Last Call Review of draft-ietf-nvo3-use-case-15
review-ietf-nvo3-use-case-15-secdir-lc-eastlake-2017-01-03-00

Request: Review of draft-ietf-nvo3-use-case
Requested revision: No specific revision (document currently at 17)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2017-01-04
Requested: 2016-12-21
Authors: Lucy Yong, Linda Dunbar, Mehmet Toy, Aldrin Isaac, Vishwas Manral
Draft last updated: 2017-01-03
Completed reviews:
  Rtgdir Last Call review of -15 by Henning Rogge (diff)
  Secdir Last Call review of -15 by Donald E. Eastlake 3rd (diff)
  Genart Last Call review of -15 by Ralph Droms (diff)
  Opsdir Last Call review of -15 by Tim Wicinski (diff)
  Tsvart Telechat review of -15 by David L. Black (diff)
Assignment: Reviewer Donald E. Eastlake 3rd
State: Completed
Review: review-ietf-nvo3-use-case-15-secdir-lc-eastlake-2017-01-03
Reviewed revision: 15 (document currently at 17)
Result: Has Issues
Completed: 2017-01-03
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. Document
editors and WG chairs should treat these comments just like any other last call
comments.

This draft describes use cases for network virtualization overlay networks,
focusing on Data Center use. I think this document is Ready with issues.

Security:

As an Informational use case document, security is not a major focus of this
draft. Nevertheless:

The existing Security Considerations section says that Data Center operators
need to provide tenants with a virtual network that is "isolated from other
tenants' traffic as well as from underlay networks". But I don't think tenants
can, in general, be protected from the underlay network. I would say that
tenants are vulnerable to observation and data modification/injection by the
operator of the underlay and should only use operators they trust.

The existing Security Considerations section says that tenants need to be
isolated from each other but I believe there will always be covert channels,
based on resource contention and the like, by which tenants can communicate
with each other and the best that can be done is to limit the bandwidth of such
communications.

Minor:

"BUM" and "ASBR" used without definition or expansion.

Wording: I think the wording is off in some places for a reader for whom
English is their native language. See attached for suggestions. I probably
haven't caught all the wording glitches.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com