Last Call Review of draft-ietf-pwe3-dynamic-ms-pw-19
review-ietf-pwe3-dynamic-ms-pw-19-secdir-lc-wierenga-2014-01-09-00

Request Review of draft-ietf-pwe3-dynamic-ms-pw
Requested revision No specific revision (document currently at 22)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2014-01-07
Requested 2013-10-31
Authors Luca Martini, Matthew Bocci, Florin Balus
I-D last updated 2014-01-09
Completed reviews Genart Last Call review of -19 by Christer Holmberg
Genart Telechat review of -20 by Christer Holmberg
Secdir Last Call review of -19 by Klaas Wierenga
Assignment Reviewer Klaas Wierenga
State Completed
Request Last Call review on draft-ietf-pwe3-dynamic-ms-pw by Security Area Directorate Assigned
Reviewed revision 19 (document currently at 22)
Result Has issues
Completed 2014-01-09
Hi,

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.

The draft describes extensions to the pseudowire control protocol to
dynamically place the segments of the multi-segment pseudowire among a set of
Provider Edge (PE) routers.

The draft is relatively straightforward and clear, but from a security PoV I
did take issue with the statement in the security considerations that goes:

"This document specifies only extensions to the protocols already defined in
[RFC4447], and [RFC6073]. The extensions defined in this document do not affect
the security considerations for those protocols."

When you essentially propose a mechanism to dynamically insert men in the
middle, you can imo not just state that nothing changes. In the meanwhile I have
talked to some people who are much more cognisant about pseudowires than I am,
and I have let myself be convinced that this indeed does not introduce new attack
vectors (as compared to static PW and normal MPLS networks), and that existing
threats can be mitigated by doing end-to-end connection verification, but I
believe that others, like me, would be helped by a short discussion pertaining
to this.

Hope this helps,

Klaas