[secdir] Secdir review of draft-ietf-l2vpn-pbb-vpls-interop-05
Matthew Lepinski <mlepinski.ietf@gmail.com> Sat, 05 October 2013 02:52 UTC
Return-Path: <mlepinski.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A71521F9D9A; Fri, 4 Oct 2013 19:52:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZTqDhBDq5Fxg; Fri, 4 Oct 2013 19:52:22 -0700 (PDT)
Received: from mail-qc0-x22e.google.com (mail-qc0-x22e.google.com [IPv6:2607:f8b0:400d:c01::22e]) by ietfa.amsl.com (Postfix) with ESMTP id 0229421F9E44; Fri, 4 Oct 2013 19:52:20 -0700 (PDT)
Received: by mail-qc0-f174.google.com with SMTP id n9so3342751qcw.5 for <multiple recipients>; Fri, 04 Oct 2013 19:52:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:cc:content-type; bh=WFjuHYnKXBFj9m2OkSfq+JOfjBYLmBkbeGTilhteidM=; b=rQ8Xd0e83Q7rm1klbVI6PJycNPAD6jWzuUKH12X/u8CrDf9Pyes9l7jXxtzO/l2w5N Ys8osQfLb1YgZ8Thth60U/ZHxIywzOt+Syif0nvMFFb27H831jDHK61fUn6SoR2v0CCK HVKyE8ifwkePSMtxLsrG0lpocjPAqlHahyT2dNJSyKM0txTdANdSSSkEgbW5lZmfhLmA OyvaVdb8jPgv3PcYACIoK460PWhHOG/1a7JeEjBr7ktMve0DsKup5mt1hWmMwD92GRZt agsw+d04hSDHUEl5KlcbqnzqmTmngwEQ8SARguHYdO7FlICovUcNE1SyvtMV1vXckH7Y CIpw==
MIME-Version: 1.0
X-Received: by 10.224.126.197 with SMTP id d5mr22656795qas.1.1380941540500; Fri, 04 Oct 2013 19:52:20 -0700 (PDT)
Received: by 10.49.81.9 with HTTP; Fri, 4 Oct 2013 19:52:20 -0700 (PDT)
Date: Fri, 04 Oct 2013 22:52:20 -0400
Message-ID: <CANTg3aAzAx-MaOin9b+EUmk2XbhP16HtKOGM-8-VOdvJsp1HLQ@mail.gmail.com>
From: Matthew Lepinski <mlepinski.ietf@gmail.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Content-Type: multipart/alternative; boundary="e89a8f13ea9afa29af04e7f5816d"
Cc: draft-ietf-l2vpn-pbb-vpls-interop.all@tools.ietf.org
Subject: [secdir] Secdir review of draft-ietf-l2vpn-pbb-vpls-interop-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Oct 2013 02:52:27 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Summary: With the exception of the minor editorial issues below, I believe this document is ready to publish This is an informational document that describes how to use Hierarchical Virtual Private LAN Service (H-VPLS) [RFC 4762] with the IEEE's 802.1ah specification for Provider Backbone Bridging. In particular, the document lays out four deployment scenarios and describes how the two technologies inter-operate in each scenario (to achieve better scaling propertires than one would get without use of 802.1ah). The authors claim that the use of 802.1ah introduces no security concerns beyond the general considerations in any H-VPLS deployment, which are documented in RFC 4762 (and RFC 4111). I am inclined to agree. Although I don't have a deep enough knowledge of H-VPLS to be certain, I think that some of the security concerns documents in RFC 4762 (e.g., traffic isolation and certain kinds of denial of service attacks) are actually somewhat alleviated through the use of Provider Backbone Bridging. EDITORIAL COMMENTS: As someone who does not ordinarily read L2VPN documents, I would find it very helpful if you could expand each acronym the first time it is used. In particular, I would have found it very helpful if you had expanded VPLS when it appears in the first sentence of the introduction. (I also would have found it quite helpful to include a reference to 4762 early in the introduction as well.) Additionally, In understanding the security considerations for this document, I personally found it very useful to read portions of RFC 4111. RFC 4111 is referenced by RFC 4762, but I think it would be helpful to provide a direct reference to RFC 4111 in the security considerations for this document. (As opposed to just referencing RFC 4762.) This is a small editorial point, but as a reader, I would prefer a direct link to a document that is likely to be of interest, as opposed to following a sequence of references.
- [secdir] Secdir review of draft-ietf-l2vpn-pbb-vp… Matthew Lepinski
- Re: [secdir] Secdir review of draft-ietf-l2vpn-pb… Ali Sajassi (sajassi)