Skip to main content

Last Call Review of draft-ietf-bess-evpn-mh-split-horizon-09
review-ietf-bess-evpn-mh-split-horizon-09-secdir-lc-sheffer-2024-06-30-00

Request Review of draft-ietf-bess-evpn-mh-split-horizon
Requested revision No specific revision (document currently at 11)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2024-07-09
Requested 2024-06-25
Authors Jorge Rabadan , Kiran Nagaraj , Wen Lin , Ali Sajassi
I-D last updated 2024-06-30
Completed reviews Genart Early review of -08 by Jouni Korhonen (diff)
Rtgdir Early review of -04 by Himanshu C. Shah (diff)
Secdir Last Call review of -09 by Yaron Sheffer (diff)
Opsdir Last Call review of -10 by Susan Hares (diff)
Secdir Telechat review of -10 by Yaron Sheffer (diff)
Assignment Reviewer Yaron Sheffer
State Completed
Request Last Call review on draft-ietf-bess-evpn-mh-split-horizon by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/0Ss0uKHVL5ukc9nByXL6LgJZdPg
Reviewed revision 09 (document currently at 11)
Result Has nits
Completed 2024-06-30
review-ietf-bess-evpn-mh-split-horizon-09-secdir-lc-sheffer-2024-06-30-00
This document defines a way to explicitly share the multi-homing split horizon
procedures over BGP, for a large variety of NVO use cases. This reviewer is not
familiar with the EVPN ecosystem, and comments below may reflect my own
ignorance.

In general: the document is clear, and does not appear to create any novel
security risks.

2.1: the first two paragraphs are duplicates.

2.2: "A received A-D per ES route where Single-Active and SHT bits are
different from zero MUST be treat-as-withdraw" - IIUC, this is very fragile
behavior, where an incorrect flag results in the entire path being removed. Why
does this behavior make more sense than simply ignoring the SHT bits?

2.2: For the Geneve use case: is the value "10" always valid, or is it only
valid if the ESI-Label is present? The text is unclear.

4: "The security considerations relevant to multihoming" - is it clear to all
readers which security considerations these are? Are you referring to the
entirety of Sec. 19 of RFC7432?

4: "unauthorized changes to the SHT configuration by an attacker should not
cause traffic disruption" - when various kinds of misconfiguration are "treat
as withdraw", how does that NOT cause traffic disruption? I would assume that
when the route is withdrawn, eventually traffic is disrupted.

7: the Contributors section is empty.