I will try to give this a read this week

On Thu, Nov 30, 2017 at 10:46 AM, Ali Sajassi (sajassi) <[email protected]> wrote:
> Hi Alvaro,
>
> I have addressed all the comments from IESG (including Eric Rescorla’s
> comments) but the status of this draft still shows "AD Followup". Can you
> please progress this draft and let me know if there is anything else you
> need from me.
>
> Regards,
> Ali
>
> From: Cisco Employee <[email protected]>
> Date: Thursday, November 9, 2017 at 1:42 PM
> To: Cisco Employee <[email protected]>, Eric Rescorla <[email protected]>, The IESG <[email protected]>, Alvaro Retana <[email protected]>
> Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>, "draft-ietf-bess-evpn-etree@ietf.org" <[email protected]>, "[email protected]" <[email protected]>
> Subject: Re: Eric Rescorla's Discuss on draft-ietf-bess-evpn-etree-13: (with DISCUSS)
>
> Hi Eric,
>
> Let me know if you have any further questions/comments.
>
> Cheers,
> Ali
>
> From: Cisco Employee <[email protected]>
> Date: Friday, October 27, 2017 at 10:06 AM
> To: "Alvaro Retana (aretana)" <[email protected]>, Eric Rescorla <[email protected]>, The IESG <[email protected]>
> Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>, "draft-ietf-bess-evpn-etree@ietf.org" <[email protected]>, "[email protected]" <[email protected]>
> Subject: Re: Eric Rescorla's Discuss on draft-ietf-bess-evpn-etree-13: (with DISCUSS)
> Resent-From: <[email protected]>
> Resent-To: Cisco Employee <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>
> Resent-Date: Friday, October 27, 2017 at 10:06 AM
>
> Hi Eric,
>
> The “leaf” or “root” designation of an Attachment Circuit (AC) is done by
> the operator / service provider on the PE device (and not on a CE). So, CE
> device has no control in changing a “leaf” designation to a “root”. I added
> “the network operator / service provider” to the text. Furthermore, I added
> additional text to address your second concern (e.g., regarding how to
> avoid any exchange among leaf ACs):
>
> "Furthermore, this document provides additional security check by allowing
> sites (or ACs) of an EVPN instance to be designated as "Root" or "Leaf" by
> the network operator/ service provider and thus preventing any traffic
> exchange among "Leaf" sites of that VPN through ingress filtering for known
> unicast traffic and egress filtering for BUM traffic. Since by default and
> for the purpose of backward compatibility, an AC that doesn't have a leaf
> designation is considered as a root AC, in order to avoid any traffic
> exchange among leaf ACs, the operator SHOULD configure the AC with a proper
> role (leaf or root) before activating the AC."
>
> Cheers,
> Ali
>
> From: "Alvaro Retana (aretana)" <[email protected]>
> Date: Tuesday, September 26, 2017 at 6:03 AM
> To: Eric Rescorla <[email protected]>, The IESG <[email protected]>
> Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>, "draft-ietf-bess-evpn-etree@ietf.org" <[email protected]>, "[email protected]" <[email protected]>
> Subject: Re: Eric Rescorla's Discuss on draft-ietf-bess-evpn-etree-13: (with DISCUSS)
> Resent-From: <[email protected]>
> Resent-To: Cisco Employee <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>
> Resent-Date: Tuesday, September 26, 2017 at 6:03 AM
>
> Hi!
>
> I don’t have anything in my archive either. :-(
>
> I just poked the authors…
>
> Alvaro.
>
> On 9/26/17, 5:59 AM, "Eric Rescorla" <[email protected]> wrote:
>
> I have some memory that someone responded that this wasn't a security
> requirement, but I can't find that now.
>
> -Ekr
>
> On Sat, Sep 9, 2017 at 11:35 AM, Eric Rescorla <[email protected]> wrote:
>
> Eric Rescorla has entered the following ballot position for
> draft-ietf-bess-evpn-etree-13: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-bess-evpn-etree/
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> It's not clear to me if the prohibition on leaf-to-leaf communications is
> intended to be a security requirement. If so, it seems like it needs to
> explicitly state why it is not possible for ACs which are leaf to pretend
> to be root. If not, then it should say so. Additionally, this solution
> appears to rely very heavily on filtering, so I believe some text about
> what happens during periods of filtering inconsistency (and what the
> impact on the security is).
_______________________________________________
BESS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/bess
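
The draft text quoted in the October 27 message above says an AC with no leaf designation is treated as root, which is why it asks operators to set the role before activation. The following is an added example, not part of the thread, the draft, or any vendor implementation: it models only that role rule and audits a constructed inventory for active ACs whose role was never set. The AC names, the `AC` class and the `decide`/`audit` helpers are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AC:
    name: str              # hypothetical AC identifier
    role: Optional[str]    # "root", "leaf", or None if never configured
    active: bool = True

    @property
    def effective_role(self) -> str:
        # Quoted text: an AC without a leaf designation is considered root.
        return self.role or "root"

def decide(src: AC, dst: AC, traffic: str):
    """Return (action, filtering point) for traffic from src AC to dst AC."""
    if traffic not in ("known-unicast", "bum"):
        raise ValueError(f"unknown traffic class: {traffic}")
    if src.effective_role == "leaf" and dst.effective_role == "leaf":
        # Known unicast is filtered at ingress, BUM at egress.
        return ("drop", "ingress" if traffic == "known-unicast" else "egress")
    return ("forward", None)

def audit(acs):
    """Map each active AC lacking an explicit role to the leaf ACs it can reach."""
    findings = {}
    for ac in acs:
        if ac.active and ac.role is None:
            findings[ac.name] = sorted(
                other.name for other in acs
                if other is not ac and other.active
                and other.effective_role == "leaf"
                and decide(ac, other, "known-unicast")[0] == "forward")
    return findings

# Constructed inventory; names and roles are illustrative only.
INVENTORY = [
    AC("ac-hq", "root"),
    AC("ac-branch1", "leaf"),
    AC("ac-branch2", "leaf"),
    AC("ac-branch3", None),                # activated before a role was set
    AC("ac-branch4", None, active=False),  # unset but not yet activated
]

if __name__ == "__main__":
    for name, leaves in audit(INVENTORY).items():
        print(f"{name}: no explicit role, treated as root, reaches {leaves}")
```
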
