
Last Call Review of draft-ietf-6man-vpn-dest-opt-01
review-ietf-6man-vpn-dest-opt-01-genart-lc-dunbar-2025-02-04-00

Request Review of draft-ietf-6man-vpn-dest-opt
Requested revision No specific revision (document currently at 05)
Type IETF Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2025-02-04
Requested 2025-01-21
Authors Ron Bonica, Xing Li, Adrian Farrel, Yuji Kamite, Luay Jalil
I-D last updated 2025-04-17 (Latest revision 2025-04-05)
Completed reviews Genart IETF Last Call review of -01 by Linda Dunbar (diff)
Secdir IETF Last Call review of -01 by Peter E. Yee (diff)
Genart Telechat review of -04 by Linda Dunbar (diff)
Intdir Telechat review of -04 by Antoine Fressancourt (diff)
Opsdir Telechat review of -04 by Susan Hares (diff)
Assignment Reviewer Linda Dunbar
State Completed
Request IETF Last Call review on draft-ietf-6man-vpn-dest-opt by General Area Review Team (Gen-ART) Assigned
Posted at https://mailarchive.ietf.org/arch/msg/gen-art/I_QaLhWvjTHTVQR5XiCi1yN18h8
Reviewed revision 01 (document currently at 05)
Result Not ready
Completed 2025-02-04
I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at

<https://wiki.ietf.org/en/group/gen/GenArtFAQ>.

Document: draft-ietf-6man-vpn-dest-opt-01
Reviewer: Linda Dunbar
Review Date: 2025-02-04
IETF LC End Date: 2025-02-04
IESG Telechat date: Not scheduled for a telechat

Summary: the document proposes an experiment to encode VPN service information
within an IPv6 Destination Option to facilitate VPN deployments.

Major issues:
- IPv6 Destination Options are typically meant for end-host processing, not for
PE routers. Many IPv6 deployments drop packets with extension headers,
particularly in transit networks. The draft assumes that ingress and egress PE
routers will process the VPN Service Option, but if intermediate routers drop
these packets, the approach may fail in real-world deployments.
- There is a security risk of VPN boundaries being breached if an attacker
injects a packet with a forged VPN Service Option.
- The document does not clearly explain why this approach is preferable to SRv6
or MPLS-over-IPv6.

Minor issues:

Nits/editorial comments:

Best Regards,
Linda Dunbar