[secdir] Secdir last call review of draft-ietf-mpls-sfc-encapsulation-02

Paul Wouters <paul@nohats.ca> Sun, 17 February 2019 23:57 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id B01F2128D52; Sun, 17 Feb 2019 15:57:46 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Paul Wouters <paul@nohats.ca>
To: secdir@ietf.org
Cc: mpls@ietf.org, draft-ietf-mpls-sfc-encapsulation.all@ietf.org, ietf@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.91.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <155044786665.4047.16182077722084116649@ietfa.amsl.com>
Date: Sun, 17 Feb 2019 15:57:46 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/JRoAu9WaZvDVNnw8GPacIjxlLUw>
Subject: [secdir] Secdir last call review of draft-ietf-mpls-sfc-encapsulation-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Feb 2019 23:57:47 -0000

Reviewer: Paul Wouters
Review result: Ready

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is Ready

While I'm not familiar with the Service Function Chaining (SFC) architecture
and the Network Service Header (NSH), the Security Considerations in this
document seem to be correct in pointing out that:

  This document simply
   defines one additional transport encapsulation.  The NSH was
   specially constructed to be agnostic to its transport encapsulation.
   As as result, in general this additional encapsulation is no more or
   less secure than carrying the NSH in any other encapsulation.