Re: [secdir] draft-ietf-bess-virtual-subnet-05 SECDIR Review

Xuxiaohu <xuxiaohu@huawei.com> Wed, 25 November 2015 02:03 UTC

From: Xuxiaohu <xuxiaohu@huawei.com>
To: Donald Eastlake <d3e3e3@gmail.com>, "draft-ietf-bess-virtual-subnet.all@ietf.org" <draft-ietf-bess-virtual-subnet.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Thread-Topic: draft-ietf-bess-virtual-subnet-05 SECDIR Review
Thread-Index: AQHRJubJoyl7jdPptUCMuxAuG7Ys3Z6r+HIQ
Date: Wed, 25 Nov 2015 02:03:49 +0000
Message-ID: <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB52228@NKGEML512-MBS.china.huawei.com>
References: <CAF4+nEHEQoLZY0f9B50xTRLM=_CvWfZO8Bh2uVyWGJp3XDkoJw@mail.gmail.com>
In-Reply-To: <CAF4+nEHEQoLZY0f9B50xTRLM=_CvWfZO8Bh2uVyWGJp3XDkoJw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/tM2r9WOK5iAWkA0NKr4y1LPzVVg>
Cc: "secdir@ietf.org" <secdir@ietf.org>

Hi Donald,

Thanks a lot for your review. Please see my response inline.

> -----Original Message-----
> From: Donald Eastlake [mailto:d3e3e3@gmail.com]
> Sent: Wednesday, November 25, 2015 2:34 AM
> To: draft-ietf-bess-virtual-subnet.all@ietf.org; iesg@ietf.org
> Cc: secdir@ietf.org
> Subject: draft-ietf-bess-virtual-subnet-05 SECDIR Review
> 
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  Document
> editors and WG chairs should treat these comments just like any other last call
> comments.
> 
> This Informational document describes a straightforward method using existing
> BGP/MPLS VPN technology along with ARP/ND proxying to interconnect parts of
> an IP subnet spread across two or more data centers including support of VM
> migration between data centers. (It also suggests that bridging techniques be
> used if non-IP traffic has to be supported.)
> 
> Security:
> 
> The Security Considerations section in its entirety is as follows:
> 
>    This document doesn't introduce additional security risk to BGP/MPLS
>    IP VPN, nor does it provide any additional security feature for BGP/
>    MPLS IP VPN.
> 
> While I don't think the Security Considerations section of this Informational
> document needs to be particularly large or heavy, I believe there is more to be
> said. Perhaps points such as the security of the L2 or IP addresses used by the
> hosts/servers in the data centers or the PE devices seeming like ideal
> concentration points to observe traffic metadata and content so systems along
> the lines of those described here should take that into account.

How about adding the following text to the Security Considerations section?

"Since the BGP/MPLS IP VPN signaling is reused without any change, the security considerations described in [RFC4364] are applicable to this document. Meanwhile, since the security issues associated with NDP are inherited through the use of an NDP proxy, the security considerations and recommendations described in [RFC6583] are applicable to this document as well."

> Other:
> 
> While I understand that many disagree with me, I believe that, except in special
> circumstances, front page authors should list a postal address and/or telephone
> number in the Authors Addresses section as well as an email address. In my
> opinion, the Authors Addresses section of this draft is an example of schlock
> corner cutting.

OK, I will fix it.

> Trivia:
> 
> Section 1, page 3, item b: "challenge on the forwarding" -> "challenge to the
> forwarding".
>     item c: "growing by multiples" -> "multiplying"

Will fix it.

> Section 1, page 4: "infrastructures and their corresponding experiences" ->
> "infrastructure and experience".

Will fix it.

> Section 3.4: "Acting as an ARP or ND proxies, a PE routers" -> "Acting as an ARP
> or ND proxy, a PE router"

Will fix it.
 
> I'm not sure what the occurrences of "Infrastructure-as-a-Service (IaaS)" and
> "IaaS" add other than buzzword compliance, and think the draft would be improved
> by deleting them.

Will delete them. Thanks a lot again for your review.

Best regards,
Xiaohu

> Thanks,
> Donald
> =============================
>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>  155 Beaver Street, Milford, MA 01757 USA  d3e3e3@gmail.com
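The exchange above turns on two points: a PE answers ARP/ND solicitations on behalf of hosts that live behind other PEs (learning which addresses are remote from the host routes carried in the BGP/MPLS VPN, and updating that view when a VM migrates), and by doing so it inherits the neighbor-discovery resource-exhaustion concerns that [RFC6583] describes. The following model is an added illustration written for this page; it is not code from the draft, from the reviewer, or from any PE implementation. The class name, the decision strings, the per-PE bound on unresolved targets (`max_pending`) and the "drop once the bound is hit" behaviour are all assumptions made here in the spirit of the RFC6583 advice to limit what an off-link scan of the subnet can consume; the draft itself does not prescribe them.

```python
"""Toy model of a PE acting as ARP/ND proxy for one virtual subnet.

Added example, not code from draft-ietf-bess-virtual-subnet or any vendor.
Assumed (not from the draft): a PE proxies only for targets it has a VPN host
route for, stays silent for targets on its own LAN (the host answers itself),
and bounds the number of in-subnet targets it is still trying to resolve.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class ProxyPE:
    subnet: str               # the virtual subnet this PE attaches to
    pe_mac: str               # MAC the PE answers with when proxying
    max_pending: int = 4      # assumed bound on unresolved targets (RFC 6583 style)
    local: dict = field(default_factory=dict)    # ip -> MAC of hosts on this PE's LAN
    remote: dict = field(default_factory=dict)   # ip -> remote PE, from /32 or /128 host routes
    pending: set = field(default_factory=set)    # in-subnet targets with no route yet

    def __post_init__(self):
        self.net = ip_network(self.subnet)

    def learn_host_route(self, ip, remote_pe):
        """A host route for `ip` arrives over BGP/MPLS VPN from `remote_pe`.

        If the address was previously local, the VM has migrated away, so
        the local entry is dropped and the PE starts proxying for it.
        """
        self.remote[ip] = remote_pe
        self.local.pop(ip, None)
        self.pending.discard(ip)

    def learn_local(self, ip, mac):
        """A host on this PE's own LAN has been resolved (or migrated in)."""
        self.local[ip] = mac
        self.remote.pop(ip, None)
        self.pending.discard(ip)

    def handle_solicitation(self, target):
        """Decide what the PE does with an ARP request / NS for `target`."""
        if ip_address(target) not in self.net:
            return "ignore"                        # not this subnet: nothing to proxy
        if target in self.local:
            return "silent"                        # local host answers; proxying would shadow it
        if target in self.remote:
            return "proxy-reply " + self.pe_mac    # answer with own MAC; traffic is then routed
        if target in self.pending:
            return "pending"                       # already being resolved, no new state
        if len(self.pending) >= self.max_pending:
            return "drop"                          # bound hit: a subnet scan cannot grow state
        self.pending.add(target)
        return "pending"


def demo():
    """Two data centres, one VM migration, one scan of unused addresses."""
    pe1 = ProxyPE("10.0.1.0/24", "00:11:22:33:44:55", max_pending=2)  # constructed sample
    pe1.learn_local("10.0.1.10", "aa:bb:cc:00:00:10")
    pe1.learn_host_route("10.0.1.20", "PE2")
    out = {
        "remote": pe1.handle_solicitation("10.0.1.20"),
        "local": pe1.handle_solicitation("10.0.1.10"),
        "other_subnet": pe1.handle_solicitation("10.0.2.1"),
        "scan": [pe1.handle_solicitation("10.0.1.%d" % i) for i in range(100, 104)],
    }
    pe1.learn_host_route("10.0.1.10", "PE2")   # VM 10.0.1.10 migrates to the other DC
    out["after_migration"] = pe1.handle_solicitation("10.0.1.10")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The model also works unchanged for IPv6 neighbor solicitations, since `ip_network` and `ip_address` accept either family; the point it makes is that the proxy's correctness rests entirely on the host-route table fed by BGP, which is exactly why the [RFC4364] considerations on who may inject routes into the VPN carry over to the virtual subnet.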