Last Call Review of draft-ietf-bfd-vxlan-07
review-ietf-bfd-vxlan-07-secdir-lc-emery-2019-05-31-00

Request Review of draft-ietf-bfd-vxlan
Requested rev. no specific revision (document currently at 08)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2019-05-31
Requested 2019-05-17
Authors Juniper Networks, Sudarsan Paragiri, Vengada Govindan, Mallik Mudigonda, Gregory Mirsky
Draft last updated 2019-05-31
Completed reviews Rtgdir Last Call review of -07 by Joel Halpern (diff)
Opsdir Last Call review of -07 by Jürgen Schönwälder (diff)
Genart Last Call review of -07 by Erik Kline (diff)
Tsvart Last Call review of -07 by Olivier Bonaventure (diff)
Secdir Last Call review of -07 by Shawn Emery (diff)
Assignment Reviewer Shawn Emery
State Completed
Review review-ietf-bfd-vxlan-07-secdir-lc-emery-2019-05-31
Posted at https://mailarchive.ietf.org/arch/msg/secdir/B3HQM1b66p_WtB0zUk57vVCAygc
Reviewed rev. 07 (document currently at 08)
Review result Has Issues
Review completed: 2019-05-31

Review
review-ietf-bfd-vxlan-07-secdir-lc-emery-2019-05-31

Reviewer: Shawn M. Emery
Review result: Ready with issues

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This draft specifies usage of the Bidirectional Forwarding Detection (BFD)
protocol on
Virtual eXtensible Local Area Network (VXLAN) tunnels.

The security considerations section does exist and discusses the
introduction of a possible
DDoS attack due to the requirement of the protocol to set the IP TTL to one
hop.  The prescription
outlined is to throttle this traffic.  The section continues that BFD
sessions should also have an
upper limit, but does not give guidance on what is considered reasonable to
where it would affect
normal traffic vs. some form of DoS.  I believe that this section should
also document the security
impact of deploying BFD on VXLANs for monitoring tunnel traffic.  Which
additional information,
if any, can now be obtained with BFD usage?

General comments:

This standards track draft makes a normative reference to the base RFC,
7348, which is informational.
Are there plans of making the base protocol a standards track
specification?  Downward references
will need to be justified.

Editorial comments:

NVE is never expanded and not on the RFC Editors Abbreviation List.
Echo BFD is out of scope for the document, but does not describe the reason
for this or why state
this at all?

Shawn.
--