this helps to improve the document, Regards, -éric == DISCUSS == Would RFC 8929 be enough to solve the problem ? -- Section 3 -- "A Proxy-ARP/ND implementation MAY support all those sub-functions or only a subset of them.", I am afraid that it is mandatory that the reply and duplicate-ip must be coupled: either both of them are active or none of them are active else the system allows for duplicate IP addresses. -- Section 3.1 -- "A Proxy-ARP/ND implementation SHOULD support static, dynamic and EVPN-learned entries." why not a MUST ? Or at least for dynamic & EVPN-learned ? or at least one ? "Upon receiving traffic from the CE... the PE will activate the IP->MAC and advertise it in EVPN" it is unspecified how many bindings can be advertised in the case of multiple static MAC for one IP... only one or all ? -- Section 3.2 -- Why not flooding to all other PEs the ARP/NS with unknown options ? It would be safer. -- Section 3.6 -- This function MUST be a mandatory part of the list of functions of section 3. -- Section 5.2 -- An easy to fix: "Any unknown source MAC->IP entries" isn't it IP->MAC as in the rest of the document including the terminology section ? -- Section 5.4 -- "traffic to unknown entries is discarded" which traffic (section 5.5 is much better to this point suggest to copy the text)? The NDP/ARP or normal data plane traffic ? Where is this behavior specified in the 6 sub-functions of section 3 ? ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Consider adding a section about host not doing GARP or doing no DAD or optimistic DAD. -- Section 1 -- Is there any reason why the terminology section is not alphabetically sorted ? -- Section 2.1 -- I would have assumed that the multicast nature of IPv6 address resolution would cause more problems than IPv4 ARP. The use of link-local multicast groups do not usually help as MLD snooping is often disabled in switches for link-local. Not to mention that there could be more IPv6 addresses per node than IPv4 address and IPv6 addresses keep changing. Do the authors have data to back this section ? -- Section 2.2 -- Unsure about the meaning of "large layer-2 peering network"... Do we peer at layer-2 ? Now, I understand what is meant of course but the wording appears strange to me (not being an English native), may I suggest "large layer-2 network for peering" ? Please expand GARP in "Unsolicited GARP". Also, this is a pleonasm as gratuitous ARP are by definition "unsolicited" ;-) The definition of a CE in an IXP network would be welcome. I am afraid that I do not agree with "The issue may be better in IPv6 routers" even if the IPv6 addresses are static in this environment (i.e., no RFC 4941 addresses). -- Section 3 -- An IPv6 example would also be useful as NS is not like ARP. Should the default behavior/sub-function of flooding be added to the list of 1) to 6) ? -- Section 3.1 -- "Upon receiving traffic from the CE"... but with which IP address ? (OK guessable but let's be clear in a standard specification). It also seems to me like a local policy / feature that do not require standardization. "Note that MAC and IPs with value 0 SHOULD NOT be learned" unsure why it is a singular MAC and plural IP ;-) "only if the ARP/NA message creating the entry was NOT flooded before" what is meant by 'flooded' ? Suggestion to add some descriptions of the impact of a rebooting/new PE with an empty cache while other PE have caches. -- Section 3.1.1 -- Should RFC 4861 also be mentioned in "The use of the R Flag in NA messages has an impact on how hosts select their default gateways when sending packets off-link" ? "Static entries SHOULD have the R Flag information added by the management interface.", else what is the default setting of te R-flag ? "This configured R Flag SHOULD be an administrative choice with a default value of 1", so all other CE will appear as a router ? Not critical in the case of IXP as it is a default free zone but in a DC (suggest s/SHOULD/MAY/)? Is there a recommended setting for the O-flag? -- Section 3.2 -- Is "'anycast' is enabled in the BD" specified somewhere in this document ? Suggest to split the point d) in three items: one for each flag. Why is there no IPv6 equivalent of e) ? In point f), "or discarded" can a packet with known IP->MAC mapping be discarded as well ? -- Section 3.4 -- Please expand "IRB" Should "flushed if the owner is no longer in the network" be complemented with a BGP withdrawal ? Is there any security exposure (control plane DoS) by forcing the PE without IRB to have an IPv6 LLA ? -- Section 3.6 -- Strong suggestion to s/the PE MAY send a CONFIRM message to the former owner of the IP/the PE SHOULD send a CONFIRM message to the former owner of the IP/ Unsure why CONFIRM is in uppercase BTW. "If the PE does not receive an answer within a given timer" is there a recommended value for this timer ? I have re-read three times the "anti-spoofing MAC" part, and, I still do not understand it... Is MAC-AS the black-hole address (then why not using a all 0 MAC address) or an alternative MAC address (but then who modifies the frame header to the CE) ? -- Section 5.1 -- "in the peering network" is this use case only valid in the case of IXP ? -- Section 5.2 -- "The Proxy-ARP/ND function is enabled" but what about the sub-functions enumerated in section 3 ? "by snooping ARP/ND messages issued by the CEs" isn't the learning sub-function ? -- Section 5.3 (and others) -- Why is this section apparently limited to IXP only ? -- Section 5.5 -- There is a big overlap between this clear/good sub-sections and the previous ones. Suggest to keep only this one + section 5.6. -- Section 5.6 -- "IPv6 'anycast' may be required in DCs, while it is not a requirement in IXP networks." I have doubts that anycast is never used in IXP networks. Let's rather say "seldom used in IXP networks". -- Section 6 -- Nothing is said about putting some limits on the number of entries for an IP address... Else, this could lead to a DoS against the proxy & BGP sessions. "For example, IXPs should disable all unneeded control protocols, and block unwanted protocols from CEs so that only IPv4, ARP and IPv6 Ethertypes are permitted on the peering network. In addition, port security features and ACLs can provide an additional level of security." While the above text is a good recommendation, I wonder what it the relationship with this document ? == NITS == -- Abstract -- s/(DBs)/(BDs)/ -- Section 2.2 -- s/IPv4 layer-3 addresses/IPv4 addresses/ -- Section 3.1 -- Please use lower hexadecimal number, e.g., s/0x86dd/0x86dd/ -- Section 5.5 -- The "IXP-LAN" terminology is only used in this section while others are using "peering network" or "IXP networks". Let's choose only one ;-)
- [bess] Éric Vyncke's Discuss on draft-ietf-bess-e… Éric Vyncke via Datatracker
- Re: [bess] Éric Vyncke's Discuss on draft-ietf-be… Rabadan, Jorge (Nokia - US/Mountain View)
- Re: [bess] Éric Vyncke's Discuss on draft-ietf-be… Eric Vyncke (evyncke)
- Re: [bess] Éric Vyncke's Discuss on draft-ietf-be… Rabadan, Jorge (Nokia - US/Mountain View)
- Re: [bess] Éric Vyncke's Discuss on draft-ietf-be… Eric Vyncke (evyncke)
- Re: [bess] Éric Vyncke's Discuss on draft-ietf-be… Rabadan, Jorge (Nokia - US/Mountain View)
- Re: [bess] Éric Vyncke's Discuss on draft-ietf-be… Eric Vyncke (evyncke)
- Re: [bess] Éric Vyncke's Discuss on draft-ietf-be… Eric Vyncke (evyncke)
- Re: [bess] Éric Vyncke's Discuss on draft-ietf-be… Rabadan, Jorge (Nokia - US/Mountain View)
- Re: [bess] Éric Vyncke's Discuss on draft-ietf-be… Joshi, Vinayak
- Re: [bess] Éric Vyncke's Discuss on draft-ietf-be… Rabadan, Jorge (Nokia - US/Mountain View)
- Re: [bess] Éric Vyncke's Discuss on draft-ietf-be… Joshi, Vinayak
- Re: [bess] Éric Vyncke's Discuss on draft-ietf-be… Rabadan, Jorge (Nokia - US/Mountain View)
- Re: [bess] Éric Vyncke's Discuss on draft-ietf-be… Joshi, Vinayak
- Re: [bess] Éric Vyncke's Discuss on draft-ietf-be… Pascal Thubert (pthubert)
- Re: [bess] Éric Vyncke's Discuss on draft-ietf-be… Joshi, Vinayak
- Re: [bess] Éric Vyncke's Discuss on draft-ietf-be… Pascal Thubert (pthubert)
- Re: [bess] Éric Vyncke's Discuss on draft-ietf-be… Eric Vyncke (evyncke)
- Re: [bess] Éric Vyncke's Discuss on draft-ietf-be… Rabadan, Jorge (Nokia - US/Mountain View)
- Re: [bess] Éric Vyncke's Discuss on draft-ietf-be… Eric Vyncke (evyncke)
- Re: [bess] Éric Vyncke's Discuss on draft-ietf-be… Rabadan, Jorge (Nokia - US/Mountain View)