Last Call Review of draft-ietf-nvo3-use-case-15
review-ietf-nvo3-use-case-15-secdir-lc-eastlake-2017-01-03-00
| Request | Review of draft-ietf-nvo3-use-case |
|---|---|
| Requested revision | No specific revision (document currently at 17) |
| Type | Last Call Review |
| Team | Security Area Directorate (secdir) |
| Deadline | 2017-01-04 |
| Requested | 2016-12-21 |
| Authors | Lucy Yong, Linda Dunbar, Mehmet Toy, Aldrin Isaac, Vishwas Manral |
| I-D last updated | 2017-01-03 |
| Completed reviews | Rtgdir Last Call review of -15 by Henning Rogge; Secdir Last Call review of -15 by Donald E. Eastlake 3rd; Genart Last Call review of -15 by Ralph Droms; Opsdir Last Call review of -15 by Tim Wicinski; Tsvart Telechat review of -15 by David L. Black |
| Assignment | Reviewer: Donald E. Eastlake 3rd |
| State | Completed |
| Request | Last Call review on draft-ietf-nvo3-use-case by Security Area Directorate |
| Reviewed revision | 15 (document currently at 17) |
| Result | Has issues |
| Completed | 2017-01-03 |
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. Document editors and WG chairs should treat these comments just like any other last call comments.

This draft describes use cases for network virtualization overlay networks, focusing on Data Center use. I think this document is Ready with issues.

Security:

As an Informational use case document, security is not a major focus of this draft. Nevertheless:

The existing Security Considerations section says that Data Center operators need to provide tenants with a virtual network that is "isolated from other tenants' traffic as well as from underlay networks". But I don't think tenants can, in general, be protected from the underlay network. I would say that tenants are vulnerable to observation and data modification/injection by the operator of the underlay and should only use operators they trust.

The existing Security Considerations section says that tenants need to be isolated from each other, but I believe there will always be covert channels, based on resource contention and the like, by which tenants can communicate with each other, and the best that can be done is to limit the bandwidth of such communications.

Minor:

"BUM" and "ASBR" are used without definition or expansion.

Wording:

I think the wording is off in some places for a reader for whom English is their native language. See attached for suggestions. I probably haven't caught all the wording glitches.

Thanks,
Donald

===============================
Donald E. Eastlake 3rd
+1-508-333-2270 (cell)
155 Beaver Street, Milford, MA 01757 USA
d3e3e3@gmail.com