Re: [secdir] SecDir review of draft-ietf-l2vpn-evpn-req-05

"Ali Sajassi (sajassi)" <sajassi@cisco.com> Wed, 11 December 2013 00:54 UTC

From: "Ali Sajassi (sajassi)" <sajassi@cisco.com>
To: Tina TSOU <Tina.Tsou.Zouting@huawei.com>, "Org Iesg@Ietf." <iesg@ietf.org>, "Org Secdir@Ietf." <secdir@ietf.org>, "draft-ietf-l2vpn-evpn-req.all@tools.ietf.org" <draft-ietf-l2vpn-evpn-req.all@tools.ietf.org>
Thread-Topic: SecDir review of draft-ietf-l2vpn-evpn-req-05
Date: Wed, 11 Dec 2013 00:54:11 +0000
Message-ID: <CECCE85A.AC339%sajassi@cisco.com>
In-Reply-To: <36B74C19-0B78-40BC-8B7E-A161AD644DB3@huawei.com>

Hi Tina,

Thanks for your review. I have incorporated all your comments. Please
refer inline for details on resolutions ...

On 11/27/13 6:32 PM, "Tina TSOU" <Tina.Tsou.Zouting@huawei.com> wrote:

>Dear all,
>I have reviewed this document as part of the security directorate's
>ongoing effort to review all IETF documents being processed by the IESG.
>These comments were written primarily for the benefit of the security
>area directors. Document editors and WG chairs should treat these
>comments just like any other last call comments.
>
>This document specifies the requirements for an Ethernet VPN (EVPN)
>solution, to address the issues mentioned in this draft.
>
>Some comments are below.
>
>1. In Section 4.2, it says:
> "The solution MUST also be able to leverage
> work in the MPLS WG that is in progress to improve the load balancing
> capabilities of the network based on entropy labels [RFC6790]."
>
> Since this work is already published as an RFC, the sentence should be
>rewritten as:
> "The solution MUST also be able to leverage the MPLS load balancing
> capabilities based on entropy labels [RFC6790]."

Agreed.

> 
>
>2. In Section 4.2, it says:
> "For example consider a scenario in which CE1 is multi-homed to PE1
> and PE2, and CE2 is multi-homed to PE3 and PE4 running in all-active
> mode. Furthermore, consider that there exist three ECMPs between any
> of the CE1's and CE2's multi-homed PEs. Traffic from CE1 to CE2 can
> be forwarded on twelve different paths over MPLS/IP core as follow:
> CE1 load balances traffic to both PE1 and PE2. Each of the PE1 and
> PE2 have three ECMPs to PE3 and PE4 for the total of twelve paths.
> Finally, when traffic arrives at PE3 and PE4, it gets forwarded to
> CE2 over the Ethernet channel (aka link bundle)."
>
> It seems "ECMP", "ECMP path" and "path" are messed up in this paragraph.
>To make it straight, the following is suggested:
> "For example consider a scenario in which CE1 is multi-homed to PE1
> and PE2, and CE2 is multi-homed to PE3 and PE4 running in all-active
> mode. Furthermore, consider that there exist three ECMP paths between any
> of the CE1's and CE2's multi-homed PEs. Traffic from CE1 to CE2 can
> be forwarded on twelve different paths over MPLS/IP core as follow:
> CE1 load balances traffic to both PE1 and PE2. Each of the PE1 and
> PE2 have three paths to PE3 and PE4 for the total of twelve paths.
> Finally, when traffic arrives at PE3 and PE4, it gets forwarded to
> CE2 over the Ethernet channel (aka link bundle)."

Agreed.

> 
>
>3. In Section 12 "Security Considerations", it says:
> "...The requirement is to introduce no
> new vulnerabilities beyond those of [RFC4761] and [RFC4762] when MAC
> learning is performed in data-plane and beyond that of [RFC4364] when
> MAC learning is performed in control plane."
>
>Though BGP is used similarly in E-VPN, some new vulnerabilities will
>inevitably be introduced, such as MAC forgery in BGP, and how to protect
>against individual MACs may pose a challenge.
>
>4. Section 12 "Security Considerations"
>It is very brief. It does not mention when using multi-homing.


I have updated Section 12 as follows:

Any protocol extensions developed for the EVPN solution shall include the
appropriate security analysis. Besides the security requirements covered
in [RFC4761] and [RFC4762] when MAC learning is performed in data-plane
and in [RFC4364] when MAC learning is performed in control plane, the
following additional requirements need to be covered.

(R13) A solution MUST be capable of detecting and properly handling a
situation where the same MAC address appears behind two different Ethernet
Segments (whether inadvertently or intentionally).

(R14) A solution MUST be capable of associating a MAC address to a
specific Ethernet Segment such that MAC mobility for such MAC addresses
is disallowed.
Regards,
Ali 

>
>Thank you,
>Tina
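As an added illustration (not part of the draft or of this thread), a small Python model of the two requirements Ali added to Section 12: a MAC table that flags a MAC appearing behind two different Ethernet Segments (R13) and rejects advertisements that would move a MAC pinned to one segment (R14). The ESI names, MAC addresses, PE names and the sequence-number tie-break are constructed assumptions, not values from the draft.

```python
from dataclasses import dataclass, field
# Constructed model, not from the draft or this thread: an EVPN-style MAC table
# that checks the two requirements Ali added to Section 12 (R13 and R14).

@dataclass(frozen=True)
class MacAdvert:
    mac: str
    esi: str       # Ethernet Segment the MAC was learned behind
    pe: str        # advertising PE
    seq: int = 0   # simplified mobility sequence number (assumption)

@dataclass
class MacTable:
    sticky: dict = field(default_factory=dict)   # mac -> ESI it is pinned to (R14)
    entries: dict = field(default_factory=dict)  # mac -> currently accepted advert
    alerts: list = field(default_factory=list)   # (kind, mac, old_esi, new_esi, pe)

    def pin(self, mac, esi):
        """Associate a MAC with one Ethernet Segment so it may not move (R14)."""
        self.sticky[mac] = esi

    def process(self, adv):
        """Apply one advertisement; return True if it is accepted into the table."""
        pinned = self.sticky.get(adv.mac)
        if pinned is not None and adv.esi != pinned:
            # R14: a pinned MAC advertised from another segment is rejected.
            self.alerts.append(("sticky-violation", adv.mac, pinned, adv.esi, adv.pe))
            return False
        cur = self.entries.get(adv.mac)
        if cur is not None and cur.esi != adv.esi:
            # R13: the same MAC now appears behind two different Ethernet Segments.
            self.alerts.append(("duplicate-mac", adv.mac, cur.esi, adv.esi, adv.pe))
            if adv.seq <= cur.seq:
                return False  # no evidence of a genuine move: keep the old binding
        self.entries[adv.mac] = adv
        return True

def run_sample():
    """Constructed advertisement stream exercising both requirements."""
    t = MacTable()
    t.pin("00:aa:bb:cc:dd:01", "ESI-1")   # e.g. a gateway MAC that must never move
    stream = [
        MacAdvert("00:aa:bb:cc:dd:01", "ESI-1", "PE1"),
        MacAdvert("00:aa:bb:cc:dd:01", "ESI-2", "PE3"),          # R14 violation
        MacAdvert("00:aa:bb:cc:dd:02", "ESI-1", "PE2", seq=0),
        MacAdvert("00:aa:bb:cc:dd:02", "ESI-2", "PE4", seq=0),   # R13: same seq, rejected
        MacAdvert("00:aa:bb:cc:dd:02", "ESI-2", "PE4", seq=1),   # R13: higher seq, accepted move
    ]
    accepted = [t.process(a) for a in stream]
    return t, accepted
```

The alerts list is what an operator would want to see raised regardless of whether the advertisement is accepted, since R13 asks for detection and handling, not silent suppression.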