
Last Call Review of draft-ietf-bfd-vxlan-07
review-ietf-bfd-vxlan-07-secdir-lc-emery-2019-05-31-00

Request Review of draft-ietf-bfd-vxlan
Requested revision No specific revision (document currently at 16)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2019-05-31
Requested 2019-05-17
Authors Santosh Pallagatti, Greg Mirsky, Sudarsan Paragiri, Vengada Prasad Govindan, Mallik Mudigonda
I-D last updated 2019-05-31
Completed reviews Rtgdir Last Call review of -07 by Joel M. Halpern (diff)
Opsdir Last Call review of -07 by Jürgen Schönwälder (diff)
Genart Last Call review of -07 by Erik Kline (diff)
Tsvart Last Call review of -07 by Olivier Bonaventure (diff)
Secdir Last Call review of -07 by Shawn M Emery (diff)
Opsdir Telechat review of -09 by Jürgen Schönwälder (diff)
Secdir Telechat review of -09 by Shawn M Emery (diff)
Genart Telechat review of -09 by Erik Kline (diff)
Assignment Reviewer Shawn M Emery
State Completed
Request Last Call review on draft-ietf-bfd-vxlan by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/B3HQM1b66p_WtB0zUk57vVCAygc
Reviewed revision 07 (document currently at 16)
Result Has issues
Completed 2019-05-31
Reviewer: Shawn M. Emery
Review result: Ready with issues

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This draft specifies usage of the Bidirectional Forwarding Detection (BFD)
protocol on Virtual eXtensible Local Area Network (VXLAN) tunnels.

The security considerations section does exist and discusses the
introduction of a possible DDoS attack due to the requirement of the
protocol to set the IP TTL to one hop. The prescription outlined is to
throttle this traffic. The section continues that BFD sessions should also
have an upper limit, but does not give guidance on what is considered
reasonable to where it would affect normal traffic vs. some form of DoS.
I believe that this section should also document the security impact of
deploying BFD on VXLANs for monitoring tunnel traffic. Which additional
information, if any, can now be obtained with BFD usage?

General comments:

This standards track draft makes a normative reference to the base RFC,
7348, which is informational. Are there plans of making the base protocol
a standards track specification? Downward references will need to be
justified.

Editorial comments:

NVE is never expanded and is not on the RFC Editor's Abbreviation List.
Echo BFD is out of scope for the document, but the document does not
describe the reason for this, or why state this at all?

Shawn.
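The review above discusses two mitigations the draft's security considerations prescribe for the TTL-of-one requirement: throttling BFD control traffic and putting an upper limit on BFD sessions, while noting that the draft gives no guidance on what limit is reasonable. The following is an added example, written for this page and not code from the draft, the reviewer, or any BFD implementation, of a receiver-side admission policy that applies both mitigations and reports what it dropped and why. The packet record layout, the class and function names, the per-VTEP token-bucket thresholds, the session cap, and the assumption that the receiver verifies the inner TTL equals the value the draft requires the sender to set are all assumptions made for the illustration.

```python
"""Added example: receiver-side admission policy for BFD control packets
carried over VXLAN, showing per-VTEP throttling plus a session cap.
Everything here (field names, thresholds, the inner-TTL check) is an
assumption for illustration, not the draft's specified behaviour."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class BfdOverVxlanPacket:
    """Constructed record of the fields the policy inspects (not a wire format)."""
    src_vtep: str    # outer IP source: the VTEP that tunnelled the frame
    vni: int         # VXLAN Network Identifier the BFD session belongs to
    inner_ttl: int   # TTL of the inner IP header carrying the BFD control packet
    your_disc: int   # BFD Your Discriminator (0 while a session is being set up)


class TokenBucket:
    """Token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate: float, burst: int, now: float):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = now

    def take(self, now: float) -> bool:
        # Refill proportionally to elapsed time, capped at the burst size.
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class BfdAdmissionPolicy:
    """Decides whether a received BFD-over-VXLAN control packet is processed.

    Checks run cheapest first: TTL, then the per-source rate limit, then the
    global session cap. Thresholds are illustrative assumptions; the review's
    point is that the draft does not say what a reasonable cap is."""

    REQUIRED_INNER_TTL = 1  # assumption: receiver checks the TTL the sender must set

    def __init__(self, max_sessions: int, per_vtep_rate: float, burst: int):
        self.max_sessions = max_sessions
        self.per_vtep_rate = per_vtep_rate
        self.burst = burst
        self.buckets: Dict[str, TokenBucket] = {}
        self.sessions: Set[Tuple[str, int]] = set()  # (src_vtep, vni) with a session
        self.counters = {"accept": 0, "drop-ttl": 0, "drop-rate": 0, "drop-session-limit": 0}

    def admit(self, pkt: BfdOverVxlanPacket, now: float) -> str:
        if pkt.inner_ttl != self.REQUIRED_INNER_TTL:
            return self._count("drop-ttl")
        bucket = self.buckets.get(pkt.src_vtep)
        if bucket is None:
            bucket = self.buckets[pkt.src_vtep] = TokenBucket(self.per_vtep_rate, self.burst, now)
        if not bucket.take(now):
            return self._count("drop-rate")
        key = (pkt.src_vtep, pkt.vni)
        if key not in self.sessions:
            if len(self.sessions) >= self.max_sessions:
                return self._count("drop-session-limit")
            self.sessions.add(key)
        return self._count("accept")

    def _count(self, verdict: str) -> str:
        self.counters[verdict] += 1
        return verdict


def run_demo() -> Dict[str, int]:
    """Feed constructed traffic through the policy and return the verdict counts."""
    policy = BfdAdmissionPolicy(max_sessions=2, per_vtep_rate=10.0, burst=5)
    t = 0.0
    # 1) Two legitimate sessions, one packet each: both accepted.
    for vtep, vni in (("10.0.0.1", 100), ("10.0.0.2", 200)):
        policy.admit(BfdOverVxlanPacket(vtep, vni, 1, 0), t)
    # 2) A third distinct session: rejected by the session cap.
    policy.admit(BfdOverVxlanPacket("10.0.0.3", 300, 1, 0), t)
    # 3) Wrong inner TTL: dropped before any per-source state is touched.
    policy.admit(BfdOverVxlanPacket("10.0.0.1", 100, 64, 0), t)
    # 4) 20 packets from one VTEP in the same instant: its bucket held 5
    #    tokens and one was spent in step 1, so 4 pass and 16 are throttled.
    for _ in range(20):
        policy.admit(BfdOverVxlanPacket("10.0.0.1", 100, 1, 0), t)
    # 5) One second later the bucket has refilled to its cap; 3 packets pass.
    for _ in range(3):
        policy.admit(BfdOverVxlanPacket("10.0.0.1", 100, 1, 0), t + 1.0)
    return dict(policy.counters)


if __name__ == "__main__":
    print(run_demo())
```

The demo returns `{"accept": 9, "drop-ttl": 1, "drop-rate": 16, "drop-session-limit": 1}`. Keeping the three drop reasons as separate counters is deliberate: an operator tuning the (unspecified) session limit needs to see whether drops come from the cap or from the rate limiter before deciding which knob is starving legitimate sessions.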