[secdir] secdir review of draft-ietf-12vpn-pbb-evpn-09 (resend)

Catherine Meadows <catherine.meadows@nrl.navy.mil> Tue, 20 January 2015 21:49 UTC

Return-Path: <catherine.meadows@nrl.navy.mil>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 010C81A0029; Tue, 20 Jan 2015 13:49:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id HMMhgVWy9bpy; Tue, 20 Jan 2015 13:49:33 -0800 (PST)
Received: from ccs.nrl.navy.mil (mx0.ccs.nrl.navy.mil [IPv6:2001:480:20:118:118::211]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDC991A0027; Tue, 20 Jan 2015 13:49:30 -0800 (PST)
Received: from ashurbanipal.fw5540.net (fw5540.nrl.navy.mil []) by ccs.nrl.navy.mil (8.14.4/8.14.4) with ESMTP id t0KLnQLd022237 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Tue, 20 Jan 2015 16:49:27 -0500
From: Catherine Meadows <catherine.meadows@nrl.navy.mil>
Content-Type: multipart/alternative; boundary="Apple-Mail=_458D4C1B-FE83-4DAA-94B1-9F5EB8646029"
Date: Tue, 20 Jan 2015 16:49:26 -0500
Message-Id: <978A8F4D-77E2-4B04-B638-EC321F95D122@nrl.navy.mil>
To: secdir@ietf.org, iesg@ietf.org, draft-ietf-l2vpn-pbb-evpn.all@tools.ietf.org
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
X-Mailer: Apple Mail (2.1878.6)
X-CCS-MailScanner: No viruses found.
X-CCS-MailScanner-Info: See: http://www.nrl.navy.mil/ccs/support/email
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/rq06HHslqpJHf_F0xzpCY2LG5BE>
Subject: [secdir] secdir review of draft-ietf-12vpn-pbb-evpn-09 (resend)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jan 2015 21:49:35 -0000

I messed up the authors’ address when I sent this review last week, so I’m
trying again.


I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This draft describes a method for integrating Ethernet Provider Backbone Bridge (PBB) with Ethernet VPN (EVPN) to
improve the delivery of MAC addresses, in particular with respect to scalability.  

I don’t see any security concerns with this draft, but I do have some comments on the Security Considerations section.
It is very short, and all it says that the security considerations in the EVPN draft apply directly to this draft. I assume that
it is also the case that this draft introduces no new security considerations.  If so, you should say so, and you should
also say why.  Also, I was wondering if the mechanisms introduced in this draft, by introducing a greater degree of organization
in the delivery of MAC addresses, makes it easier to detect duplicated MACs, which were mentioned as a security risk in the
Security Considerations of the EVPN draft.  If this is the case, it would be a good thing to mention here.

I’d consider the draft somewhere between ready with nits and ready with issues.  I don’t see any real security issues
here, just a Security Considerations section that needs to be expanded a little, but this seems to be a little more than what the
secdir guidelines would call a nit.

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.mil