Re: [secdir] Security Directorate review of draft-ietf-pwe3-dynamic-ms-pw-20

"Bocci, Matthew (Matthew)" <> Mon, 06 January 2014 16:01 UTC

Thank you very much for your review. I will add a short discussion to the
security considerations section, as you propose.

On 06/01/2014 09:51, "Klaas Wierenga (kwiereng)" <>

>I have reviewed this document as part of the security directorate's
>ongoing effort to review all IETF documents being processed by the
>IESG.  These comments were written primarily for the benefit of the
>security area directors.  Document editors and WG chairs should treat
>these comments just like any other last call comments.
>
>The draft describes extensions to the pseudowire control protocol to
>dynamically place the segments of the multi-segment pseudowire among a
>set of Provider Edge (PE) routers.
>
>The draft is relatively straightforward and clear, but from a security
>PoV I did take issue with the statement in the security considerations
>that goes:
>
>"This document specifies only extensions to the protocols already defined
>in [RFC4447], and [RFC6073]. The extensions defined in this document do
>not affect the security considerations for those protocols."
>
>When you essentially propose a mechanism to dynamically insert men in
>the middle, you can imo not just state that nothing changes. In the
>meanwhile I have talked to some people that are much more cognisant of
>pseudowires than I am, and I have let myself be convinced that this
>indeed does not introduce new attack vectors (as compared to static PW
>and normal MPLS networks), and that existing threats can be mitigated by
>doing end-to-end connection verification, but I believe that others,
>like me, would be helped by a short discussion pertaining to this.
>
>Hope this helps,