Re: [secdir] secdir review of draft-ietf-l2vpn-pbb-evpn-09 (resend)

Kathleen Moriarty <> Thu, 05 February 2015 00:21 UTC


Thanks, Adrian for resending and Catherine for the helpful review.

On Wed, Jan 21, 2015 at 5:38 AM, Adrian Farrel <> wrote:
> Again, re-sending with fixed subject line for people who auto-file.
> From: iesg [] On Behalf Of Catherine Meadows
> Sent: 20 January 2015 21:49
> To:;;
> Cc: Catherine Meadows
> Subject: secdir review of draft-ietf-l2vpn-pbb-evpn-09 (resend)
> I messed up the authors’ address when I sent this review last week, so I’m
> trying again.
> Cathy
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> This draft describes a method for integrating Ethernet Provider Backbone
> Bridge (PBB) with Ethernet VPN (EVPN) to
> improve the delivery of MAC addresses, in particular with respect to
> scalability.
> I don’t see any security concerns with this draft, but I do have some
> comments on the Security Considerations section.
> It is very short, and all it says that the security considerations in the
> EVPN draft apply directly to this draft. I assume that
> it is also the case that this draft introduces no new security
> considerations.  If so, you should say so, and you should
> also say why.  Also, I was wondering if the mechanisms introduced in this
> draft, by introducing a greater degree of organization
> in the delivery of MAC addresses, makes it easier to detect duplicated MACs,
> which were mentioned as a security risk in the
> Security Considerations of the EVPN draft.  If this is the case, it would be
> a good thing to mention here.

Keying off of Adrian's question in his discuss, I think what Catherine
is asking here (please correct me if I am wrong), is to know if the
risk in the EVPN draft of duplicated MACs is mitigated with this draft
since MACs are aggregated (better organized and duplicates removed).
If so, should that be mentioned?  The solution advantages section
(10.1, 10.2, and 10.3 specifically) talks about the aggregation, but
is there a security advantage too?  10.5 sounds as if you might get
more granularity for forwarding policies as well.

> I’d consider the draft somewhere between ready with nits and ready with
> issues.  I don’t see any real security issues
> here, just a Security Considerations section that needs to be expanded a
> little, but this seems to be a little more than what the
> secdir guidelines would call a nit.

If none of those apply and change anything from the referenced
section, the simple statement that no additional security
considerations are added could be helpful.

Thank you,

> Catherine Meadows
> Naval Research Laboratory
> Code 5543
> 4555 Overlook Ave., S.W.
> Washington DC, 20375
> phone: 202-767-3490
> fax: 202-404-7942
> email:


Best regards,