Re: [secdir] Secdir last call review of draft-ietf-bess-evpn-na-flags-05

"Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com> Wed, 09 September 2020 06:28 UTC


Hi Mališa,

Thank you for your review.
The effect of receiving the wrong O or R flags will mean the receiving host will trigger the wrong RFC4861 procedures. I added this text; hopefully it is sufficient:


   For example, as specified in [RFC4861], the receiver of an NA message with
   O not set will not update its existing cache entry for the IP->MAC,
   hence the communication between the owner of the IP address and the
   receiver of the NA message with the wrong O flag will fail.
   Similarly, the receiver of an NA message with the wrong R flag may
   update its Default Router List incorrectly, adding or removing an
   entry.

Let me know if you have further comments.
Thanks.
Jorge


From: Mališa Vučinić via Datatracker <noreply@ietf.org>
Date: Tuesday, September 1, 2020 at 12:59 PM
To: secdir@ietf.org <secdir@ietf.org>
Cc: bess@ietf.org <bess@ietf.org>, last-call@ietf.org <last-call@ietf.org>, draft-ietf-bess-evpn-na-flags.all@ietf.org <draft-ietf-bess-evpn-na-flags.all@ietf.org>
Subject: Secdir last call review of draft-ietf-bess-evpn-na-flags-05
Reviewer: Mališa Vučinić
Review result: Has Nits

I reviewed this document as part of the Security Directorate's ongoing effort
to review all IETF documents being processed by the IESG. These comments were
written primarily for the benefit of the Security Area Directors. Document
authors, document editors, and WG chairs should treat these comments just like
any other IETF Last Call comments.

The document specifies an extension to an Ethernet Virtual Private Network
(EVPN) MAC/IP advertisement by defining an EVPN Extended Community carrying
flags relevant to the ARP/ND resolution.

The abstract of the document does not include enough background context for it
to be useful to the general audience. Otherwise, the document is well written.

The security considerations section should be further elaborated. For instance,
the section includes a discussion on a possible misconfiguration of Router (R)
/Override (O) flags but the discussion is limited to the fact that the
misconfiguration of an IPv6/MAC binding on a given Provider Edge device (PE)
will propagate, by means of IPv6 Neighbor Solicitation messages, to
other PEs in the same broadcast domain. I would like to understand better the
effect of each flag, i.e., what kind of behavior in the network can an attacker
cause by changing one of these flags on a particular device or in transit?
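To make the effect of the O and R flags concrete, here is an added example (not part of the thread or the draft) that models the RFC 4861 Section 7.2.5 receiver rules for a Neighbor Advertisement: with O clear the stale IP->MAC binding is kept, and with R clear a neighbor drops out of the Default Router List. The addresses, MACs and the move scenario are constructed.

```python
# Added example: model of the RFC 4861 Section 7.2.5 receiver rules for the
# Override (O) and Router (R) flags of an NA. All sample data is constructed.
from dataclasses import dataclass, field


@dataclass
class Neighbor:
    lladdr: str                 # cached link-layer (MAC) address
    state: str                  # "INCOMPLETE", "REACHABLE" or "STALE"
    is_router: bool = False


@dataclass
class Host:
    cache: dict = field(default_factory=dict)          # IPv6 -> Neighbor
    default_routers: set = field(default_factory=set)  # Default Router List

    def receive_na(self, target, lladdr, r, s, o):
        """Apply an NA (target, TLLA option, R/S/O flags); return what happened."""
        e = self.cache.get(target)
        if e is None:
            return "discarded"            # no cache entry: silently discard
        if e.state == "INCOMPLETE":       # first resolution: take everything
            e.lladdr, e.state, e.is_router = lladdr, "REACHABLE" if s else "STALE", r
            return "resolved"
        if not o and lladdr != e.lladdr:
            # O clear and a different MAC: keep the old binding, at most
            # demote REACHABLE to STALE. A wrongly cleared O keeps a stale MAC.
            e.state = "STALE" if e.state == "REACHABLE" else e.state
            return "ignored"
        changed = lladdr != e.lladdr
        e.lladdr = lladdr
        e.state = "REACHABLE" if s else ("STALE" if changed else e.state)
        was_router, e.is_router = e.is_router, r
        if was_router and not r:          # IsRouter TRUE -> FALSE
            self.default_routers.discard(target)
            return "router removed"
        return "updated"


def demo():
    """Constructed scenario: the neighbor is a router whose MAC changes twice."""
    ip = "2001:db8::1"
    mac_a, mac_b, mac_c = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
    h = Host({ip: Neighbor(mac_a, "REACHABLE", True)}, {ip})
    r1 = h.receive_na(ip, mac_b, r=True, s=True, o=True)    # correct flags
    r2 = h.receive_na(ip, mac_c, r=True, s=True, o=False)   # O wrongly clear
    stale = h.cache[ip].lladdr                              # still mac_b
    r3 = h.receive_na(ip, mac_b, r=False, s=True, o=True)   # R wrongly clear
    return r1, r2, stale, r3, sorted(h.default_routers)
```

Running `demo()` shows the second advertisement being ignored (traffic keeps going to the old MAC) and the third removing the router from the Default Router List.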