Re: [secdir] draft-ietf-bess-virtual-subnet-05 SECDIR Review
Xuxiaohu <xuxiaohu@huawei.com> Wed, 25 November 2015 02:03 UTC
From: Xuxiaohu <xuxiaohu@huawei.com>
To: Donald Eastlake <d3e3e3@gmail.com>, "draft-ietf-bess-virtual-subnet.all@ietf.org" <draft-ietf-bess-virtual-subnet.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Date: Wed, 25 Nov 2015 02:03:49 +0000
Message-ID: <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB52228@NKGEML512-MBS.china.huawei.com>
References: <CAF4+nEHEQoLZY0f9B50xTRLM=_CvWfZO8Bh2uVyWGJp3XDkoJw@mail.gmail.com>
In-Reply-To: <CAF4+nEHEQoLZY0f9B50xTRLM=_CvWfZO8Bh2uVyWGJp3XDkoJw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/tM2r9WOK5iAWkA0NKr4y1LPzVVg>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] draft-ietf-bess-virtual-subnet-05 SECDIR Review
Hi Donald,

Thanks a lot for your review. Please see my response inline.

> -----Original Message-----
> From: Donald Eastlake [mailto:d3e3e3@gmail.com]
> Sent: Wednesday, November 25, 2015 2:34 AM
> To: draft-ietf-bess-virtual-subnet.all@ietf.org; iesg@ietf.org
> Cc: secdir@ietf.org
> Subject: draft-ietf-bess-virtual-subnet-05 SECDIR Review
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG. Document
> editors and WG chairs should treat these comments just like any other last call
> comments.
>
> This Informational document describes a straightforward method using existing
> BGP/MPLS VPN technology along with ARP/ND proxying to interconnect parts of
> an IP subnet spread across two or more data centers including support of VM
> migration between data centers. (It also suggests that bridging techniques be
> used if non-IP traffic has to be supported.)
>
> Security:
>
> The Security Considerations section in its entirety is as follows:
>
>    This document doesn't introduce additional security risk to BGP/MPLS
>    IP VPN, nor does it provide any additional security feature for BGP/
>    MPLS IP VPN.
>
> While I don't think the Security Considerations section of this Informational
> document needs to be particularly large or heavy, I believe there is more to be
> said. Perhaps points such as the security of the L2 or IP addresses used by the
> hosts/servers in the data centers or the PE devices seeming like ideal
> concentration points to observe traffic metadata and content so systems along
> the lines of those described here should take that into account.

How about adding the following text to the Security Considerations section?

"Since the BGP/MPLS IP VPN signaling is reused without any change, those security considerations as described in [RFC4364] are applicable to this document. Meanwhile, since security issues associated with the NDP are inherited due to the use of NDP proxy, those security considerations and recommendations as described in [RFC6583] are applicable to this document as well."

> Other:
>
> While I understand that many disagree with me, I believe that, except in special
> circumstances, front page authors should list a postal address and/or telephone
> number in the Authors Addresses section as well as an email address. In my
> opinion, the Authors Addresses section of this draft is an example of schlock
> corner cutting.

OK, I will fix it.

> Trivia:
>
> Section 1, page 3, item b: "challenge on the forwarding" -> "challenge to the
> forwarding".
> item c: "growing by multiples" -> "multiplying"

Will fix it.

> Section 1, page 4: "infrastructures and their corresponding experiences" ->
> "infrastructure and experience".

Will fix it.

> Section 3.4: "Acting as an ARP or ND proxies, a PE routers" -> "Acting as an ARP
> or ND proxy, a PE router"

Will fix it.

> I'm not sure what the occurrences of "Infrastructure-as-a-Service (IaaS)" and
> "IaaS" add other than buzzword compliance and think the draft would be improved
> by deleting them.

Will delete them.

Thanks a lot again for your review.

Best regards,
Xiaohu

> Thanks,
> Donald
> =============================
> Donald E. Eastlake 3rd +1-508-333-2270 (cell)
> 155 Beaver Street, Milford, MA 01757 USA d3e3e3@gmail.com