Re: [secdir] Secdir review of draft-ietf-l2vpn-pbb-vpls-interop-05

"Ali Sajassi (sajassi)" <sajassi@cisco.com> Tue, 08 October 2013 20:58 UTC

From: "Ali Sajassi (sajassi)" <sajassi@cisco.com>
To: Matthew Lepinski <mlepinski.ietf@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Date: Tue, 08 Oct 2013 20:58:44 +0000
Cc: "draft-ietf-l2vpn-pbb-vpls-interop.all@tools.ietf.org" <draft-ietf-l2vpn-pbb-vpls-interop.all@tools.ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-l2vpn-pbb-vpls-interop-05

Matthew,

Thanks for your comments. I have incorporated them into rev06 of this document.

Cheers,
Ali

From: Matthew Lepinski <mlepinski.ietf@gmail.com>
Date: Friday, October 4, 2013 10:52 PM
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Cc: "draft-ietf-l2vpn-pbb-vpls-interop.all@tools.ietf.org" <draft-ietf-l2vpn-pbb-vpls-interop.all@tools.ietf.org>
Subject: Secdir review of draft-ietf-l2vpn-pbb-vpls-interop-05
Resent-From: <draft-alias-bounces@tools.ietf.org>
Resent-To: <florin.balus@alcatel-lucent.com>, <giheron@cisco.com>, <nabil.n.bitar@verizon.com>, Cisco Employee <sajassi@cisco.com>, <ssalam@cisco.com>, <stewart@g3ysx.org.uk>
Resent-Date: Friday, October 4, 2013 10:52 PM

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

Summary: With the exception of the minor editorial issues below, I believe this document is ready to publish.

This is an informational document that describes how to use Hierarchical Virtual Private LAN Service (H-VPLS) [RFC 4762] with the IEEE's 802.1ah specification for Provider Backbone Bridging. In particular, the document lays out four deployment scenarios and describes how the two technologies inter-operate in each scenario (to achieve better scaling properties than one would get without use of 802.1ah).

The authors claim that the use of 802.1ah introduces no security concerns beyond the general considerations in any H-VPLS deployment, which are documented in RFC 4762 (and RFC 4111). I am inclined to agree. Although I don't have a deep enough knowledge of H-VPLS to be certain, I think that some of the security concerns documented in RFC 4762 (e.g., traffic isolation and certain kinds of denial of service attacks) are actually somewhat alleviated through the use of Provider Backbone Bridging.

EDITORIAL COMMENTS:
As someone who does not ordinarily read L2VPN documents, I would find it very helpful if you could expand each acronym the first time it is used. In particular, I would have found it very helpful if you had expanded VPLS when it appears in the first sentence of the introduction. (I also would have found it quite helpful to include a reference to 4762 early in the introduction as well.)

Additionally, in understanding the security considerations for this document, I personally found it very useful to read portions of RFC 4111. RFC 4111 is referenced by RFC 4762, but I think it would be helpful to provide a direct reference to RFC 4111 in the security considerations for this document (as opposed to just referencing RFC 4762). This is a small editorial point, but as a reader, I would prefer a direct link to a document that is likely to be of interest, as opposed to following a sequence of references.