Re: [secdir] draft-ietf-bess-virtual-subnet-05 SECDIR Review

Xuxiaohu <> Wed, 25 November 2015 02:03 UTC

From: Xuxiaohu <>
To: Donald Eastlake <>
Date: Wed, 25 Nov 2015 02:03:49 +0000

Hi Donald,

Thanks a lot for your review. Please see my response inline.

> -----Original Message-----
> From: Donald Eastlake []
> Sent: Wednesday, November 25, 2015 2:34 AM
> To:;
> Cc:
> Subject: draft-ietf-bess-virtual-subnet-05 SECDIR Review
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  Document
> editors and WG chairs should treat these comments just like any other last call
> comments.
>
> This Informational document describes a straightforward method using existing
> BGP/MPLS VPN technology along with ARP/ND proxying to interconnect parts of
> an IP subnet spread across two or more data centers including support of VM
> migration between data centers. (It also suggests that bridging techniques be
> used if non-IP traffic has to be supported.)
>
> Security:
>
> The Security Considerations section in its entirety is as follows:
>
>    This document doesn't introduce additional security risk to BGP/MPLS
>    IP VPN, nor does it provide any additional security feature for BGP/
>
> While I don't think the Security Considerations section of this Informational
> document needs to be particularly large or heavy, I believe there is more to be
> said. Perhaps points such as the security of the L2 or IP addresses used by the
> hosts/servers in the data centers or the PE devices seeming like ideal
> concentration points to observe traffic metadata and content so systems along
> the lines of those described here should take that into account.

How about adding the following text to the Security Considerations section?

"Since the BGP/MPLS IP VPN signaling is reused without any change, those security considerations as described in [RFC4364] are applicable to this document. Meanwhile, since security issues associated with the NDP are inherited due to the use of NDP proxy, those security considerations and recommendations as described in [RFC6583] are applicable to this document as well."

> Other:
> While I understand that many disagree with me, I believe that, except in special
> circumstances, front page authors should list a postal address and/or telephone
> number in the Authors Addresses section as well as an email address. In my
> opinion, the Authors Addresses section of this draft is an example of schlock
> corner cutting.

OK, I will fix it.

> Trivia:
> Section 1, page 3, item b: "challenge on the forwarding" -> "challenge to the
> forwarding".
>     item c: "growing by multiples" -> "multiplying"

Will fix it.

> Section 1, page 4: "infrastructures and their corresponding experiences" ->
> "infrastructure and experience".

Will fix it.

> Section 3.4: "Acting as an ARP or ND proxies, a PE routers" -> "Acting as an ARP
> or ND proxy, a PE router"

Will fix it.

> I'm not sure what the occurrences of "Infrastructure-as-a-Service (IaaS)" and
> "IaaS" add other than buzzword compliance and think the draft would be improved
> by deleting them.

Will delete them. Thanks a lot again for your review.

Best regards,

> Thanks,
> Donald
> =============================
>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>  155 Beaver Street, Milford, MA 01757 USA
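The proposed text above says a PE acting as ND proxy inherits the NDP concerns of RFC 6583, whose main operational recommendations are to bound the number of unresolved (INCOMPLETE) neighbor-cache entries and to rate-limit the solicitations the router sends, so that traffic to many unused addresses in the subnet cannot exhaust the cache or evict resolved neighbors. The following is an added illustration, not code from the draft or from either author: a minimal model of such a bounded neighbor cache on a proxy PE; the limits, the `2001:db8::` addresses and the `simulate_scan` helper are constructed for the example.

```python
# Added example (not from the draft or this thread): a minimal neighbor-cache
# model for a PE acting as ND proxy, applying the RFC 6583 mitigations of a
# bounded INCOMPLETE table and rate-limited Neighbor Solicitations.
from collections import OrderedDict

INCOMPLETE_LIMIT = 3        # assumption: max unresolved entries kept at once
SOLICIT_PER_SECOND = 2      # assumption: cap on NS sent toward the local subnet


class NeighborCache:
    def __init__(self):
        self.reachable = {}                 # addr -> link-layer address
        self.incomplete = OrderedDict()     # addr -> time first solicited
        self.solicits = []                  # timestamps of NS sent (last second)
        self.dropped = 0                    # packets refused by the limits

    def _rate_ok(self, now):
        self.solicits = [t for t in self.solicits if now - t < 1.0]
        return len(self.solicits) < SOLICIT_PER_SECOND

    def lookup(self, addr, now):
        """Return 'forward', 'solicit' or 'drop' for a packet destined to addr."""
        if addr in self.reachable:
            return "forward"                # resolved entries are never evicted
        if addr in self.incomplete:
            return "drop"                   # resolution already in progress
        if len(self.incomplete) >= INCOMPLETE_LIMIT or not self._rate_ok(now):
            self.dropped += 1               # RFC 6583: refuse rather than evict
            return "drop"
        self.incomplete[addr] = now
        self.solicits.append(now)
        return "solicit"

    def learn(self, addr, lladdr):
        """Neighbor Advertisement received: promote the entry to REACHABLE."""
        self.incomplete.pop(addr, None)
        self.reachable[addr] = lladdr

    def expire(self, now, timeout=3.0):
        """Age out INCOMPLETE entries that never got an advertisement."""
        for addr, t in list(self.incomplete.items()):
            if now - t >= timeout:
                del self.incomplete[addr]


def simulate_scan(cache, n, now):
    """Constructed input: n packets to n distinct unresolved addresses in one burst."""
    results = [cache.lookup(f"2001:db8::{0x100 + i:x}", now) for i in range(1, n + 1)]
    return results.count("solicit"), results.count("drop")
```

A burst of packets to unused addresses yields only the permitted number of solicitations; the rest are counted as dropped while an already-resolved neighbor keeps being forwarded.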