Last Call Review of draft-ietf-bess-orf-covering-prefixes-03
review-ietf-bess-orf-covering-prefixes-03-secdir-lc-weis-2015-03-02-00

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should
treat these comments just like any other last call comments.

This document defines a new type of Outbound Route Filter (ORF),
which is a directive sent to a BGP speaker requesting it to drop
packets matching the filter. This can be used to avoid propogating
traffic that will be filtered after delivery. The new ORF type is
a Covering Prefixes ORF (CP-ORF), which has additional flexibility
in specififying which addresses are to be filtered.

The CP-ORF is stated as being useful within Virutal Hub-and-Spoke
VPNs and EVPNs, both of which include a set of cooperating BGP
speakers implementing a private network. Given that there is a
general trust between the BGP speakers, the security considerations
of the CP-ORF are few. The Security Considerations section describes
how a BGP speaker can limit resource usage, and there is a pointer
to the Security Considerations section of RFC 4271, which describes
more generally how a BGP speaker can reject ORFs due to an 
unwillingness to use additional resources.

I consider this document Ready To Publish.

Brian