Re: [Last-Call] Secdir last call review of draft-ietf-bier-evpn-13

"Jeffrey (Zhaohui) Zhang" <zzhang@juniper.net> Tue, 02 January 2024 21:40 UTC

From: "Jeffrey (Zhaohui) Zhang" <zzhang@juniper.net>
To: Mohit Sethi <mohit@iki.fi>, "secdir@ietf.org" <secdir@ietf.org>
CC: "bier@ietf.org" <bier@ietf.org>, "draft-ietf-bier-evpn.all@ietf.org" <draft-ietf-bier-evpn.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Date: Tue, 02 Jan 2024 21:39:36 +0000
Message-ID: <IA1PR05MB9550EB2B7AA1B2ED2CB29785D461A@IA1PR05MB9550.namprd05.prod.outlook.com>
References: <170413791802.53656.1714323508767750456@ietfa.amsl.com>
In-Reply-To: <170413791802.53656.1714323508767750456@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/L419T9VQ10SYr7vTaHxbCUZGxko>

Hi Mohit,

Thank you very much for your comments. I posted revision -014.
Please see zzh> below.


-----Original Message-----
From: Mohit Sethi via Datatracker <noreply@ietf.org>
Sent: Monday, January 1, 2024 2:39 PM
To: secdir@ietf.org
Cc: bier@ietf.org; draft-ietf-bier-evpn.all@ietf.org; last-call@ietf.org
Subject: Secdir last call review of draft-ietf-bier-evpn-13

Reviewer: Mohit Sethi
Review result: Has Nits

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last-call comments.

This document defines procedures for forwarding broadcast, unknown unicast, and multicast (BUM) traffic of Ethernet VPNs (EVPN) using Bit Index Explicit Replication (BIER).

I am not at all familiar with this area and found the document somewhat difficult to parse and comprehend. However, that is not necessarily a problem since I am not the target audience in any case.

Some nits from my limited understanding:

The introduction mentions P-tunnels but it is explained a little later in section 1.1.

Zzh> I changed it to "provider tunnels".

I am not sure how should I interpret "As such, this document is also very much aligned with [RFC8556]." What is RFC8556 and in what sense is the current draft aligned?

Zzh> I added " that specifies MVPN with BIER" after "... with [RFC8556]".

Perhaps a reason or justification for this reuse could be helpful: "The same codepoint 0x0B that IANA has assigned for BIER for MVPN [RFC8556] is used for EVPN as well."

Zzh> It's beyond that code point. The paragraph also says:

   For terseness, some background,
   terms and concepts are not repeated here.  Additionally, some text is
   borrowed verbatim from [RFC8556].

Several acronyms such as NLRI, mLDP P2MP, NVGRE, GENEVE, BD, VNI/VSID are used without expanding them on first use and without any definition in the terminology section?

Zzh> BD was already expanded, though now I changed it to the more correct "Broadcast Domain".
Zzh> I expanded NLRI.
Zzh> VXLAN/NVGRE/GENEVE are first mentioned in the following context with relevant RFC references:

      For EVPN-VXLAN/NVGRE/GENEVE [RFC8365]
      [RFC7348] [RFC7637] [RFC8926], this field is a 24-bit VNI/VSID of
      global significance.

Zzh> While I can expand them to Virtual Extensible LAN (VXLAN), Network Virtualization using Generic Routing Encapsulation (NVGRE), and Generic Network Virtualization Encapsulation (GENEVE), I am not sure that adds value beyond adding clutter?

Zzh> Nonetheless, I added them and RSVP/mLDP-P2MP to the terminology section.

The document is missing the boiler plate text and reference to BCP 14 [RFC2119] [RFC8174].

Zzh> Strange. I do see it in https://datatracker.ietf.org/doc/draft-ietf-bier-evpn/?

Considering BCP 14, how should one interpret the phrase "they do NOT apply to EVPN"? Perhaps SHALL NOT or SHOULD NOT?

The security considerations section simply provides references to [RFC7432] and [RFC8556] for security implications. I guess that is okay, but I noticed that [RFC8556] further references [RFC8279] and [RFC8296] for security considerations. Perhaps that is acceptable. One could consider stating that the security of this solution is based on the full trust of the complete end-to-end BIER network. There is no cryptography to ensure that a packet is not manipulated enroute and properties such as integrity confidentiality of the traffic is ensured at higher layers?

Zzh> RFC7432 has the following:

   *Users of VPN services* are expected to take appropriate
   precautions (such as encryption) to protect the data exchanged over
   a VPN.

Zzh> There is no difference whether BIER or some other kinds of tunnels are used. Without end-to-end encryption, the security is based on the full trust of the complete *provider* network, which the BIER network is part of. Therefore, if it's ok with you I'd rather not say more besides referring to RFC7432 and RFC8556 (which refers to RFC8279 and RFC8296).

Zzh> Thanks!
Zzh> Jeffrey
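The trust-model point argued in the exchange above, as an added example that is not part of the original message, the draft, or any Juniper code: a BIER domain replicates a BUM frame to the egress PEs whose bits are set in the BitString and never looks at the customer payload, so a compromised transit node can rewrite that payload undetected unless the VPN users protect it themselves, as RFC 7432 expects. The BitString/BFR-id logic follows RFC 8279 in spirit only; the packet layout, the single-transit-node topology, the PE names, the ARP frame, the attacker rewrite and the HMAC key are all constructed for illustration and are not the RFC 8296 wire encoding.

```python
"""
Simplified model of BIER replication plus the trust point raised in the
Secdir review: the BIER domain forwards by bit position and carries no
cryptographic protection of the customer frame, so tampering by a transit
node is only caught if the VPN users add integrity protection end to end
(here: HMAC-SHA256 over the customer frame).

Added example, not code from the draft or from Juniper. Header layout,
topology, names and key are constructed and do not follow RFC 8296.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed BFR-id assignment: each egress BFER owns one bit in the
# BitString (RFC 8279 numbers bits from 1 at the least significant end).
BFR_IDS = {"PE2": 1, "PE3": 2, "PE4": 3}

# Constructed customer broadcast frame and VPN-user key (assumptions).
FRAME = b"ff:ff:ff:ff:ff:ff 00:11:22:33:44:55 ARP who-has 10.0.0.1"
KEY = b"constructed-demo-key-shared-by-vpn-users"


@dataclass
class BierPacket:
    bitstring: int   # set bits = egress BFERs this copy must still reach
    payload: bytes   # customer frame, opaque to every BFR


def bitstring_for(egresses):
    """BitString an ingress BFIR sets to reach the given egress PEs."""
    bits = 0
    for pe in egresses:
        bits |= 1 << (BFR_IDS[pe] - 1)
    return bits


def forward(pkt, tamper=None):
    """One transit BFR directly attached to all BFERs: emit one copy per
    set bit, each copy keeping only the bit its neighbor serves (RFC 8279
    clears the bits a given neighbor does not reach). `tamper` models a
    compromised transit node changing the payload before replicating; BIER
    itself has no way to notice this."""
    payload = tamper(pkt.payload) if tamper else pkt.payload
    copies = {}
    for pe, bfr_id in BFR_IDS.items():
        bit = 1 << (bfr_id - 1)
        if pkt.bitstring & bit:
            copies[pe] = BierPacket(bit, payload)
    return copies


def protect(key, frame):
    """VPN-user layer: frame || HMAC-SHA256(key, frame). Integrity only;
    confidentiality would need encryption on top, as RFC 7432 suggests."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()


def verify(key, data):
    """Return the frame if its tag verifies, else None (drop at egress)."""
    frame, tag = data[:-32], data[-32:]
    expected = hmac.new(key, frame, hashlib.sha256).digest()
    return frame if hmac.compare_digest(tag, expected) else None


def rewrite_arp(payload):
    """Constructed attacker action on a compromised transit node: change
    the address the broadcast ARP asks about."""
    return payload.replace(b"10.0.0.1", b"10.0.0.9")


def deliver(egresses, frame, key=None, tamper=None):
    """Ingress BFIR -> transit BFR -> egress BFERs. Returns, per egress,
    the frame the customer side receives (None = rejected by the VPN
    user's own integrity check). Passing `key` changes nothing in BIER,
    only what the VPN users do at the edges."""
    payload = protect(key, frame) if key else frame
    pkt = BierPacket(bitstring_for(egresses), payload)
    received = {}
    for pe, copy in forward(pkt, tamper).items():
        received[pe] = verify(key, copy.payload) if key else copy.payload
    return received


if __name__ == "__main__":
    print("honest transit, no protection:", deliver(["PE2", "PE4"], FRAME))
    print("tampering transit, no protection:",
          deliver(["PE2", "PE4"], FRAME, tamper=rewrite_arp))
    print("tampering transit, HMAC at VPN layer:",
          deliver(["PE2", "PE4"], FRAME, key=KEY, tamper=rewrite_arp))
```

Run as a script, the unprotected tampered case shows every egress accepting the altered ARP frame, while the HMAC-protected case shows every egress dropping it; PE3, whose bit was never set, receives nothing in either case. The model deliberately keeps the BitString semantics (selection by bit, bit clearing per neighbor) and nothing else, because that is exactly what BIER contributes and exactly what offers no protection against a misbehaving provider node.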