Re: Opsdir last call review of draft-ietf-bess-evpn-proxy-arp-nd-04

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Joe,

My apologies for the delay.

Thank you very much for the very useful review.
We took all your comments and made the corresponding changes in the new version.

Please see more in-line with [JORGE] along with your comments.
Thanks.
Jorge


-----Original Message-----
From: Joe Clarke <jclarke@xxxxxxxxx>
Date: Thursday, August 30, 2018 at 6:11 AM
To: "ops-dir@xxxxxxxx" <ops-dir@xxxxxxxx>
Cc: "draft-ietf-bess-evpn-proxy-arp-nd.all@xxxxxxxx" <draft-ietf-bess-evpn-proxy-arp-nd.all@xxxxxxxx>, "ietf@xxxxxxxx" <ietf@xxxxxxxx>, "bess@xxxxxxxx" <bess@xxxxxxxx>
Subject: Opsdir last call review of draft-ietf-bess-evpn-proxy-arp-nd-04
Resent-From: <alias-bounces@xxxxxxxx>
Resent-To: <jorge.rabadan@xxxxxxxxx>, <senthil.sathappan@xxxxxxxxx>, <kiran.nagaraj@xxxxxxxxx>, <wim.henderickx@xxxxxxxxx>, <greg.hankins@xxxxxxxxx>, <thomas.king@xxxxxxxxxx>, <daniel.melzer@xxxxxxxxxx>, <nordmark@xxxxxxxxx>, <matthew.bocci@xxxxxxxxx>, <stephane.litkowski@xxxxxxxxxx>, <mankamis@xxxxxxxxx>, <martin.vigoureux@xxxxxxxxx>, <db3546@xxxxxxx>, <aretana.ietf@xxxxxxxxx>, Matthew Bocci <matthew.bocci@xxxxxxxxx>
Resent-Date: Thursday, August 30, 2018 at 6:11 AM

    Reviewer: Joe Clarke
    Review result: Has Issues
    
    I have been assigned to do an OPS DIR review of draft-ietf-bess-proxy-arp-nd. 
    This document describes how the proxy ARP/ND functions of EVPN can be used to
    mitigate the impact of address resolution in large broadcast domains.  While
    the text does support the abstract and describes how such proxy functions can
    help prevent flooding of broadcast traffic into the EVPNs, I found something
    noticeably missing from an operational point of view.  This was especially
    apparent since the concept of an ARP-Sponge was also discussed.  That is, one
    of the big operational headaches of a large broadcast domain is with negative
    ARP/ND (especially ARP).  We actually see this in the IETF conference networks
    due to internet backscatter (we might be considered a DC in this regard). 
    While the proxy functions can mitigate the positive address resolution, they
    will not help with negative caching.  I feel that should be discussed, at least
    in the security recommendations, assuming there is not a proposal for adding
    capabilities to the EVPN proxy functions to further mitigate this.

[JORGE] not sure what you mean by "negative caching". If you refer to the ability of certain routers/servers to inject dummy MACs into the ARP caches so that hosts stop ARPing for absent IPs, the solution actually may help, since there is an option to suppress unknown ARP-Requests/NS flooding explained in Section 4.5. Should you choose to enable this option on the Proxy-ARP/ND functions of the PEs, you no longer flood unknown ARP-Requests, and therefore there is no longer need to inject those dummy MAC addresses to stop the flooding. A host may keep ARP'ing for an absent host, but at least those messages won't bother the entire BD. I added this text in the security section:
--------------
  "The procedures in this document reduce the amount of ARP/ND message
   flooding, which in itself provides a protection to "slow path"
   software processors of routers and Tenant Systems in large BDs. The
   ARP/ND requests that are replied by the Proxy-ARP/ND function (hence
   not flooded) are normally targeted to existing hosts in the BD.
   ARP/ND requests targeted to absent hosts are still normally flooded,
   however the suppression of Unknown ARP-Requests and NS messages
   described in Section 4.5. can provide an additional level of security
   against ARP-Requests/NS messages issued to non-existing hosts." 
--------------
    
    An overall nit is that you seem to mix capitalization of various terms like
    Ethernet, Proxy-ARP, Layer-2, etc.  It would be good to normalize these for
    easier reading.
[JORGE] done in the posted revision. Thanks.
    
    Other comments and nits on a per-section basis are found below.
    
    Section 2.1:
    
    In general, I found this section lacking when compared with the IXP section
    below it.  You describe that large DCs may have a problem with broadcasts, but
    that is a known quantity.  What I was expecting is to see more on how this
    document is applicable to that scenario like you did with the subsequent IXP
    section.
[JORGE] ok, I added a bit more text in Section 2.1.
    
    ===
    
    Section 4
    
    "When CE3 sends an ARP Request asking for IP1..."
    
    Technically, CE3 is asking for the MAC address of IP1.
[JORGE] true. Fixed, thx.
    
    ===
    
    Section 4.2
    
    s/potential Layer-2 switches seating/potential Layer-2 switches sitting/
[JORGE] done, thx.
    
    ===
    
    Section 4.4
    
    You say that a dynamic Proxy-ARP/ND entry SHOULD be flushed.  It MUST be
    flushed if the age-time expires.  I think this should be restated applying the
    SHOULD to whether or not an age-time is implemented.  IMHO, if an age-time is
    implemented, keeping an entry in the table after it has aged out is incorrect
    behavior.  An implementation MUST NOT do that.
[JORGE] Agreed. Changed to "MUST be flushed".
    
    ===
    
    Section 6.5
    
    LAG is not listed in your glossary of abbreviations.
[JORGE] added, thx.
    
    ===
    
    Section 7
    
    Typically the conventions section is located at the top of a document, after
    the abstract.
[JORGE] changed, thank you.
    
    






[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux