Re: [secdir] Secdir review of draft-ietf-l2vpn-ipls-14

"Shah, Himanshu" <> Tue, 14 October 2014 21:08 UTC

From: "Shah, Himanshu" <>
To: "Zhangdacheng (Dacheng)" <>, "" <>
Date: Tue, 14 Oct 2014 17:07:52 -0400
Cc: IESG <>, "" <>
Subject: Re: [secdir] Secdir review of draft-ietf-l2vpn-ipls-14

Hi Dacheng,
Thanks for your review and suggestions for improvements.
I also apologize for the delay in the response.

My comments in line.


From: Zhangdacheng (Dacheng) []
Sent: Friday, August 01, 2014 2:40 AM
Subject: Secdir review of draft-ietf-l2vpn-ipls-14


I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document proposes a 'simplified' type of VPLS which only supports IP. In addition, in this solution the maintenance of the MAC forwarding tables is done via a control plane protocol, rather than via the MAC address learning procedures specified in [IEEE 802.1D].

I think this document is almost ready for publication. Two comments are as follows:

1) In security consideration, MD5 should not be recommended. So, "authenticating the LDP messages using MD5 authentication." could be changed to "authenticating the LDP messages by verifying keyed digests."

Himanshu> OK, I will change the text.

2) In this solution, a PE actively detects the presence of local CEs by snooping IP and ARP frames received over the ACs. As the PE discovers each locally attached CE, a unicast multipoint-to-point pseudowire (mp2p PW) associated exclusively with that CE is created by distributing the MAC address and optionally IP address of the CE along with a PW-Label to all the remote PE peers that participate in the same IPLS instance. So, IMHO, DDoS attacks by generating large amounts of bogus IP and ARP frames should be considered, and countermeasures should be provided. For instance, MAC addresses of CEs should be distributed only at a limited frequency.

Himanshu> I believe the rate control should be left up to the implementation.
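The rate control Dacheng asks for in point 2, and which Himanshu leaves to implementations, sketched as an added Python example that is not part of the draft or of this thread: a per-AC token bucket plus an entry cap decide whether a snooped CE discovery may become an LDP MAC/PW advertisement. The class, its policy knobs and the replayed traffic (three real CEs, a 200-frame spoofed-ARP burst, then a fourth CE) are assumptions constructed for the example.

```python
class AcDiscoveryLimiter:
    """Per-attachment-circuit (AC) control over how snooped CE discoveries become LDP
    MAC/PW advertisements: a token bucket bounds the rate, a cap bounds table growth."""

    def __init__(self, rate, burst, max_ces):
        self.rate, self.burst, self.max_ces = rate, burst, max_ces  # assumed policy knobs
        self.tokens, self.last = float(burst), 0.0                 # token-bucket state
        self.known, self.dropped = {}, 0                           # mac -> ip; frames suppressed

    def _refill(self, now):
        if now > self.last:
            self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
            self.last = now

    def observe(self, now, mac, ip):
        """Handle one snooped IP/ARP frame from this AC; returns the decision taken."""
        if mac in self.known:
            return "known"          # existing CE: no new PW, no LDP message
        if len(self.known) >= self.max_ces:
            self.dropped += 1
            return "table-full"     # AC quota exhausted: never advertise
        self._refill(now)
        if self.tokens < 1.0:
            self.dropped += 1
            return "rate-limited"   # discovery deferred, remote PEs not flooded
        self.tokens -= 1.0
        self.known[mac] = ip
        return "advertise"          # here the PE would distribute MAC, IP and PW label

def run_constructed_flood():
    """Replay constructed AC traffic: 3 real CEs, a 200-frame spoofed-ARP burst, a 4th CE."""
    lim = AcDiscoveryLimiter(rate=1.0, burst=5, max_ces=50)
    events = [(0.0, "00:00:5e:00:01:01", "192.0.2.1"),
              (1.0, "00:00:5e:00:01:02", "192.0.2.2"),
              (2.0, "00:00:5e:00:01:03", "192.0.2.3")]
    events += [(2.0 + i / 1000, f"02:00:00:bb:{i >> 8:02x}:{i & 0xff:02x}", f"198.51.100.{i % 250}")
               for i in range(200)]  # constructed: 200 distinct spoofed MACs within 200 ms
    events.append((10.0, "00:00:5e:00:01:04", "192.0.2.4"))  # legitimate CE after the burst
    counts = {}
    for now, mac, ip in events:
        decision = lim.observe(now, mac, ip)
        counts[decision] = counts.get(decision, 0) + 1
    return lim, counts

if __name__ == "__main__":
    lim, counts = run_constructed_flood()
    print(counts, "CE entries:", len(lim.known), "suppressed:", lim.dropped)
```

With these knobs the burst yields only four spurious advertisements before the bucket empties, and the legitimate CE arriving later is still advertised because the bucket has refilled.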