Last Call Review of draft-ietf-pals-seamless-vccv-02
review-ietf-pals-seamless-vccv-02-secdir-lc-hallam-baker-2016-04-28-00

Request Review of draft-ietf-pals-seamless-vccv
Requested rev. no specific revision (document currently at 03)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2016-05-03
Requested 2016-03-23
Authors Vengada Govindan, Carlos Pignataro
Draft last updated 2016-04-28
Completed reviews Genart Last Call review of -02 by Francis Dupont
Secdir Last Call review of -02 by Phillip Hallam-Baker
Assignment Reviewer Phillip Hallam-Baker
State Completed
Review review-ietf-pals-seamless-vccv-02-secdir-lc-hallam-baker-2016-04-28
Reviewed rev. 02 (document currently at 03)
Review result Has Issues
Review completed: 2016-04-28

Review

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.
This document is an incremental change to a layer 2 virtualization
layer (Software Defined Networking). As such it properly references
RFC5085 for security considerations.

That said, I am a bit surprised at the security considerations in
RFC5085 which points out that denial of service is an issue but not
the introduction of a new set of opportunities for interception. This
is surprising given that BGP interception had already been used in
international hostilities when the RFC was published.

Further, the proposed solution is to sprinkle on some magic IPsec dust
or equivalent. While that might be an appropriate approach in an
experimental protocol, it is hardly adequate for a production protocol
with implications for Internet security as a whole.

Given the critical function of this layer and the date of its
inception, I would expect to see a comprehensive security architecture
developed as part of the overall scheme.