Re: [secdir] Review of draft-ietf-bfd-vxlan-07
Greg Mirsky <gregimirsky@gmail.com> Tue, 04 June 2019 20:40 UTC
Return-Path: <gregimirsky@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C016D120614; Tue, 4 Jun 2019 13:40:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5YakCdyVKpD4; Tue, 4 Jun 2019 13:40:47 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F6B4120634; Tue, 4 Jun 2019 13:40:47 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id t28so9911233lje.9; Tue, 04 Jun 2019 13:40:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AYKgyIj9n1oAu/l0Hi6yXJGV0fClHcyso9ZiKqRFZiE=; b=RL7Rq4NHIpQlrT2a7gN3pDHl9usYvA8zA/4hFCxbgeY/l+RSAWNbkVPCGN3pC+2GfQ bdarTYYOyNyDViiCYfnkmztu5vLXMRSuIw8a9pWSiq0EXWwdieavLJ4Gb9GBxoGE2AY9 hp5A7JAlkD4IznNrFADpI9SPO6riQHrNPI4vbbG4sMWPomyL/XVLgwhJ5mFyTEiIBbmX aac+PFOVJd1Lw+i7qM7egAYkx0fNL1GqiCoXWIUKR6arYxNaJhQKWE05Y+x2yKnsFEbU TJwXJWp8b+jZsOHrROWs5wkHBijETW5ycGSyf1m4m+utlwvRkxP6X5q2P/OyXfDDPvyt iSxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AYKgyIj9n1oAu/l0Hi6yXJGV0fClHcyso9ZiKqRFZiE=; b=nKUQzmGyLuS5U33xt/yAW8+nVEWE0Rsqw0GaGgwos0NIuP94TqkcY4mevUQ2EXV+B6 ng7Ybc4UpFPbUr8H6QiIuDZninkHE6zrX0OtLcGkpGton1hOb5bV1MQ4kXNwJHdBgKgl 1bsfzOjvTRQCiX8HWlzDSobXuYNM6JvgLHiZo6opdW2+5NWhreU/Wv/2V5u6Bozyk1hF 8HVW8JL3rhsgElmfkdU9smXr42gVHf73t5MuaJV841KqY4HHOOoII025NLjabYncxZAG F7PfrQXHp6CsekFGc1Tn+TEdz6uZLZXCeXSq8QDBwobG6D4dth/H1RaegGo+TPJII35m GZRA==
X-Gm-Message-State: APjAAAVqZD0vCyM9P4VknHxRSjLQHicLyNWkko+MLp8t9Dhekw4EFzRL BwzS9xIU3YByQq3YxncaIJ0vXh1iBl3FOgxvrd8999fO
X-Google-Smtp-Source: APXvYqwJFl0CUzspEOeR7Q7f3xa5iZ4VU/jkJThasfc5LVHbzkMgnn1Z6r/0GT5k2D+7vsXXeD15G1HoqtSmrN4xMII=
X-Received: by 2002:a2e:56dd:: with SMTP id k90mr5496186lje.204.1559680845333; Tue, 04 Jun 2019 13:40:45 -0700 (PDT)
MIME-Version: 1.0
References: <CAChzXmbSUko=KsWbAxTNvWAZjLig=hxhj3yAt-keh-hbbg8w8w@mail.gmail.com>
In-Reply-To: <CAChzXmbSUko=KsWbAxTNvWAZjLig=hxhj3yAt-keh-hbbg8w8w@mail.gmail.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Tue, 04 Jun 2019 13:40:33 -0700
Message-ID: <CA+RyBmVtPGS3O7K3jzXkjXq91OMHSf_LKGBREqDJZzoAMjZ8pg@mail.gmail.com>
To: Shawn Emery <shawn.emery@gmail.com>
Cc: secdir@ietf.org, draft-ietf-bfd-vxlan.all@ietf.org, Shawn Emery <semery@uccs.edu>
Content-Type: multipart/alternative; boundary="000000000000bfc74c058a857ea1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/2uRDc1sCbsU7KnH4SVleF-EOQeM>
Subject: Re: [secdir] Review of draft-ietf-bfd-vxlan-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jun 2019 20:41:00 -0000
Hi Shawn, thank you for the review, clear, directed questions, and helpful suggestions. Please find answers, notes in-lined and tagged GIM>>. Regards, Greg On Fri, May 24, 2019 at 10:45 PM Shawn Emery <shawn.emery@gmail.com> wrote: > Reviewer: Shawn M. Emery > Review result: Ready with issues > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the IESG. > These comments were written primarily for the benefit of the security > area directors. Document editors and WG chairs should treat these > comments just like any other last call comments. > > This draft specifies usage of the Bidirectional Forwarding Detection > (BFD) protocol on > Virtual eXtensible Local Area Network (VXLAN) tunnels. > > The security considerations section does exist and discusses the > introduction of a possible > DDoS attack due to the requirement of the protocol to set the IP TTL to > one hop. The prescription > outlined is to throttle this traffic. The section continues that BFD > sessions should also have an > upper limit, but does not give guidance on what is considered reasonable > to where it would affect > normal traffic vs. some form of DoS. > GIM>> The precise number would depend on many factors and thus we only recommend to have a knob to control the number of BFD sessions between a pair of VTEPs. Would the updated recommendation on the control of the number of concurrent sessions between a pair of VTEP as below address your concern: OLD TEXT: The implementation SHOULD have a reasonable upper bound on the number of BFD sessions that can be created between the same pair of VTEPs. NEW TEXT: If the implementation supports establishing multiple BFD sessions between the same pair of VTEPs, there SHOULD be a mechanism to control the maximum number of such session that can be active at the same time. > I believe that this section should also document the security > impact of deploying BFD on VXLANs for monitoring tunnel traffic. Which > additional information, > if any, can now be obtained with BFD usage? > GIM>> As stated in RFC 5880, BFD is designed to detect failures in the path between two BFD systems. BFD detects the loss of path continuity between forwarding engines used by BFD peers that participate in the given BFD session. As it is defined now, BFD is not used to monitor the tunnel traffic for possible performance degradation > > General comments: > > This standards track draft makes a normative reference to the base RFC, > 7348, which is informational. > Are there plans of making the base protocol a standards track > specification? Downward references > will need to be justified. > GIM>> As I understand, it is common practice to introduce to IETF process a de-facto standard as Informational track document and reference it as the normative document in a specification on the standard track. The flagged downref requires manual correction. > > Editorial comments: > > NVE is never expanded and not on the RFC Editors Abbreviation List. > GIM>> Thank you. Will expand as Network Virtualization Endpoint. > > Echo BFD is out of scope for the document, but does not describe the > reason for this or why state > this at all? > GIM>> I think that the main reason is that the BFD Echo mode is underspecified. RFC 5880 defined some of the mechanisms related to the Echo mode, but more standardization work may be required. > > Shawn. > -- >
- [secdir] Review of draft-ietf-bfd-vxlan-07 Shawn Emery
- Re: [secdir] Review of draft-ietf-bfd-vxlan-07 Greg Mirsky
- Re: [secdir] Review of draft-ietf-bfd-vxlan-07 Jeffrey Haas
- Re: [secdir] Review of draft-ietf-bfd-vxlan-07 Shawn Emery
- Re: [secdir] Review of draft-ietf-bfd-vxlan-07 Jeffrey Haas