Re: [Last-Call] Secdir last call review of draft-ietf-bess-evpn-optimized-ir-09

Hi Derek,

 

Thank you very much for reviewing.

 

The Security section (along with the other sections) has been improved quite a bit in the latest revision compared to version 09.

 

All in all, a forged BM packet sent into an EVPN PE will reach all the remote EVPN PEs of the same Broadcast Domain. The Assisted-Replication solution makes that replication no worse than that, i.e. forged BM packets injected into an EVPN PE acting as an AR-LEAF will be forwarded to all the remote EVPN PE/NVEs of the same Broadcast Domain.

 

Thanks.

Jorge

 

From: Derek Atkins via Datatracker <noreply@xxxxxxxx>
Date: Thursday, October 7, 2021 at 2:53 PM
To: secdir@xxxxxxxx <secdir@xxxxxxxx>
Cc: bess@xxxxxxxx <bess@xxxxxxxx>, draft-ietf-bess-evpn-optimized-ir.all@xxxxxxxx <draft-ietf-bess-evpn-optimized-ir.all@xxxxxxxx>, last-call@xxxxxxxx <last-call@xxxxxxxx>
Subject: Secdir last call review of draft-ietf-bess-evpn-optimized-ir-09

Reviewer: Derek Atkins
Review result: Ready

Hi,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written with the intent of improving
security requirements and considerations in IETF drafts.  Comments
not addressed in last call may be included in AD reviews during the
IESG review.  Document editors and WG chairs should treat these
comments just like any other last call comments.

Summary:

* Ready to Publish

Details:

* It is unclear to me how one would protect from a (D)DoS attack with
  a forged BM packet sent into the replicator and prevent
  amplification attacks.

-derek


-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
