Hi all,

I'm opposed to adoption of this draft since it insufficiently (not at all) addresses how this work relates to the DHCP LEASEQUERY protocols (RFC 4388 / 5007 + a whole bunch of extensions, notably active & bulk leasequery). This isn't to say that there is no need for carrying this in EVPN, but it needs to be clear why a different mechanism for the same function is being introduced. Just, redundant work shouldn't be adopted by the WG. At minimum, IMHO, the document needs to contextualize itself relative to LEASEQUERY.

The primary advantage *and* disadvantage of an EVPN solution seems to be that it is constrained to not have active interactions with the overlay DHCP service. This may be key to being able to deploy it at all in some scenarios, but it also by that same distinction loses access to well-established DHCP synchronization mechanisms.

It is also unclear how exactly DHCP snooping in general would be deployed, considering that its configuration generally has the operator of the overlay define "trusted uplink ports" or "trusted servers". In an EVPN setup, this would be the overlay tenant/operator/user, but configuration for the mechanism described in this draft would reside in the underlay. Are the operators expected to come up with a coordination mechanism? Or is this really only intended for overlay==underlay operator cases? Or is this just silently assuming the EVPN side is trusted? This draft specifies how the snooping database is exchanged, but not how DHCP snooping works on top of EVPN to begin with.

All of this IMHO needs to be clear to understand whether this is useful WG work. It might be. But it needs to acknowledge LEASEQUERY and make an argument in relation to that.

Hope this helps,
equi

P.S.: note that, while this is AFAIK not called out specifically in any RFC, you can also run LEASEQUERY between snoopers without involving the actual DHCP server(s). Some vendors have AIUI been shipping this (independent of EVPN, but usable in that context) for a while.

On Thu, Mar 05, 2026 at 12:45:00PM -0800, Zhaohui Zhang via Datatracker wrote:
> This message starts a bess WG Call for Adoption of:
> draft-sajassi-bess-evpn-first-hop-security-05
>
> This Working Group Call for Adoption ends on 2026-03-25. An extra is given in
> consideration of IETF25.
>
> Abstract:
> The Dynamic Host Configuration Protocol (DHCP) snoop database stores
> valid IPv4-to-MAC and IPv6-to-MAC bindings by snooping on DHCP
> messages. These bindings are used by security functions like Dynamic
> Address Resolution Protocol Inspection (DAI), Neighbor Discovery
> Inspection (NDI), IPv4 Source Guard, and IPv6 Source Guard to
> safeguard against traffic received with a spoofed address. These
> functions are collectively referred to as First Hop Security (FHS).
> This document proposes BGP extensions and new procedures for Ethernet
> VPN (EVPN) that will distribute and synchronize the DHCP snoop database to
> support FHS. Such synchronization is needed to support EVPN host
> mobility and multi-homing.
>
> Please reply to this message and indicate whether or not you support adoption
> of this Internet-Draft by the bess WG. Comments to explain your preference
> are greatly appreciated. Please reply to all recipients of this message and
> include this message in your response.
>
> Authors, and WG participants in general, are reminded of the Intellectual
> Property Rights (IPR) disclosure obligations described in BCP 79 [2].
> Appropriate IPR disclosures required for full conformance with the provisions
> of BCP 78 [1] and BCP 79 [2] must be filed, if you are aware of any.
> Sanctions available for application to violators of IETF IPR Policy can be
> found at [3].
>
> Thank you.
>
> [1] https://datatracker.ietf.org/doc/bcp78/
> [2] https://datatracker.ietf.org/doc/bcp79/
> [3] https://datatracker.ietf.org/doc/rfc6701/
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-sajassi-bess-evpn-first-hop-security/
>
> There is also an HTMLized version available at:
> https://datatracker.ietf.org/doc/html/draft-sajassi-bess-evpn-first-hop-security-05
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-sajassi-bess-evpn-first-hop-security-05
>
> Thanks.
> BESS Chairs
>
> _______________________________________________
> BESS mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
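To make the trust-boundary point of the mail concrete, here is an added example (mine, not code from the thread, the draft or any vendor) of the snoop database the abstract describes: DHCP server replies are only believed on configured trusted ports, bindings remember the access port they were learned on, and a DAI check consumes them. The port names and the DHCP message dicts are constructed stand-ins for parsed packets.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str
    lease: int

class SnoopDB:  # binding table built from snooped DHCP messages (dicts stand in for packets)
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # ports where server replies (OFFER/ACK/NAK) are believed
        self.pending = {}                   # chaddr -> access port of the outstanding REQUEST
        self.bindings = {}                  # ip -> Binding

    def observe(self, msg):
        kind, port, mac = msg["type"], msg["port"], msg["chaddr"].lower()
        if kind in ("OFFER", "ACK", "NAK"):
            if port not in self.trusted:
                return "dropped-untrusted-server"   # server message on an access port: not believed
            if kind == "ACK" and mac in self.pending:
                b = Binding(msg["yiaddr"], mac, self.pending.pop(mac), msg["lease"])
                self.bindings[b.ip] = b
                return "bound"
            return "ignored"
        if kind == "REQUEST":
            self.pending[mac] = port            # remember which access port the client sits on
            return "pending"
        if kind == "RELEASE":
            b = self.bindings.get(msg["ciaddr"])
            # only the MAC and port holding the binding may tear it down
            if b and b.mac == mac and b.port == port:
                del self.bindings[b.ip]
                return "released"
            return "dropped-release-mismatch"
        return "ignored"

    def dai_ok(self, sender_ip, sender_mac, port):
        """Dynamic ARP Inspection: accept an ARP sender tuple only if it matches a binding."""
        b = self.bindings.get(sender_ip)
        return b is not None and b.mac == sender_mac.lower() and b.port == port

def demo():
    db = SnoopDB(trusted_ports={"uplink1"})
    msgs = [  # constructed sample exchange: a legitimate lease, then an ACK from an access port
        {"type": "REQUEST", "port": "eth3", "chaddr": "AA:BB:CC:00:00:01"},
        {"type": "ACK", "port": "uplink1", "chaddr": "AA:BB:CC:00:00:01", "yiaddr": "10.0.0.5", "lease": 3600},
        {"type": "ACK", "port": "eth7", "chaddr": "AA:BB:CC:00:00:02", "yiaddr": "10.0.0.9", "lease": 3600},
    ]
    return db, [db.observe(m) for m in msgs]
```

Whichever side (overlay or underlay) owns the `trusted_ports` set decides what ends up in the table, which is exactly the coordination question the mail raises.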
