[secdir] draft-ietf-bess-virtual-subnet-05 SECDIR Review

Donald Eastlake <d3e3e3@gmail.com> Tue, 24 November 2015 18:34 UTC

From: Donald Eastlake <d3e3e3@gmail.com>
Date: Tue, 24 Nov 2015 13:34:17 -0500
Message-ID: <CAF4+nEHEQoLZY0f9B50xTRLM=_CvWfZO8Bh2uVyWGJp3XDkoJw@mail.gmail.com>
To: draft-ietf-bess-virtual-subnet.all@ietf.org, "iesg@ietf.org" <iesg@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/daHCfhiD6_jVDm-AFxEiXV4ak8E>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: [secdir] draft-ietf-bess-virtual-subnet-05 SECDIR Review

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  Document editors and WG chairs should treat these comments just
like any other last call comments.

This Informational document describes a straightforward method using
existing BGP/MPLS VPN technology along with ARP/ND proxying to
interconnect parts of an IP subnet spread across two or more data
centers including support of VM migration between data centers. (It
also suggests that bridging techniques be used if non-IP traffic has to
be supported.)

Security:

The Security Considerations section in its entirety is as follows:

   This document doesn't introduce additional security risk to BGP/MPLS
   IP VPN, nor does it provide any additional security feature for BGP/
   MPLS IP VPN.

While I don't think the Security Considerations section of this
Informational document needs to be particularly large or heavy, I
believe there is more to be said. Perhaps points such as the security
of the L2 or IP addresses used by the hosts/servers in the data
centers, or the PE devices seeming like ideal concentration points to
observe traffic metadata and content, so that systems along the lines
of those described here should take that into account.

Other:

While I understand that many disagree with me, I believe that, except
in special circumstances, front page authors should list a postal
address and/or telephone number in the Authors Addresses section as
well as an email address. In my opinion, the Authors Addresses section
of this draft is an example of schlock corner cutting.

Trivia:

Section 1, page 3, item b: "challenge on the forwarding" -> "challenge
to the forwarding".
    item c: "growing by multiples" -> "multiplying"

Section 1, page 4: "infrastructures and their corresponding
experiences" -> "infrastructure and experience".

Section 3.4: "Acting as an ARP or ND proxies, a PE routers" -> "Acting
as an ARP or ND proxy, a PE router"

I'm not sure what the occurrences of "Infrastructure-as-a-Service
(IaaS)" and "IaaS" add other than buzzword compliance, and I think the
draft would be improved by deleting them.

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com
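The review above points at two things the draft's one-sentence Security Considerations leaves unsaid: the PE routers become the place where every cross-site packet and ARP/ND exchange is visible, and the L2/IP address bindings the proxies learn from hosts are trusted input. The following is an added example, not code from the review or from the draft, that models a PE acting as an ARP proxy for a subnet stretched across two data centers. It assumes, as the draft describes, that the PE answers ARP requests for hosts reachable only through the BGP/MPLS VPN with its own MAC and stays silent for hosts on its local segment; the subnet-membership check and the conflict alert on a changed MAC are this example's own defender-side additions, and every address, MAC and PE name is a constructed sample value.

```python
"""Constructed model of a PE router doing proxy ARP for a virtual subnet
spread across two data centers (example code, not the draft's own).

The PE keeps a host-route table (a dict standing in for the VRF) and:
  * answers ARP for hosts learned from a remote PE with its own MAC, so
    traffic to them is forwarded over the BGP/MPLS VPN;
  * stays silent for hosts on the local segment, which answer themselves;
  * refuses bindings outside the subnet and records an alert when an IP
    already bound to one MAC is claimed by a different MAC (a VM that
    migrated keeps its MAC, so a MAC change is worth an operator's look).
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class HostRoute:
    mac: str
    site: str  # "local" for a directly attached host, else the remote PE id


@dataclass
class ProxyPE:
    pe_mac: str
    subnet: ipaddress.IPv4Network
    routes: dict = field(default_factory=dict)   # ip string -> HostRoute
    alerts: list = field(default_factory=list)   # operator-facing messages

    def learn_local(self, ip: str, mac: str) -> bool:
        """Process an ARP announcement seen on the local segment."""
        if ipaddress.ip_address(ip) not in self.subnet:
            # a host may only claim addresses inside the stretched subnet
            self.alerts.append(f"ignored {ip}/{mac}: outside {self.subnet}")
            return False
        existing = self.routes.get(ip)
        if existing is not None and existing.mac != mac:
            # same IP, different MAC: not a plain migration, flag it
            self.alerts.append(
                f"conflict {ip}: {existing.mac}@{existing.site} -> {mac}@local")
        # accept the binding (after migration the host route becomes local
        # and would be re-advertised into the VPN from this PE)
        self.routes[ip] = HostRoute(mac, "local")
        return True

    def learn_remote(self, ip: str, mac: str, remote_pe: str) -> None:
        """Install a host route received over BGP/MPLS VPN from another PE."""
        self.routes[ip] = HostRoute(mac, remote_pe)

    def arp_request(self, target_ip: str):
        """Return the MAC the PE answers with, or None if it stays silent."""
        route = self.routes.get(target_ip)
        if route is None or route.site == "local":
            return None          # unknown host, or local host answers itself
        return self.pe_mac       # proxy reply: send via the PE over the VPN


def run_demo() -> ProxyPE:
    """Two-site scenario with constructed addresses; returns the PE state."""
    pe1 = ProxyPE(pe_mac="02:00:00:00:00:01",
                  subnet=ipaddress.ip_network("10.1.0.0/24"))
    pe1.learn_local("10.1.0.10", "02:aa:00:00:00:10")      # host in DC1
    pe1.learn_remote("10.1.0.20", "02:aa:00:00:00:20", "PE2")  # host in DC2
    pe1.learn_local("10.2.0.5", "02:aa:00:00:00:05")       # outside subnet
    pe1.learn_local("10.1.0.20", "02:aa:00:00:00:20")      # VM migrated in
    pe1.learn_local("10.1.0.10", "02:bb:00:00:00:10")      # MAC changed
    return pe1


if __name__ == "__main__":
    pe = run_demo()
    print("ARP 10.1.0.20 ->", pe.arp_request("10.1.0.20"))
    for line in pe.alerts:
        print("ALERT:", line)
```

Run as a script it prints the proxy answer for the remote host and the two alerts; the point of the model is that an ARP/ND proxy PE is the natural place both to enforce which addresses a site may claim and to notice a binding that changes underneath it, which is the kind of consideration the review asks the draft to mention.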