Re: [secdir] SECDIR review of draft-ietf- bess-evpn-usage-07

"Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com> Fri, 09 February 2018 11:45 UTC

From: "Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com>
To: Stephen Kent <stkent@verizon.net>, Alvaro Retana <aretana.ietf@gmail.com>, "Henderickx, Wim (Nokia - BE/Antwerp)" <wim.henderickx@nokia.com>, "sajassi@cisco.com" <sajassi@cisco.com>, "uttaro@att.com" <uttaro@att.com>, "stephane.litkowski@orange.com" <stephane.litkowski@orange.com>, "Vigoureux, Martin (Nokia - FR/Paris-Saclay)" <martin.vigoureux@nokia.com>, "secdir@ietf.org" <secdir@ietf.org>, "Palislamovic, Senad (Nokia - US)" <senad.palislamovic@nokia.com>
Thread-Topic: [secdir] SECDIR review of draft-ietf- bess-evpn-usage-07
Thread-Index: AQHTnFHz0wf12N+xhkuJ9V8mooRWQaORnxaAgAAMgwCACPeYgP//93+AgABf34CAAPYvAIAAHjsA
Date: Fri, 9 Feb 2018 11:45:05 +0000
Message-ID: <D2A2602E-EE89-4D71-AE77-A3F7472FF3AD@nokia.com>
References: <e507416e-202b-defb-b8e9-cd3cb75c877a@verizon.net> <CAMMESsyfe=NL-HwMES5yCUgDhSzkdrN6cpycV3WjNKEJscPo3w@mail.gmail.com> <18631468-67d6-e3ca-0bef-92cdcb3ccd66@verizon.net> <9D77D57C-E135-479E-8328-69470CC4FF31@nokia.com> <e9be0bd4-4c82-75ec-ec3c-7b8677c93fd8@verizon.net> <AA54F427-E09D-4E49-BE03-051EDAF5EEC7@nokia.com> <8e511c57-4af2-8dbb-9c54-72fdee74b9c3@verizon.net>
In-Reply-To: <8e511c57-4af2-8dbb-9c54-72fdee74b9c3@verizon.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/slxNVxynNQKvc5nzmyqgbgd7uc8>
Subject: Re: [secdir] SECDIR review of draft-ietf- bess-evpn-usage-07

Steve,

Your proposal looks very good to me.
I’ll add it to the document.

Thank you!
Jorge


From: Stephen Kent <stkent@verizon.net>
Date: Friday, February 9, 2018 at 11:57 AM
To: "Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com>, Alvaro Retana <aretana.ietf@gmail.com>, "Henderickx, Wim (Nokia - BE/Antwerp)" <wim.henderickx@nokia.com>, "sajassi@cisco.com" <sajassi@cisco.com>, "uttaro@att.com" <uttaro@att.com>, "stephane.litkowski@orange.com" <stephane.litkowski@orange.com>, "Vigoureux, Martin (Nokia - FR/Paris-Saclay)" <martin.vigoureux@nokia.com>, "secdir@ietf.org" <secdir@ietf.org>, "Palislamovic, Senad (Nokia - US)" <senad.palislamovic@nokia.com>
Subject: Re: [secdir] SECDIR review of draft-ietf-bess-evpn-usage-07


Jorge,
[JORGE] hmm... how about this instead:
“The standards produced by the SIDR WG, which address secure route origin authentication (e.g., RFCs 6480-93) and route advertisement security (e.g., RFCs 8205-11) do not apply to the EVPN family, hence they are not relevant to [RFC7432] or this document.”

The reason is that EVPN conveys Ethernet address space but also some other information.
First, I'm not sure if the sentence immediately above is intended to be part of the text, or if it is a comment to me. I'm assuming the latter, in which case I think more info would help the reader to understand why those RFCs are not applicable. Saying that the RFCs "do not apply to the EVPN family" does not seem clear enough, although I agree that noting RFC 7432 is a good idea. How about:

“The standards produced by the SIDR WG address secure route origin authentication (e.g., RFCs 6480-93) and route advertisement security (e.g., RFCs 8205-11). They protect the integrity and authenticity of IP address advertisements and ASN/IP prefix bindings. This document, and [RFC7432], use BGP to convey other info, e.g., MAC addresses, and thus the protections offered by the SIDR WG RFCs are not applicable in this context."

Steve