Last Call Review of draft-ietf-l2vpn-vpls-mib-14
review-ietf-l2vpn-vpls-mib-14-secdir-lc-melnikov-2014-02-19-00

I have reviewed this document as part of the security directorate's 


ongoing effort to review all IETF documents being processed by the IESG. 


These comments were written primarily for the benefit of the security 


area directors.  Document editors and working group chairs should treat 


these comments just like any other last call comments.






This document describes managed objects for configuring and/or 


monitoring Virtual Private LAN services, including LDP and BGP extensions.






The document says that information in 3 defined MIB modules is not 


sensitive and thus not really worth protecting from passive monitoring. 


I doubt a bit this claim, as it seems that observing  information from 


the MIB tables can help an attacker to mount other types of attacks on a 


particular VPLS.


It also looks like gaining write access can enable Denial-of-Service 


attack on the monitoring system itself and/or on the underlying 


infrastructure.






I also agree with Benoit Claise's DISCUSS that the document should 


follow the recommended MIB-security template:



  

http://trac.tools.ietf.org/area/ops/trac/wiki/mib-security



Other than that, I have no security concerns in regards to this document.