On 9/27/13 6:06 AM, Zu Qiang wrote:
> [Zu Qiang] Just for my clarification, are you saying HA is not in the
> scope of network security? Or are you saying security is not in the
> scope of this version of the charter? If "High availability" is the
> problem, do you have a proposed text? The R1 requirement is to avoid
> DoS / DDoS attacks as a network design requirement. For instance,
> neither the NVA nor the NVE shall become the bottleneck of the
> control plane signalling. This is something that can be avoided at
> NVO3 architecture design, isn't it?

I think probably not - part of the problem here is that
you haven't specified what you mean by "high availability"
(and I'll note that underspecification is a consistent
problem throughout your document).  If you're talking about
something like failover, which I think you might be (?),
it's largely orthogonal to the problem of communication
among network elements, and it's hard.  You'd need to deal
with problems around detecting events, moving device state,
and so on.  Out of scope.

I could answer your points one by one but I think that
it'd be a little beside the point, since we have a security
requirements draft that's been accepted by the working group.
A better approach might be to propose individual requirements
on the mailing list and then start discussion around them.

Also, I'll note that you justified having written this draft
by saying that there were subtle security issues in the nvo3
architecture that were not addressed by the security requirements
draft, but you did not explain what those were, nor did you
give the reasoning behind most of your requirements.  And to
be honest, I did not see much of anything that was not in the
working group draft that was both correct and in-scope.

Melinda
_______________________________________________
nvo3 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nvo3
