[secdir] Review of draft-ietf-bfd-vxlan-07

Shawn Emery <shawn.emery@gmail.com> Sat, 25 May 2019 05:45 UTC

From: Shawn Emery <shawn.emery@gmail.com>
Date: Fri, 24 May 2019 23:45:10 -0600
Message-ID: <CAChzXmbSUko=KsWbAxTNvWAZjLig=hxhj3yAt-keh-hbbg8w8w@mail.gmail.com>
To: secdir@ietf.org, draft-ietf-bfd-vxlan.all@ietf.org
Cc: Shawn Emery <semery@uccs.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/B3HQM1b66p_WtB0zUk57vVCAygc>

Reviewer: Shawn M. Emery
Review result: Ready with issues

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This draft specifies usage of the Bidirectional Forwarding Detection (BFD)
protocol on Virtual eXtensible Local Area Network (VXLAN) tunnels.

The security considerations section does exist and discusses the
introduction of a possible DDoS attack due to the requirement of the
protocol to set the IP TTL to one hop.  The prescription outlined is to
throttle this traffic.  The section continues that BFD sessions should
also have an upper limit, but does not give guidance on what is considered
reasonable, where it would affect normal traffic vs. some form of DoS.  I
believe that this section should also document the security impact of
deploying BFD on VXLANs for monitoring tunnel traffic.  What additional
information, if any, can now be obtained with BFD usage?

General comments:

This standards track draft makes a normative reference to the base RFC,
7348, which is informational.  Are there plans of making the base protocol
a standards track specification?  Downward references will need to be
justified.

Editorial comments:

NVE is never expanded and is not on the RFC Editor's Abbreviation List.
Echo BFD is out of scope for the document, but the document does not
describe the reason for this, or why it states this at all.

Shawn.
--
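The throttling and session cap that the review discusses, shown as an added example that is not part of the review, the draft, or any VTEP implementation. A VTEP that terminates VXLAN and runs BFD over it has to decide, per received packet, whether the inner frame is an acceptable BFD control packet and whether to spend CPU on it. The code below parses the VXLAN header and the inner Ethernet/IPv4/UDP/BFD headers, enforces the inner TTL of one as the review describes the draft requiring it, applies a per-VNI token bucket, and caps the number of distinct sessions per VNI. The session key (inner source IP, My Discriminator), the rate and session thresholds, the parse-before-throttle ordering and the `build_vxlan_bfd` test-packet builder are all illustrative assumptions, and the packets are constructed here, not captured.

```python
import socket
import struct
from collections import defaultdict

VXLAN_I_FLAG = 0x08
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
BFD_CTRL_PORT = 3784   # single-hop BFD control port (RFC 5881)
BFD_CTRL_MIN_LEN = 24  # BFD control packet without authentication section


def parse_vxlan_bfd(payload):
    """Parse VXLAN header + inner Ethernet/IPv4/UDP/BFD control packet.

    `payload` starts at the VXLAN header (outer IP/UDP already stripped).
    Returns the fields admission control needs, or raises ValueError with
    the reason the packet is not an acceptable BFD-over-VXLAN packet.
    """
    if len(payload) < 8 + 14 + 20 + 8 + BFD_CTRL_MIN_LEN:
        raise ValueError("packet too short for VXLAN+Ethernet+IPv4+UDP+BFD")
    if not payload[0] & VXLAN_I_FLAG:
        raise ValueError("VXLAN I flag not set, VNI invalid")
    vni = int.from_bytes(payload[4:7], "big")          # 24-bit VNI
    if struct.unpack("!H", payload[20:22])[0] != ETHERTYPE_IPV4:
        raise ValueError("inner frame is not IPv4")
    ip = payload[22:]
    if ip[0] >> 4 != 4:
        raise ValueError("inner IP version is not 4")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl + 8:
        raise ValueError("bad inner IPv4 header length")
    ttl, proto = ip[8], ip[9]
    if proto != IPPROTO_UDP:
        raise ValueError("inner protocol is not UDP")
    if ttl != 1:  # the review describes the draft as requiring a one-hop TTL
        raise ValueError("inner TTL must be 1")
    _, dport, _, _ = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    if dport != BFD_CTRL_PORT:
        raise ValueError("UDP dst port is not the BFD control port")
    bfd = ip[ihl + 8:]
    if len(bfd) < BFD_CTRL_MIN_LEN or bfd[0] >> 5 != 1:
        raise ValueError("truncated or non-version-1 BFD control packet")
    if not BFD_CTRL_MIN_LEN <= bfd[3] <= len(bfd):
        raise ValueError("BFD length field inconsistent with payload")
    my_disc, your_disc = struct.unpack("!II", bfd[4:12])
    return {"vni": vni, "src": socket.inet_ntoa(ip[12:16]), "ttl": ttl,
            "my_disc": my_disc, "your_disc": your_disc}


class TokenBucket:
    """Token bucket: `rate` tokens per second, at most `burst` banked."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, now

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class BfdVxlanAdmission:
    """Per-VNI throttle plus per-VNI cap on distinct BFD sessions (assumed policy)."""

    def __init__(self, pps_per_vni=50, burst=10, max_sessions_per_vni=16):
        self.pps, self.burst, self.max_sessions = pps_per_vni, burst, max_sessions_per_vni
        self.buckets = {}                    # vni -> TokenBucket
        self.sessions = defaultdict(set)     # vni -> {(src_ip, my_disc), ...}

    def admit(self, payload, now):
        """Return ("accept", session_key) or ("drop", reason)."""
        try:
            pkt = parse_vxlan_bfd(payload)
        except ValueError as exc:
            return ("drop", str(exc))
        vni = pkt["vni"]
        bucket = self.buckets.get(vni)
        if bucket is None:
            bucket = self.buckets[vni] = TokenBucket(self.pps, self.burst, now)
        if not bucket.allow(now):            # cheap check first: throttle before session bookkeeping
            return ("drop", f"rate limit exceeded for VNI {vni}")
        key = (pkt["src"], pkt["my_disc"])   # assumed session identity for the cap
        known = self.sessions[vni]
        if key not in known:
            if len(known) >= self.max_sessions:
                return ("drop", f"session limit reached for VNI {vni}")
            known.add(key)
        return ("accept", key)


def build_vxlan_bfd(vni, src_ip, my_disc, ttl=1, dport=BFD_CTRL_PORT):
    """Constructed test packet (not a capture): VXLAN + Ethernet + IPv4 + UDP + BFD."""
    bfd = struct.pack("!BBBBIIIII",
                      1 << 5,                     # version 1, diag 0
                      1 << 6,                     # state Down, no flags
                      3, BFD_CTRL_MIN_LEN,        # detect mult, length
                      my_disc, 0,                 # my / your discriminator
                      1_000_000, 1_000_000, 0)    # tx, rx, echo-rx intervals (us)
    udp = struct.pack("!HHHH", 49152, dport, 8 + len(bfd), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bfd), 0, 0x4000,
                     ttl, IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton("10.0.0.1"))
    eth = bytes.fromhex("00005e00aa01") + bytes.fromhex("00005e00aa02") + struct.pack("!H", ETHERTYPE_IPV4)
    vxlan = bytes([VXLAN_I_FLAG, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    return vxlan + eth + ip + udp + bfd
```

The parse rejects (wrong inner TTL, wrong port, truncated BFD) cost nothing against the bucket, so a flood of malformed packets does not starve a legitimate session on the same VNI; a flood of well-formed packets does, which is exactly the trade-off the review asks the draft to give guidance on when choosing the rate and session thresholds.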