[secdir] Secdir review of draft-ietf-l2vpn-ipls-14

"Zhangdacheng (Dacheng)" <zhangdacheng@huawei.com> Fri, 01 August 2014 09:40 UTC

From: "Zhangdacheng (Dacheng)" <zhangdacheng@huawei.com>
To: "draft-ietf-l2vpn-ipls@tools.ietf.org" <draft-ietf-l2vpn-ipls.all@tools.ietf.org>
Date: Fri, 01 Aug 2014 09:40:28 +0000
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/Mss_mXIc5VEx1Itx2jryIAhnSN0
Cc: IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: [secdir] Secdir review of draft-ietf-l2vpn-ipls-14


I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document proposes a 'simplified' type of VPLS which only supports IP. In addition, in this solution the maintenance of the MAC forwarding tables is done via a control plane protocol, rather than via the MAC address learning procedures specified in [IEEE 802.1D].

I think this document is almost ready for publication. Two comments are as follows:

1) In the Security Considerations section, MD5 should not be recommended. So, "authenticating the LDP messages using MD5 authentication." could be changed to "authenticating the LDP messages by verifying keyed digests."

2) In this solution, a PE actively detects the presence of local CEs by snooping IP and ARP frames received over the ACs. As the PE discovers each locally attached CE, a unicast multipoint-to-point pseudowire (mp2p PW) associated exclusively with that CE is created by distributing the MAC address and optionally IP address of the CE along with a PW-Label to all the remote PE peers that participate in the same IPLS instance. So, IMHO, DDoS attacks by generating large amounts of bogus IP and ARP frames should be considered, and countermeasures should be provided. For instance, MAC addresses of CEs should be distributed only at a limited frequency.
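The rate-limited CE discovery that the second comment argues for, sketched as an added Python model (not code from the draft, from any IPLS implementation, or from this review): a PE learns CE MACs from snooped frames per AC, but advertises them to remote PEs only within a per-AC budget, so a burst of bogus source MACs is counted and dropped instead of triggering PW creation. The MAC addresses, budgets and timestamps are constructed.

```python
"""Constructed model of an IPLS PE's CE-discovery path with a per-AC
advertisement budget. Not IPLS or LDP code; frames are just (ac, mac, t)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class AcLimiter:
    """Per-attachment-circuit budget for MAC advertisements to remote PEs."""
    max_ces: int            # cap on distinct CEs learned on this AC
    max_per_window: int     # cap on advertisements per sliding window
    window: float           # window length in seconds
    known: set = field(default_factory=set)
    sent: deque = field(default_factory=deque)   # timestamps of advertisements


class PE:
    def __init__(self, max_ces=16, max_per_window=4, window=1.0):
        self.cfg = (max_ces, max_per_window, window)
        self.acs = {}
        self.advertised = []    # (ac, mac) pairs "distributed" to remote PEs
        self.dropped = 0        # frames that would have exceeded the budget

    def snoop(self, ac, src_mac, now):
        """Learn a CE MAC from a snooped ARP/IP frame; advertise it to the
        remote PEs only if this AC still has budget. Returns True if advertised."""
        lim = self.acs.setdefault(ac, AcLimiter(*self.cfg))
        if src_mac in lim.known:
            return False        # PW already exists for this CE, nothing to do
        while lim.sent and now - lim.sent[0] >= lim.window:
            lim.sent.popleft()  # expire advertisements outside the window
        if len(lim.known) >= lim.max_ces or len(lim.sent) >= lim.max_per_window:
            self.dropped += 1   # flood: count it, leave the control plane alone
            return False
        lim.known.add(src_mac)
        lim.sent.append(now)
        self.advertised.append((ac, src_mac))
        return True


def simulate_flood(n_frames=100, window=1.0):
    """Constructed scenario: one legitimate CE, then n_frames spoofed source
    MACs on the same AC inside a single window. Returns (advertised, dropped)."""
    pe = PE(max_ces=8, max_per_window=3, window=window)
    pe.snoop("ac1", "00:00:5e:00:53:01", 0.0)           # legitimate CE
    for i in range(n_frames):
        pe.snoop("ac1", f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", 0.1)
    return len(pe.advertised), pe.dropped
```

With the budget of three advertisements per window, the flood yields only two extra PW creations and 98 counted drops, which is also the signal a PE should log or export.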