Re: [secdir] draft-ietf-bess-virtual-subnet-05 SECDIR Review

Donald Eastlake <d3e3e3@gmail.com> Wed, 25 November 2015 03:36 UTC

Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D85FA1ACE8B; Tue, 24 Nov 2015 19:36:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HVtOZAr597Ft; Tue, 24 Nov 2015 19:36:00 -0800 (PST)
Received: from mail-oi0-x236.google.com (mail-oi0-x236.google.com [IPv6:2607:f8b0:4003:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17C971ACE89; Tue, 24 Nov 2015 19:36:00 -0800 (PST)
Received: by oies6 with SMTP id s6so22509511oie.1; Tue, 24 Nov 2015 19:35:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=qy0ck2Vc6LhRBAzchao8KFX6yPTM6E3BCEYItnGMi2k=; b=O6QxKDwSYyyJ42GB4UWLw+7wTgtotlVJtR6Q5+ivvqi8ITD+lte7UpL59YmlfhGvF7 IYs7/DuznkzRJtlz1Zn2Seg49dvRSi5c1OwSb/+ZhtJPYLtzcMfTTVpDw9L5h9Jmsn71 MgUWEVhOxhMwBdZnfg+jnZE5kktT6fsVkO64Usb6nAFjWLOH5oyTq/XLdutWrAahGSEF 7GpRJPJY6RQfGr9y5Ug5U/oiJRw8O1VOREpayeFHMEiRmukc6dKZ/kK77IadLudHSU8l zTiYxCSl7WO5Djthpg5IG3Z3VPYiOOFlCLRTtlkB4coz2uHv0fxhBe3psXMZbYN0GoIO vtzw==
X-Received: by 10.202.72.132 with SMTP id v126mr21609710oia.84.1448422559417; Tue, 24 Nov 2015 19:35:59 -0800 (PST)
MIME-Version: 1.0
Received: by 10.76.19.102 with HTTP; Tue, 24 Nov 2015 19:35:45 -0800 (PST)
In-Reply-To: <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB52228@NKGEML512-MBS.china.huawei.com>
References: <CAF4+nEHEQoLZY0f9B50xTRLM=_CvWfZO8Bh2uVyWGJp3XDkoJw@mail.gmail.com> <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB52228@NKGEML512-MBS.china.huawei.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Tue, 24 Nov 2015 22:35:45 -0500
Message-ID: <CAF4+nEHa91AoCV=LOZvXYL2A2moNzV3PX6jFqojw1wjGQv6PAQ@mail.gmail.com>
To: Xuxiaohu <xuxiaohu@huawei.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Zha5VeGRZbbwCt6TERbqjHv3y38>
Cc: "draft-ietf-bess-virtual-subnet.all@ietf.org" <draft-ietf-bess-virtual-subnet.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] draft-ietf-bess-virtual-subnet-05 SECDIR Review
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2015 03:36:02 -0000

Hi Xiaohu,

On Tue, Nov 24, 2015 at 9:03 PM, Xuxiaohu <xuxiaohu@huawei.com> wrote:
> Hi Donald,
>
> Thanks a lot for your review. Please see my response inline.
>
>> -----Original Message-----
>> From: Donald Eastlake [mailto:d3e3e3@gmail.com]
>> Sent: Wednesday, November 25, 2015 2:34 AM
>> To: draft-ietf-bess-virtual-subnet.all@ietf.org; iesg@ietf.org
>> Cc: secdir@ietf.org
>> Subject: draft-ietf-bess-virtual-subnet-05 SECDIR Review
>>
>>...
>>
>> Security:
>>
>> The Security Considerations section in its entirety is as follows:
>>
>>    This document doesn't introduce additional security risk to BGP/MPLS
>>    IP VPN, nor does it provide any additional security feature for BGP/
>>    MPLS IP VPN.
>>
>> While I don't think the Security Considerations section of this Informational
>> document needs to be particularly large or heavy, I believe there is more to be
>> said. Perhaps points such as the security of the L2 or IP addresses used by the
>> hosts/servers in the data centers or the PE devices seeming like ideal
>> concentration points to observe traffic metadata and content so systems along
>> the lines of those described here should take that into account.
>
> How about adding the following text to the security consideration section?
>
> "Since the BGP/MPLS IP VPN signaling is reused without any change, those security considerations as described in [RFC4364] are applicable to this document. Meanwhile, since security issues associated with the NDP are inherited due to the use of NDP proxy, those security considerations and recommendations as described in [RFC6583] are applicable to this document as well."

Adding that would be a good. I have read the security considerations
referred to above and they cover most of my concerns. So I would be
satisfied if you added that text.

Thanks for offering to fix all the things below.

Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com

>> Other:
>>
>> While I understand that many disagree with me, I believe that, except in special
>> circumstances, front page authors should list a postal address and/or telephone
>> number in the Authors Addresses section as well as an email address. In my
>> opinion, the Authors Addresses section of this draft is an example of schlock
>> corner cutting.
>
> OK, I will fix it.
>
>> Trivia:
>>
>> Section 1, page 3, item b: "challenge on the forwarding" -> "challenge to the
>> forwarding".
>>     item c: "growing by multiples" -> "multiplying"
>
> Will fix it.
>
>> Section 1, page 4: "infrastructures and their corresponding experiences" ->
>> "infrastructure and experience".
>
> Will fix it
>
>> Section 3.4: "Acting as an ARP or ND proxies, a PE routers" -> "Acting as an ARP
>> or ND proxy, a PE router"
>
> Will fix it.
>
>> I'm not sure what the occurrences of "Infrastructure-as-a-Service (IaaS)" and
>> "IaaS" add other than buzzword compliance think the draft would be improved
>> by deleting them.
>
> Will delete them. Thanks a lot again for your review.
>
> Best regards,
> Xiaohu
>
>> Thanks,
>> Donald
>> =============================
>>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>>  155 Beaver Street, Milford, MA 01757 USA  d3e3e3@gmail.com