IETF Logo Mail Archive

Re: [savi] Gen-ART review of draft-ietf-savi-threat-scope-05

"Joel M. Halpern" <jmh@joelhalpern.com> Mon, 16 May 2011 17:09 UTC

Return-Path: <jmh@joelhalpern.com>
X-Original-To: savi@ietfa.amsl.com
Delivered-To: savi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 319F3E0784; Mon, 16 May 2011 10:09:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5XVrxEzx0wrI; Mon, 16 May 2011 10:09:23 -0700 (PDT)
Received: from hgblob.out.tigertech.net (hgblob.out.tigertech.net [74.114.88.71]) by ietfa.amsl.com (Postfix) with ESMTP id 4D321E074A; Mon, 16 May 2011 10:09:23 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hgblob.tigertech.net (Postfix) with ESMTP id 1C44F3254008; Mon, 16 May 2011 10:09:23 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at hgblob.tigertech.net
Received: from [192.168.1.4] (pool-173-66-76-136.washdc.fios.verizon.net [173.66.76.136]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by hgblob.tigertech.net (Postfix) with ESMTPSA id 1928F3245458; Mon, 16 May 2011 10:09:22 -0700 (PDT)
Message-ID: <4DD15A40.2010209@joelhalpern.com>
Date: Mon, 16 May 2011 13:09:20 -0400
From: "Joel M. Halpern" <jmh@joelhalpern.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.17) Gecko/20110414 Lightning/1.0b2 Thunderbird/3.1.10
MIME-Version: 1.0
To: david.black@emc.com
References: <7C4DFCE962635144B8FAE8CA11D0BF1E055F69357F@MX14A.corp.emc.com> <4DCD4DEA.2050902@joelhalpern.com> <7C4DFCE962635144B8FAE8CA11D0BF1E055F6937FA@MX14A.corp.emc.com> <4DD142AE.5030409@joelhalpern.com> <7C4DFCE962635144B8FAE8CA11D0BF1E055F693A04@MX14A.corp.emc.com>
In-Reply-To: <7C4DFCE962635144B8FAE8CA11D0BF1E055F693A04@MX14A.corp.emc.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: dmcpherson@verisign.com, savi@ietf.org, gen-art@ietf.org, christian.vogt@ericsson.com, jeanmichel.combes@gmail.com, joel.halpern@ericsson.com
Subject: Re: [savi] Gen-ART review of draft-ietf-savi-threat-scope-05
X-BeenThere: savi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mailing list for the SAVI working group at IETF <savi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/savi>, <mailto:savi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/savi>
List-Post: <mailto:savi@ietf.org>
List-Help: <mailto:savi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 May 2011 17:09:24 -0000

I can plan to make these changes at the end of the last call.
Joel

On 5/16/2011 12:56 PM, david.black@emc.com wrote:
> Joel,
>
> I think the LACP discussion could be added to 4.1.1.
>
> I also think that there's a general theme that needs to be covered across all of 4.1.1 - 4.1.4: When there are multiple traffic egress points from a domain (4.1.1 - 4.1.4 cover four different types of domains), the SAVI checks on all the egresses should be coordinated and consistent in order to avoid surprises when the traffic switches to a different egress point.
>
> Thanks,
> --David
>
>> -----Original Message-----
>> From: Joel M. Halpern [mailto:jmh@joelhalpern.com]
>> Sent: Monday, May 16, 2011 11:29 AM
>> To: Black, David
>> Cc: dmcpherson@verisign.com; fred@cisco.com; joel.halpern@ericsson.com; gen-art@ietf.org;
>> savi@ietf.org; christian.vogt@ericsson.com; jeanmichel.combes@gmail.com
>> Subject: Re: [savi] Gen-ART review of draft-ietf-savi-threat-scope-05
>>
>> Looking at the draft more carefully (when I am more awake, sorry), I
>> think what you are asking is that more text be put in section 4.1, maybe
>> a subsection?  That additional text would talk about placement on a
>> switch that is not directly attached to the client, but is not as far
>> upstream as the first hop router?  That text would include mention of
>> the effect of spanning tree variation and LACP path changes.
>>
>> Sorry I was dense,
>> Joel
>>
>> On 5/15/2011 9:45 PM, david.black@emc.com wrote:
>>> Joel,
>>>
>>> If LACP is running active-passive across links to two different switches, there may be no physical
>> network node common to the currently active and currently passive paths for some traffic.  If SAVI
>> is set up poorly, a switch to the currently passive link could remove validation checks or black-
>> hole traffic that was flowing on the previously active link. For example, binding an IP address to a
>> single port or ports on a single switch is insufficient in such an environment (address validation
>> binding needs to span switches).
>>>
>>> The material in 5.2.4 on Multi-LAN Hosts looks like a starting point - wrt SAVI, active-passive
>> link aggregation across multiple switches can be a way to get into that sort of trouble on a single
>> LAN (!).  Beyond that, I think the notion that SAVI checks should be consistent across alternate
>> paths for the same traffic is applicable at other scopes, e.g., all egresses from a multi-homed
>> network to the ISP networks involved.
>>>
>>> Thanks,
>>> --David
>>>
>>>> -----Original Message-----
>>>> From: Joel M. Halpern [mailto:jmh@joelhalpern.com]
>>>> Sent: Friday, May 13, 2011 11:28 AM
>>>> To: Black, David
>>>> Cc: dmcpherson@verisign.com; fred@cisco.com; joel.halpern@ericsson.com; gen-art@ietf.org;
>>>> savi@ietf.org; christian.vogt@ericsson.com; jeanmichel.combes@gmail.com
>>>> Subject: Re: [savi] Gen-ART review of draft-ietf-savi-threat-scope-05
>>>>
>>>> Thank you David.
>>>> I think I understand the second part of your comment (about
>>>> multi-instance hosts), and will have to look at the document more to see
>>>> how to address that.
>>>>
>>>> I am not sure I understand what the question is regarding the LACP /
>>>> link group issue.  Is this really different from the issues that arise
>>>> whenever the SAVI functionality is not on the leaf switch?  Where in the
>>>> document do you think it would help to discuss this?
>>>>
>>>> Thank you,
>>>> Joel
>>>>
>>>> On 5/13/2011 1:03 AM, david.black@emc.com wrote:
>>>>> I am the assigned Gen-ART reviewer for this draft. For background on
>>>>> Gen-ART, please see the FAQ at
>>>>> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
>>>>>
>>>>> Please resolve these comments along with any other Last Call comments
>>>>> you may receive.
>>>>>
>>>>> Document: draft-ietf-savi-threat-scope-05
>>>>> Reviewer: David L. Black
>>>>> Review Date: 12 May 2011
>>>>> IETF LC End Date: 18 May 2011
>>>>>
>>>>> Summary: This draft is on the right track, but has open issues, described in the review.
>>>>>
>>>>> This draft discusses the threats and deployment environment for IP source
>>>>> address validation with particular attention to finer-grain validation that
>>>>> could be used within a network to validate IP addresses closer to the sources
>>>>> of network traffic than ingress to an ISP's network.
>>>>>
>>>>> Major issues:
>>>>>
>>>>> There is no discussion of link teaming or aggregation (e.g., via LACP); this
>>>>> may affect source address validation functionality by requiring the same
>>>>> validation checks on all aggregated ports.  An important case to discuss
>>>>> is where the aggregated host links are connected to ports on different switches
>>>>> (e.g., in an active/passive configuration).
>>>>>
>>>>> The discussion of multi-instance hosts in section 5.2.3 is incomplete
>>>>> in several important aspects:
>>>>>
>>>>> (1) Some of the software switch implementations are single instance switches
>>>>> whose implementation is distributed across multiple physical servers.  This
>>>>> results in concerns similar to the link aggregation discussion above.
>>>>>
>>>>> (2) Live migration of virtual machines among physical servers causes
>>>>> relocation of MAC addresses across switch ports.  A so-called "gratuitous ARP"
>>>>> is often used to inform the network of the MAC address move; port-based
>>>>> source address validation information needs to move in response to such ARPs.
>>>>>
>>>>> (3) MAC address relocation is also used as a failure recovery technique; the
>>>>> surviving hardware element (e.g., host in a cluster) takes over the MAC
>>>>> addresses of the failed hardware; like the previous case, a "gratuitous ARP"
>>>>> is a common means of informing the network that the MAC address has moved,
>>>>> and source address validation information needs to move in response to it.
>>>>>
>>>>> Minor issues:
>>>>>
>>>>> There doesn't seem to be much discussion of dynamic network reconfiguration,
>>>>> which may change traffic egress points.  VRRP may be a useful example to
>>>>> discuss beyond the typical routing protocol updates to forwarding tables.
>>>>>
>>>>> Nits/editorial comments:
>>>>>
>>>>> idnits 2.12.11 ran clean.
>>>>>
>>>>> Thanks,
>>>>> --David
>>>>> ----------------------------------------------------
>>>>> David L. Black, Distinguished Engineer
>>>>> EMC Corporation, 176 South St., Hopkinton, MA  01748
>>>>> +1 (508) 293-7953             FAX: +1 (508) 293-7786
>>>>> david.black@emc.com        Mobile: +1 (978) 394-7754
>>>>> ----------------------------------------------------
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> savi mailing list
>>>>> savi@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/savi
>>>>>
>>>
>>>
>
>

v2.23.0 | Report a Bug | By Email