[secdir] SECDIR review of draft-ietf-l2vpn-pbb-vpls-pe-model
Phillip Hallam-Baker <hallam@gmail.com> Tue, 25 June 2013 13:35 UTC
Date: Tue, 25 Jun 2013 09:35:27 -0400
Message-ID: <CAMm+LwiT0B744XbN02FQ7UniHOYmJg0=KQUNyQq8MTHWCZBtFQ@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "iesg@ietf.org" <iesg@ietf.org>, IETF Discussion Mailing List <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-l2vpn-pbb-vpls-pe-model@ietf.org
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The draft is an informational document describing an architecture for moving packets about based on MAC addresses. While the existence of such architectures and devices is likely relevant to Internet Protocol networking, the draft does not explain how the architecture described is relevant.

The draft does not contain a substantive Security Considerations section; there is instead a reference:

    No new security issues are introduced beyond those that are described in [RFC4761 <http://tools.ietf.org/html/rfc4761>] and [RFC4762 <http://tools.ietf.org/html/rfc4762>].

The references in turn contain references:

    A more comprehensive description of the security issues involved in L2VPNs is covered in [RFC4111 <http://tools.ietf.org/html/rfc4111>].

This is a pity if the principal purpose of the document is to explain the differences between IP layer inter-networking and Layer 2 (aka Ethernet layer) networking and the main differences are in the area of security and scalability.

One of the main reasons to prefer L2 networking over IP is the dependence certain LAN protocols still have on the use of broadcast techniques. But broadcast techniques are by their very nature unscalable. Given n nodes, the cost of broadcast traffic rises as n^2, as every machine on the network has to process the spam from all the rest.

From a security point of view the L2 approach results in a true peered network, which has unfortunate effects on security. Absent mechanisms to authenticate network control messages, every additional machine added to the network is an additional potential point of pollution.

-- 
Website: http://hallambaker.com/