>[Zu Qiang] ARP or ND are sent in the TS data plane. A good implementation is
>that the NVE will only need to query the NVA for the first ARP message. Or it
>does not need to query the NVA in the push model. So how can the faked ARP
>flood the NVE-NVA control signalling?
>
>Normally a good NVE implementation shall have some kind of firewall function
>on the TS data traffic to drop any DoS-type data plane traffic. This can avoid
>any flood on the NVE-NVE data plane. Unless you want to add a TS data plane FW
>requirement in the NVE, I don't see any new security issue here.
>
>Dacheng: Let's assume a scenario. An attacker generates a large amount of fake
>ARP packets to query different non-existing hosts. In this case, when an NVE
>receives an ARP request for which it does not know the answer, it may try to
>consult the NVA, which may result in DoS attacks. So, the capability of filtering the
>first packet is not sufficient here. We all know there are various ways to deal
>with this type of attack. But we cannot say there is no security issue, right?

[Zu Qiang] I never said there is no security issue. I said there is no NEW
security issue here. A data plane firewall is needed anyway. As a generic
architecture consideration, the control plane design SHALL minimize the
amplification effects which have the potential to be used by attackers to carry
out reflection attacks. This is not a new security requirement.
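
The point both posters circle around is that the NVE, not the NVA, has to bound how many control-plane lookups a burst of data-plane ARP requests can cause. The following is an added illustration written for this thread; it is not code from the nvo3 drafts or from either poster. It models an NVE that answers from a local cache, remembers targets the NVA could not resolve (a negative cache), and gives each source a token-bucket budget for NVA lookups, then compares the NVA query count with and without those controls. The class names, TTLs, rates and addresses are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field


@dataclass
class ArpRequest:
    src_mac: str     # tenant system (TS) that sent the request
    target_ip: str   # address it wants resolved


class NvaStub:
    """Stand-in for the NVA: a constructed IP->MAC mapping plus a lookup counter."""

    def __init__(self, mapping):
        self.mapping = dict(mapping)
        self.queries = 0

    def lookup(self, ip):
        self.queries += 1
        return self.mapping.get(ip)


class TokenBucket:
    """Per-source budget for NVA lookups: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst, now):
        self.rate, self.capacity = rate, burst
        self.tokens, self.last = float(burst), now

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Nve:
    nva: NvaStub
    pos_ttl: float = 300.0   # assumed lifetime of a resolved binding
    neg_ttl: float = 30.0    # assumed time an unresolvable target is remembered
    rate: float = 1.0        # assumed NVA lookups/second per source once the burst is spent
    burst: int = 5           # assumed lookups a single source may trigger back-to-back
    cache: dict = field(default_factory=dict)     # ip -> (mac, expiry)
    negative: dict = field(default_factory=dict)  # ip -> expiry
    buckets: dict = field(default_factory=dict)   # src_mac -> TokenBucket
    stats: dict = field(default_factory=lambda: {
        "answered": 0, "dropped_negative": 0, "dropped_ratelimit": 0, "unresolved": 0})

    def handle_arp(self, req, now):
        """Return the MAC to answer with, or None if the request is dropped or unresolvable."""
        entry = self.cache.get(req.target_ip)
        if entry and entry[1] > now:                       # 1. answered locally; NVA untouched
            self.stats["answered"] += 1
            return entry[0]
        if self.negative.get(req.target_ip, 0.0) > now:    # 2. known-unresolvable; do not re-ask
            self.stats["dropped_negative"] += 1
            return None
        bucket = self.buckets.setdefault(req.src_mac, TokenBucket(self.rate, self.burst, now))
        if not bucket.allow(now):                          # 3. this source has spent its budget
            self.stats["dropped_ratelimit"] += 1
            return None
        mac = self.nva.lookup(req.target_ip)               # 4. only now consult the NVA
        if mac is None:
            self.negative[req.target_ip] = now + self.neg_ttl
            self.stats["unresolved"] += 1
            return None
        self.cache[req.target_ip] = (mac, now + self.pos_ttl)
        self.stats["answered"] += 1
        return mac


def run(requests, mitigated=True):
    """Feed (src_mac, target_ip, time) triples through one NVE.
    Returns (number of NVA queries caused, the NVE's counters)."""
    nva = NvaStub({"10.0.0.1": "00:00:5e:00:53:01"})     # constructed: one real tenant host
    n = len(requests)
    # "unmitigated" keeps the positive cache but disables negative caching and rate limiting
    nve = Nve(nva) if mitigated else Nve(nva, neg_ttl=0.0, rate=float(n), burst=max(n, 1))
    for src, target, t in requests:
        nve.handle_arp(ArpRequest(src, target), now=t)
    return nva.queries, nve.stats


def flood(n):
    """Constructed attack traffic: one source asks for n distinct addresses nobody owns."""
    return [("00:00:5e:00:53:aa", f"198.51.100.{i}", 0.0) for i in range(n)]


if __name__ == "__main__":
    for mitigated in (False, True):
        queries, stats = run(flood(200), mitigated)
        print(f"mitigated={mitigated}: {queries} NVA queries, {stats}")
```

With the controls on, a 200-request burst for non-existent hosts reaches the NVA only `burst` times, and repeated requests for the same unknown address are answered from the negative cache without any NVA traffic; with them off, every fake request becomes an NVA query, which is the amplification Dacheng describes. Real deployments would also age the per-source buckets and size the negative TTL against legitimate host mobility, which this example leaves out.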

_______________________________________________
nvo3 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nvo3