Last Call Review of draft-ietf-pals-congcons-01
review-ietf-pals-congcons-01-secdir-lc-orman-2015-12-17-00

Security review of
Pseudowire Congestion Considerations
draft-ietf-pals-congcons-01

Do not be alarmed.  I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG.  These comments were written primarily
for the benefit of the security area directors.  Document editors and
WG chairs should treat these comments just like any other last call
comments.

The question that the draft addresses is whether or not TCP flows that
are bundled in a pseudowire (PW) need to have a special congestion
avoidance algorithm in order to co-exist with normal TCP flows.  The
answer seems to be a sort of analogy to the central limit theorem:
bundled TCP flows behave nearly as gracefully as a similar set of
non-bundled flows.

Whether or not I got that right, I do agree that this seems to
introduce no new security considerations.  I do wonder, though, about
whether or not an attacker needs to control more or fewer resources to
attack a network through a PW than without a PW.  I suspect that it
depends on the details of the network graph.  In any case, the
document in question does a good job of discussing the issue of
delays and capacity.

I think the formula for TCP throughput would be better expressed
by moving the common factor of 2p/3 outside the expression in
the denominator, but if all previous documents have used the
form given in this draft, it would only confuse people.

Hilarie