Last Call Review of draft-ietf-bess-virtual-subnet-05
review-ietf-bess-virtual-subnet-05-secdir-lc-eastlake-2015-11-26-00
| Request | Review of | draft-ietf-bess-virtual-subnet |
|---|---|---|
| Requested revision | No specific revision (document currently at 07) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2015-11-24 | |
| Requested | 2015-11-12 | |
| Authors | Xiaohu Xu , Christian Jacquenet , Robert Raszuk , Truman Boyes , Brendan Fee | |
| I-D last updated | 2015-11-26 | |
| Completed reviews |
Secdir Last Call review of -05
by Donald E. Eastlake 3rd
(diff)
Opsdir Last Call review of -05 by Jouni Korhonen (diff) Rtgdir Early review of -02 by Ron Bonica (diff) |
|
| Assignment | Reviewer | Donald E. Eastlake 3rd |
| State | Completed | |
| Request | Last Call review on draft-ietf-bess-virtual-subnet by Security Area Directorate Assigned | |
| Reviewed revision | 05 (document currently at 07) | |
| Result | Has issues | |
| Completed | 2015-11-26 |
review-ietf-bess-virtual-subnet-05-secdir-lc-eastlake-2015-11-26-00
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. Document editors and WG chairs should treat these comments just
like any other last call comments.
This Informational document describes a straightforward method using
existing BGP/MPLS VPN technology along with ARP/ND proxying to
interconnect parts of an IP subnet spread across two or more data
centers including support of VM migration between data centers. (It
also suggest that bridging techniques be used if non-iP traffic has to
be supported.)
Security:
The Security Considerations section in its entirety is as follows:
This document doesn't introduce additional security risk to BGP/MPLS
IP VPN, nor does it provide any additional security feature for BGP/
MPLS IP VPN.
While I don't think the Security Considerations section of this
Informational document needs to be particularly large or heavy, I
believe there is more to be said. Perhaps points such as the security
of the L2 or IP addresses used by the hosts/servers in the data
centers or the PE devices seeming like ideal concentration points to
observe traffic metadata and content so systems along the lines of
those described here should take that into account.
Other:
While I understand that many disagree with me, I believe that, except
in special circumstances, front page authors should list a postal
address and/or telephone number in the Authors Addresses section as
well as an email address. In my opinion, the Authors Addresses section
of this draft is an example of schlock corner cutting.
Trivia:
Section 1, page 3, item b: "challenge on the forwarding" -> "challenge
to the forwarding".
item c: "growing by multiples" -> "multiplying"
Section 1, page 4: "infrastructures and their corresponding
experiences" -> "infrastructure and experience".
Section 3.4: "Acting as an ARP or ND proxies, a PE routers" -> "Acting
as an ARP or ND proxy, a PE router"
I'm not sure what the occurrences of "Infrastructure-as-a-Service
(IaaS)" and "IaaS" add other than buzzword compliance think the draft
would be improved by deleting them.
Thanks,
Donald
=============================
Donald E. Eastlake 3rd +1-508-333-2270 (cell)
155 Beaver Street, Milford, MA 01757 USA
d3e3e3 at gmail.com