IETF Logo Mail Archive

Re: [savi] Gen-ART review of draft-ietf-savi-threat-scope-05

<david.black@emc.com> Mon, 16 May 2011 01:46 UTC

Return-Path: <david.black@emc.com>
X-Original-To: savi@ietfa.amsl.com
Delivered-To: savi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECA74E06D6; Sun, 15 May 2011 18:46:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.499
X-Spam-Level:
X-Spam-Status: No, score=-106.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jTaGtaTDl2dC; Sun, 15 May 2011 18:46:46 -0700 (PDT)
Received: from mexforward.lss.emc.com (mexforward.lss.emc.com [128.222.32.20]) by ietfa.amsl.com (Postfix) with ESMTP id B9567E06B9; Sun, 15 May 2011 18:46:46 -0700 (PDT)
Received: from hop04-l1d11-si02.isus.emc.com (HOP04-L1D11-SI02.isus.emc.com [10.254.111.55]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id p4G1kewN000822 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 15 May 2011 21:46:40 -0400
Received: from mailhub.lss.emc.com (mailhubhoprd02.lss.emc.com [10.254.221.253]) by hop04-l1d11-si02.isus.emc.com (RSA Interceptor); Sun, 15 May 2011 21:46:21 -0400
Received: from mxhub06.corp.emc.com (mxhub06.corp.emc.com [128.221.46.114]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id p4G1j9pm019266; Sun, 15 May 2011 21:45:09 -0400
Received: from mx14a.corp.emc.com ([169.254.1.163]) by mxhub06.corp.emc.com ([128.221.46.114]) with mapi; Sun, 15 May 2011 21:45:09 -0400
From: david.black@emc.com
To: jmh@joelhalpern.com
Date: Sun, 15 May 2011 21:45:02 -0400
Thread-Topic: [savi] Gen-ART review of draft-ietf-savi-threat-scope-05
Thread-Index: AcwRg0p1jkZOw3YkSsSWu6YFhi6ycwANE1IQ
Message-ID: <7C4DFCE962635144B8FAE8CA11D0BF1E055F6937FA@MX14A.corp.emc.com>
References: <7C4DFCE962635144B8FAE8CA11D0BF1E055F69357F@MX14A.corp.emc.com> <4DCD4DEA.2050902@joelhalpern.com>
In-Reply-To: <4DCD4DEA.2050902@joelhalpern.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
Cc: dmcpherson@verisign.com, savi@ietf.org, gen-art@ietf.org, christian.vogt@ericsson.com, jeanmichel.combes@gmail.com, joel.halpern@ericsson.com, david.black@emc.com
Subject: Re: [savi] Gen-ART review of draft-ietf-savi-threat-scope-05
X-BeenThere: savi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mailing list for the SAVI working group at IETF <savi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/savi>, <mailto:savi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/savi>
List-Post: <mailto:savi@ietf.org>
List-Help: <mailto:savi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 May 2011 01:46:48 -0000

Joel,

If LACP is running active-passive across links to two different switches, there may be no physical network node common to the currently active and currently passive paths for some traffic.  If SAVI is set up poorly, a switch to the currently passive link could remove validation checks or black-hole traffic that was flowing on the previously active link. For example, binding an IP address to a single port or ports on a single switch is insufficient in such an environment (address validation binding needs to span switches).

The material in 5.2.4 on Multi-LAN Hosts looks like a starting point - wrt SAVI, active-passive link aggregation across multiple switches can be a way to get into that sort of trouble on a single LAN (!).  Beyond that, I think the notion that SAVI checks should be consistent across alternate paths for the same traffic is applicable at other scopes, e.g., all egresses from a multi-homed network to the ISP networks involved.

Thanks,
--David

> -----Original Message-----
> From: Joel M. Halpern [mailto:jmh@joelhalpern.com]
> Sent: Friday, May 13, 2011 11:28 AM
> To: Black, David
> Cc: dmcpherson@verisign.com; fred@cisco.com; joel.halpern@ericsson.com; gen-art@ietf.org;
> savi@ietf.org; christian.vogt@ericsson.com; jeanmichel.combes@gmail.com
> Subject: Re: [savi] Gen-ART review of draft-ietf-savi-threat-scope-05
> 
> Thank you David.
> I think I understand the second part of your comment (about
> multi-instance hosts), and will have to look at the document more to see
> how to address that.
> 
> I am not sure I understand what the question is regarding the LACP /
> link group issue.  Is this really different from the issues that arise
> whenever the SAVI functionality is not on the leaf switch?  Where in the
> document do you think it would help to discuss this?
> 
> Thank you,
> Joel
> 
> On 5/13/2011 1:03 AM, david.black@emc.com wrote:
> > I am the assigned Gen-ART reviewer for this draft. For background on
> > Gen-ART, please see the FAQ at
> > <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
> >
> > Please resolve these comments along with any other Last Call comments
> > you may receive.
> >
> > Document: draft-ietf-savi-threat-scope-05
> > Reviewer: David L. Black
> > Review Date: 12 May 2011
> > IETF LC End Date: 18 May 2011
> >
> > Summary: This draft is on the right track, but has open issues, described in the review.
> >
> > This draft discusses the threats and deployment environment for IP source
> > address validation with particular attention to finer-grain validation that
> > could be used within a network to validate IP addresses closer to the sources
> > of network traffic than ingress to an ISP's network.
> >
> > Major issues:
> >
> > There is no discussion of link teaming or aggregation (e.g., via LACP); this
> > may affect source address validation functionality by requiring the same
> > validation checks on all aggregated ports.  An important case to discuss
> > is where the aggregated host links are connected to ports on different switches
> > (e.g., in an active/passive configuration).
> >
> > The discussion of multi-instance hosts in section 5.2.3 is incomplete
> > in several important aspects:
> >
> > (1) Some of the software switch implementations are single instance switches
> > whose implementation is distributed across multiple physical servers.  This
> > results in concerns similar to the link aggregation discussion above.
> >
> > (2) Live migration of virtual machines among physical servers causes
> > relocation of MAC addresses across switch ports.  A so-called "gratuitous ARP"
> > is often used to inform the network of the MAC address move; port-based
> > source address validation information needs to move in response to such ARPs.
> >
> > (3) MAC address relocation is also used as a failure recovery technique; the
> > surviving hardware element (e.g., host in a cluster) takes over the MAC
> > addresses of the failed hardware; like the previous case, a "gratuitous ARP"
> > is a common means of informing the network that the MAC address has moved,
> > and source address validation information needs to move in response to it.
> >
> > Minor issues:
> >
> > There doesn't seem to be much discussion of dynamic network reconfiguration,
> > which may change traffic egress points.  VRRP may be a useful example to
> > discuss beyond the typical routing protocol updates to forwarding tables.
> >
> > Nits/editorial comments:
> >
> > idnits 2.12.11 ran clean.
> >
> > Thanks,
> > --David
> > ----------------------------------------------------
> > David L. Black, Distinguished Engineer
> > EMC Corporation, 176 South St., Hopkinton, MA  01748
> > +1 (508) 293-7953             FAX: +1 (508) 293-7786
> > david.black@emc.com        Mobile: +1 (978) 394-7754
> > ----------------------------------------------------
> >
> >
> > _______________________________________________
> > savi mailing list
> > savi@ietf.org
> > https://www.ietf.org/mailman/listinfo/savi
> >

v2.23.0 | Report a Bug | By Email