[savi] Gen-ART review of draft-ietf-savi-threat-scope-05
<david.black@emc.com> Fri, 13 May 2011 05:08 UTC
Return-Path: <david.black@emc.com>
X-Original-To: savi@ietfa.amsl.com
Delivered-To: savi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 962D7E0681; Thu, 12 May 2011 22:08:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X0aspSjcT--Y; Thu, 12 May 2011 22:08:09 -0700 (PDT)
Received: from mexforward.lss.emc.com (mexforward.lss.emc.com [128.222.32.20]) by ietfa.amsl.com (Postfix) with ESMTP id 8A985E065D; Thu, 12 May 2011 22:08:09 -0700 (PDT)
Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id p4D582dm011063 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 13 May 2011 01:08:03 -0400
Received: from mailhub.lss.emc.com (mailhubhoprd04.lss.emc.com [10.254.222.226]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor); Fri, 13 May 2011 01:07:49 -0400
Received: from mxhub06.corp.emc.com (mxhub06.corp.emc.com [128.221.46.114]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id p4D55NGf026945; Fri, 13 May 2011 01:05:24 -0400
Received: from mx14a.corp.emc.com ([169.254.1.163]) by mxhub06.corp.emc.com ([128.221.46.114]) with mapi; Fri, 13 May 2011 01:05:23 -0400
From: david.black@emc.com
To: dmcpherson@verisign.com, fred@cisco.com, joel.halpern@ericsson.com, gen-art@ietf.org
Date: Fri, 13 May 2011 01:03:18 -0400
Thread-Topic: Gen-ART review of draft-ietf-savi-threat-scope-05
Thread-Index: AcwRKxLMGPOwf18pRUizv8st+VLKCw==
Message-ID: <7C4DFCE962635144B8FAE8CA11D0BF1E055F69357F@MX14A.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
X-Mailman-Approved-At: Fri, 13 May 2011 08:21:06 -0700
Cc: savi@ietf.org, david.black@emc.com, christian.vogt@ericsson.com, jeanmichel.combes@gmail.com
Subject: [savi] Gen-ART review of draft-ietf-savi-threat-scope-05
X-BeenThere: savi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mailing list for the SAVI working group at IETF <savi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/savi>, <mailto:savi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/savi>
List-Post: <mailto:savi@ietf.org>
List-Help: <mailto:savi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 May 2011 05:08:10 -0000
I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, please see the FAQ at <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. Please resolve these comments along with any other Last Call comments you may receive. Document: draft-ietf-savi-threat-scope-05 Reviewer: David L. Black Review Date: 12 May 2011 IETF LC End Date: 18 May 2011 Summary: This draft is on the right track, but has open issues, described in the review. This draft discusses the threats and deployment environment for IP source address validation with particular attention to finer-grain validation that could be used within a network to validate IP addresses closer to the sources of network traffic than ingress to an ISP's network. Major issues: There is no discussion of link teaming or aggregation (e.g., via LACP); this may affect source address validation functionality by requiring the same validation checks on all aggregated ports. An important case to discuss is where the aggregated host links are connected to ports on different switches (e.g., in an active/passive configuration). The discussion of multi-instance hosts in section 5.2.3 is incomplete in several important aspects: (1) Some of the software switch implementations are single instance switches whose implementation is distributed across multiple physical servers. This results in concerns similar to the link aggregation discussion above. (2) Live migration of virtual machines among physical servers causes relocation of MAC addresses across switch ports. A so-called "gratuitous ARP" is often used to inform the network of the MAC address move; port-based source address validation information needs to move in response to such ARPs. (3) MAC address relocation is also used as a failure recovery technique; the surviving hardware element (e.g., host in a cluster) takes over the MAC addresses of the failed hardware; like the previous case, a "gratuitous ARP" is a common means of informing the network that the MAC address has moved, and source address validation information needs to move in response to it. Minor issues: There doesn't seem to be much discussion of dynamic network reconfiguration, which may change traffic egress points. VRRP may be a useful example to discuss beyond the typical routing protocol updates to forwarding tables. Nits/editorial comments: idnits 2.12.11 ran clean. Thanks, --David ---------------------------------------------------- David L. Black, Distinguished Engineer EMC Corporation, 176 South St., Hopkinton, MA 01748 +1 (508) 293-7953 FAX: +1 (508) 293-7786 david.black@emc.com Mobile: +1 (978) 394-7754 ----------------------------------------------------
- [savi] Gen-ART review of draft-ietf-savi-threat-s… david.black
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… Joel M. Halpern
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… david.black
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… Joel M. Halpern
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… david.black
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… Joel M. Halpern
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… Jari Arkko
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… Joel Halpern
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… Joel Halpern
- [savi] Gen-ART review of draft-ietf-savi-threat-s… Black, David
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… Black, David
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… Ted Lemon
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… Black, David
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… Joel Halpern
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… Joel M. Halpern
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… Black, David
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… Ted Lemon
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… Joel Halpern
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… Joel M. Halpern
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… Black, David
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… Joel Halpern Direct
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… Black, David
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… Russ Housley
- Re: [savi] Gen-ART review of draft-ietf-savi-thre… Ted Lemon