Re: [Pals] Stephen Farrell's No Objection on draft-ietf-l2vpn-vpls-pe-etree-10: (with COMMENT)
Jiangyuanlong <jiangyuanlong@huawei.com> Fri, 04 December 2015 09:19 UTC
Return-Path: <jiangyuanlong@huawei.com>
X-Original-To: pals@ietfa.amsl.com
Delivered-To: pals@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F40381A88B4; Fri, 4 Dec 2015 01:19:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5o1ZDv_2hQlB; Fri, 4 Dec 2015 01:19:08 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E48B41A87CB; Fri, 4 Dec 2015 01:19:06 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml406-hub.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CEZ73735; Fri, 04 Dec 2015 09:19:04 +0000 (GMT)
Received: from SZXEMA413-HUB.china.huawei.com (10.82.72.72) by lhreml406-hub.china.huawei.com (10.201.5.243) with Microsoft SMTP Server (TLS) id 14.3.235.1; Fri, 4 Dec 2015 09:19:02 +0000
Received: from SZXEMA506-MBS.china.huawei.com ([169.254.4.102]) by SZXEMA413-HUB.china.huawei.com ([10.82.72.72]) with mapi id 14.03.0235.001; Fri, 4 Dec 2015 17:18:45 +0800
From: Jiangyuanlong <jiangyuanlong@huawei.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
Thread-Topic: Stephen Farrell's No Objection on draft-ietf-l2vpn-vpls-pe-etree-10: (with COMMENT)
Thread-Index: AQHRLckG4CemMX0T2EuN+OiNTq+1lZ66YCPA
Date: Fri, 04 Dec 2015 09:18:44 +0000
Message-ID: <3B0A1BED22CAD649A1B3E97BE5DDD68B91600B18@szxema506-mbs.china.huawei.com>
References: <20151203124855.28537.59385.idtracker@ietfa.amsl.com>
In-Reply-To: <20151203124855.28537.59385.idtracker@ietfa.amsl.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.66.76.118]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020205.56615A88.01E2, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.4.102, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 51784f1eb5a11bfce82930623d39d1a3
Archived-At: <http://mailarchive.ietf.org/arch/msg/pals/TG1tl7bZb_9TROb3OOJ-TMWZ3cc>
Cc: "Dr. Nabil N. Bitar" <nabil.n.bitar@verizon.com>, "draft-ietf-l2vpn-vpls-pe-etree@ietf.org" <draft-ietf-l2vpn-vpls-pe-etree@ietf.org>, "draft-ietf-l2vpn-vpls-pe-etree.all@ietf.org" <draft-ietf-l2vpn-vpls-pe-etree.all@ietf.org>, "pals-chairs@ietf.org" <pals-chairs@ietf.org>, "pals@ietf.org" <pals@ietf.org>, "stbryant@cisco.com" <stbryant@cisco.com>
Subject: Re: [Pals] Stephen Farrell's No Objection on draft-ietf-l2vpn-vpls-pe-etree-10: (with COMMENT)
X-BeenThere: pals@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Pseudowire And LDP-enabled Services dicussion list." <pals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pals>, <mailto:pals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pals/>
List-Post: <mailto:pals@ietf.org>
List-Help: <mailto:pals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pals>, <mailto:pals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2015 09:19:11 -0000
Hi Stephen, Thanks a lot for the detailed comments, please see the inline comments. Best regards, Yuanlong > -----Original Message----- > From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] > Sent: Thursday, December 03, 2015 8:49 PM > To: The IESG > Cc: draft-ietf-l2vpn-vpls-pe-etree@ietf.org; Dr. Nabil N. Bitar; > draft-ietf-l2vpn-vpls-pe-etree.all@ietf.org; pals-chairs@ietf.org; > stbryant@cisco.com; pals@ietf.org > Subject: Stephen Farrell's No Objection on draft-ietf-l2vpn-vpls-pe-etree-10: (with > COMMENT) > > Stephen Farrell has entered the following ballot position for > draft-ietf-l2vpn-vpls-pe-etree-10: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-l2vpn-vpls-pe-etree/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > > Could you explain a bit to me how prevention of leaf-to-leaf > communication is enforced? I wasn't clear about that from a quick > read, sorry. (I know it might not be quite in scope, being an > implementation issue, but I'd like to know if it's easy to explain.) > [YJ] In a nutshell, a PE will not send packets it receives tagged with a leaf VLAN to any leaf nodes. More specifically, for a PE including a bridge module with IEEE 802.1-2014 capability: For each port of the bridge module, there is an egress VLAN translation table which indicates how to translate a VLAN for a frame received from T-VSI. If a port is attached with a leaf node, then leaf VLAN is translated to 0xFFF, and the frame will be discarded automatically. On the other hand, if a port is attached with a root node, then leaf VLAN is translated to a normal VLAN (or removed) and the frame will be delivered to the root node. > Are there possible attacks on signalling - e.g. to send fake packets > saying some node is a root, when it's a leaf? If so shouldn't those > be recognised in the security considerations? > [YJ] if a PE is compromised or LDP is spoofed by some middle-man (though rarely for carrier networks), this may happen indeed. It seems the Security considerations in LDP protocol (RFC3036/5036) already cover the signaling security as a whole, and indirectly referenced in this document (by referring to Security considerations of RFC4762). One argument would be: this fake root situation is no worse than the construction of a VPLS where every CE node is actually a root (a PE could choose to do so if it is compromised). > I think section 9 should describe the kind of node compromises that > would invalidate the "no leaf to leaf" protections that are needed > for this to work. The intent should be just to allow implementers to > realise when a node that they are designing or deploying might need > to be (better) protected against compromise. Were is possible to say > something useful about how to mitigate such compromises, that'd > be good too. (But it may amount to "harden your kit" I guess, which > could be enough to say if one knows which bits of kit need hardening > against what.) > [YJ] it seems authenticity and integrity measures are needed for LDP session messages, as dictated by RFC3036/5036. Not sure whether it make sense to add a note for service providers in the document, such as: if a root node or root VLAN is inappropriately configured, service frames may be leaked out unintentionally. Thanks again, Yuanlong
- [Pals] Stephen Farrell's No Objection on draft-ie… Stephen Farrell
- Re: [Pals] Stephen Farrell's No Objection on draf… Jiangyuanlong
- Re: [Pals] Stephen Farrell's No Objection on draf… Stephen Farrell