Re: [secdir] SECDIR early review of draft-dunbar-armd-arp-nd-scaling-practices-07

Tina TSOU <Tina.Tsou.Zouting@huawei.com> Tue, 04 March 2014 07:41 UTC

Return-Path: <Tina.Tsou.Zouting@huawei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A7E31A03C3; Mon, 3 Mar 2014 23:41:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.747
X-Spam-Level:
X-Spam-Status: No, score=-4.747 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yYWuKmO9qggs; Mon, 3 Mar 2014 23:41:14 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) by ietfa.amsl.com (Postfix) with ESMTP id C38581A03AC; Mon, 3 Mar 2014 23:41:12 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml203-edg.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BEF08651; Tue, 04 Mar 2014 07:41:08 +0000 (GMT)
Received: from LHREML406-HUB.china.huawei.com (10.201.5.243) by lhreml203-edg.huawei.com (172.18.7.221) with Microsoft SMTP Server (TLS) id 14.3.158.1; Tue, 4 Mar 2014 07:40:37 +0000
Received: from SZXEML452-HUB.china.huawei.com (10.82.67.195) by lhreml406-hub.china.huawei.com (10.201.5.243) with Microsoft SMTP Server (TLS) id 14.3.158.1; Tue, 4 Mar 2014 07:41:03 +0000
Received: from szxeml557-mbs.china.huawei.com ([169.254.6.77]) by szxeml452-hub.china.huawei.com ([10.82.67.195]) with mapi id 14.03.0158.001; Tue, 4 Mar 2014 15:40:51 +0800
From: Tina TSOU <Tina.Tsou.Zouting@huawei.com>
To: Linda Dunbar <linda.dunbar@huawei.com>
Thread-Topic: SECDIR early review of draft-dunbar-armd-arp-nd-scaling-practices-07
Thread-Index: AQHPKfsc65F4O1ntVkqzN1q05nHFcJrAX++QgAAGE6CADsvlkP//o8EA
Date: Tue, 04 Mar 2014 07:40:51 +0000
Message-ID: <FFA8BFED-259D-4483-8EA5-124F65A403AB@huawei.com>
References: <4A95BA014132FF49AE685FAB4B9F17F645CBE303@dfweml701-chm.china.huawei.com>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F645CBE303@dfweml701-chm.china.huawei.com>
Accept-Language: en-US, zh-CN
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_FFA8BFED259D44838EA5124F65A403ABhuaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/Ea-ea6VErvk3FmS5-5O6ASSY5bg
Cc: "draft-dunbar-arms-arp-nd-scalling-practices.all@tools.ietf.org" <draft-dunbar-arms-arp-nd-scalling-practices.all@tools.ietf.org>, "Org Iesg@Ietf." <iesg@ietf.org>, "Org Secdir@Ietf." <secdir@ietf.org>
Subject: Re: [secdir] SECDIR early review of draft-dunbar-armd-arp-nd-scaling-practices-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Mar 2014 07:41:18 -0000

Dear Linda,

The changes are OK to me.

In addition, the subject draft provides a brief description of common data center network designs for context, examines the ARP/ND scaling issues that arise in these designs, and concludes that the key issue is processing load on the L2/L3 boundary routers. It then proceeds to describe some practices for reducing that load. The description employs a mixture of bases for its organization:

(a) network design approach
 -- layer 3 to access switches or VMs (sec. 4)
 -- layer 2 measures (sec. 5.1)
 -- static ARP/ND entries on switches (sec. 5.2)
 -- ARP/ND proxying (sec. 5.3)
 -- overlay models (sec. 6)

(b) individual cases (secs. 5.1.1, 5.1.2, 5.1.3)

(c) IPv4 ARP vs. IPv6 ND (interspersed in all sections mentioned above except sec. 6. In addition, sec. 5.4 discusses multicast issues and is thus specifically related to ND.)

Because of the differences between ARP and ND and resulting applicability of the different measures described in sections 4-6, the reviewer's recommendation would be to reorganize the text by pulling ARP-specific and ND-specific discussions into separate sections of their own referring back to the remaining text. In this way sec. 5.4 in particular would fit more neatly into the framework. More importantly, it would become clear that scalability of IPv6 ND needs more work.

It is interesting to note that improving the scalability of ND is a matter under active discussion in 6man and v6ops but partly from a different angle: coping with battery-limited devices that are not always awake. Informational references to the relevant drafts (draft-chakrabarti-nordmark-6man-efficient-nd-05, draft-yourtchenko-colitti-nd-reduce-multicast-00, and draft-vyncke-6man-mcast-not-efficient-01) may be useful to add.

The Security Considerations section is currently just a 'motherhood'statement. Specific points are raised in the body of the text, such as the relationship of the bidirectional nature of ND to the correct operation of SeND. Any such specific points should be reflected in the Security Considerations section too.

Nits
====

-- Section 5.1 section header: s/APR/ARP/

-- Section 7 first bullet last sentence:

OLD

" ...  to have comprehensive study in making those changes."

NEW

" ... to make those changes only after comprehensive study."

-- Section 7 second bullet: s/Create an/Create/

-- References need updating to most recent versions.


Thank you,
Tina


From: Linda Dunbar
Sent: Friday, February 21, 2014 5:32 PM
To: Tina TSOU; 'secdir@ietf.org<mailto:secdir@ietf.org>'; 'iesg@ietf.org<mailto:iesg@ietf.org>'; 'draft-dunbar-armd-arp-nd-scaling-practices@tools.ietf.org<mailto:draft-dunbar-armd-arp-nd-scaling-practices@tools.ietf.org>'
Subject: RE: SECDIR early review of draft-dunbar-armd-arp-nd-scaling-practices-07

Tina,

Please see the attached 08 version for the changes to address your comments. Please let me know if they are OK.

Thanks, Linda

From: Linda Dunbar
Sent: Friday, February 21, 2014 5:27 PM
To: Tina TSOU; secdir@ietf.org<mailto:secdir@ietf.org>; iesg@ietf.org<mailto:iesg@ietf.org>; draft-dunbar-armd-arp-nd-scaling-practices@tools.ietf.org<mailto:draft-dunbar-armd-arp-nd-scaling-practices@tools.ietf.org>
Subject: RE: SECDIR early review of draft-dunbar-armd-arp-nd-scaling-practices-07

Tina,

Thank you very much for the review.

Replies are inserted below

From: Tina TSOU [mailto:Tina.Tsou.Zouting@huawei.com]
Sent: Friday, February 14, 2014 9:08 PM
To: secdir@ietf.org<mailto:secdir@ietf.org>; iesg@ietf.org<mailto:iesg@ietf.org>; draft-dunbar-armd-arp-nd-scaling-practices@tools.ietf.org<mailto:draft-dunbar-armd-arp-nd-scaling-practices@tools.ietf.org>
Subject: SECDIR early review of draft-dunbar-armd-arp-nd-scaling-practices-07

Dear  all,
I have reviewed this document as part of the security directorate's ongoing effort to for early review of WG drafts.  These comments were written primarily for the benefit of the security area directors.  Document editors and working group chairs should treat these comments just like any other comments.

Section 1:
Please expand ToR upon first occurrence.
[Linda] ToR is already defined in the Terminology section. Is it still necessary to expand?

Section 2, page 3/4:
Could you please clarify the difference between "node" and "end station"? Are they synonyms?
[Linda] Node can be switches/routers. “end station” doesn’t route or forward traffic. Packets are terminated by “end station”.



Section 5.1.1:

Shouldn't it be possible to avoid ND load by proper setting of the ReachableTime variable? -- This wouldn't require any protocol changes.

[Linda] Do you mean changing the setting on GuestOS? The issue is that many Guest OSs are out of network’s control. If Network can control Guest OS’s behavior, many things can be easier.


Section 5.1.1:

Snooping ARP packets probably means increased load (a disadvantage you didn't mention).
[Linda] yes, it increase the load, but in a controlled way. So the routers can process them within its capacity. So, it is not really disadvantage.

Section 5.1.1:

When address resolution is needed to deliver a packet, some routers just drop the packet when they engage in ARP (see http://tools.ietf.org/html/rfc6274#section-4.2.3) The same is true for
IPv6 ND.

[Linda] correct. The behavior is described in the second paragraph of Section 5.1.2:
Solution: To protect a router from being overburdened by resolving target MAC addresses, one solution is for the router to limit the rate of resolving target MAC addresses for inbound traffic whose target is not in the router’s ARP/ND cache. When the rate is exceeded, the incoming traffic whose target is not in the ARP/ND cache is dropped.


Section 8:

While this document does not introduce new issues itself, it should at least mention how the same ARP/ND issues may be intentionally triggered by an attacker. For example, you may reference RFC 6583

[Linda] Sure. Will add in the new version.

* Nits

Section 4, page 4:
> There are no address
>    resolution issue in this design.

Replace "issue" with "issues"
[Linda] In the latest draft ( 07 version: https://datatracker.ietf.org/doc/draft-dunbar-armd-arp-nd-scaling-practices/) it is already changed:

There is no address resolution issue in this design.



Section 5.1.1, page 5:

"Ipv6" -> "IPv6"

[Linda ] In the latest draft (07 version), it is already changed.


Section 5.1.2:

Please expand UNA (possibly in the terminology section) -- you probably mean "Unsolicited..", but this should be explicit.
[Linda] in the latest draft (07 version), UNA is already listed under the Terminology section.

Thank you very much for the review and comments.

Linda

Thank you,
Tina

From: secdir [mailto:secdir-bounces@ietf.org] On Behalf Of Matthew Lepinski
Sent: Friday, February 14, 2014 2:52 AM
To: secdir@ietf.org<mailto:secdir@ietf.org>; iesg@ietf.org<mailto:iesg@ietf.org>; draft-housley-pkix-oids.all@tools.ietf.org<mailto:draft-housley-pkix-oids.all@tools.ietf.org>
Subject: [secdir] SECDIR review of draft-housley-pkix-oids

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and working group chairs should treat these comments just like any other last call comments.

This document returns control of the PKIX object identifier arc to IANA. That is, it establishes a new IANA registry for OIDs in the PKIX arc and populates that registry with the existing OID assignments. Finally, the document establishes expert review as the criteria for future additions to the registry and includes guidance that for review.

After reviewing the document, I agree with the author that this document introduces no new security concerns.

I found no issues in the document and I believe it is ready for publication.

-------------------------------

Nits

The author should consider including an expansion of the acronym SMI, which is used frequently in the document. (I believe in this context SMI = Structure of Management Information)

In Section 3:
s/be related to X.509 certificate/be related to X.509 certificates/

In Section 3.1:
s/to points to this document/to point to this document/



<draft-dunbar-armd-arp-nd-scaling-practices-08.docx>