Re: [secdir] SECDIR review of draft-ietf- bess-evpn-usage-07

Stephen Kent <stkent@verizon.net> Fri, 09 February 2018 10:57 UTC

To: "Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com>, Alvaro Retana <aretana.ietf@gmail.com>, "Henderickx, Wim (Nokia - BE/Antwerp)" <wim.henderickx@nokia.com>, "sajassi@cisco.com" <sajassi@cisco.com>, "uttaro@att.com" <uttaro@att.com>, "stephane.litkowski@orange.com" <stephane.litkowski@orange.com>, "Vigoureux, Martin (Nokia - FR/Paris-Saclay)" <martin.vigoureux@nokia.com>, "secdir@ietf.org" <secdir@ietf.org>, "Palislamovic, Senad (Nokia - US)" <senad.palislamovic@nokia.com>
References: <e507416e-202b-defb-b8e9-cd3cb75c877a@verizon.net> <CAMMESsyfe=NL-HwMES5yCUgDhSzkdrN6cpycV3WjNKEJscPo3w@mail.gmail.com> <18631468-67d6-e3ca-0bef-92cdcb3ccd66@verizon.net> <9D77D57C-E135-479E-8328-69470CC4FF31@nokia.com> <e9be0bd4-4c82-75ec-ec3c-7b8677c93fd8@verizon.net> <AA54F427-E09D-4E49-BE03-051EDAF5EEC7@nokia.com>
From: Stephen Kent <stkent@verizon.net>
Message-ID: <8e511c57-4af2-8dbb-9c54-72fdee74b9c3@verizon.net>
Date: Fri, 09 Feb 2018 05:56:52 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/4jLFuPYdA2jRQwyn61xZMRf-Iek>
Subject: Re: [secdir] SECDIR review of draft-ietf- bess-evpn-usage-07

Jorge,

> [JORGE] hmm... how about this instead:
>
> “The standards produced by the SIDR WG, which address secure route 
> origin authentication (e.g., RFCs 6480-93) and route advertisement 
> security (e.g., RFCs 8205-11) do not apply to the EVPN family, hence 
> they are not relevant to [RFC7432] or this document.”
>
> The reason is because EVPN conveys Ethernet address space but also 
> some other information.
>
First, I'm not sure if the sentence immediately above is intended to be 
part of the text, or if it is a comment to me. I'm assuming the 
latter, in which case I think more info would help the reader to 
understand why those RFCs are not applicable. Saying that the RFCs "do 
not apply to the EVPN family" does not seem clear enough, although I 
agree that noting RFC 7432 is a good idea. How about:

“The standards produced by the SIDR WG address secure route origin 
authentication (e.g., RFCs 6480-93) and route advertisement security 
(e.g., RFCs 8205-11). They protect the integrity and authenticity of IP 
address advertisements and ASN/IP prefix bindings. This document, and 
[RFC7432], use BGP to convey other info, e.g., MAC addresses, and thus 
the protections offered by the SIDR WG RFCs are not applicable in this 
context.”

Steve