Hi Derek,

Thank you very much for reviewing.

The Security section (along with the other sections) has been improved quite a bit in the latest revision compared to version 09. All in all, a forged BM packet sent into an EVPN PE will reach all the remote EVPN PEs of the same Broadcast Domain. The Assisted-Replication solution makes that replication no worse than that, i.e. forged BM packets injected into an EVPN PE acting as an AR-LEAF will be forwarded to all the remote EVPN PE/NVEs of the same Broadcast Domain.

Thanks.
Jorge

From: Derek Atkins via Datatracker <nore...@ietf.org>
Date: Thursday, October 7, 2021 at 2:53 PM
To: sec...@ietf.org <sec...@ietf.org>
Cc: bess@ietf.org <bess@ietf.org>, draft-ietf-bess-evpn-optimized-ir....@ietf.org <draft-ietf-bess-evpn-optimized-ir....@ietf.org>, last-c...@ietf.org <last-c...@ietf.org>
Subject: Secdir last call review of draft-ietf-bess-evpn-optimized-ir-09

Reviewer: Derek Atkins
Review result: Ready

Hi,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving security requirements and considerations in IETF drafts. Comments not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments.

Summary:

* Ready to Publish

Details:

* It is unclear to me how one would protect from a (D)DoS attack with a forged BM packet sent into the replicator and prevent amplification attacks.

-derek

_______________________________________________
BESS mailing list
BESS@ietf.org
https://www.ietf.org/mailman/listinfo/bess