Last Call Review of draft-ietf-pwe3-dynamic-ms-pw-19

Request: Review of draft-ietf-pwe3-dynamic-ms-pw
Requested rev.: no specific revision (document currently at 22)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2014-01-07
Requested: 2013-10-31
Authors: Luca Martini, Matthew Bocci, Florin Balus
Draft last updated: 2014-01-09
Completed reviews:
  Genart Last Call review of -19 by Christer Holmberg
  Genart Telechat review of -20 by Christer Holmberg
  Secdir Last Call review of -19 by Klaas Wierenga
Assignment: Reviewer Klaas Wierenga
State: Completed
Review: review-ietf-pwe3-dynamic-ms-pw-19-secdir-lc-wierenga-2014-01-09
Reviewed rev.: 19 (document currently at 22)
Review result: Has Issues
Review completed: 2014-01-09
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The draft describes extensions to the pseudowire control protocol to dynamically place the segments of the multi-segment pseudowire among a set of Provider Edge (PE) routers.

The draft is relatively straightforward and clear, but from a security PoV I did take issue with the statement in the security considerations that goes:

"This document specifies only extensions to the protocols already defined in [RFC4447], and [RFC6073]. The extensions defined in this document do not affect the security considerations for those protocols."

When you essentially propose a mechanism to dynamically insert men in the middle, you can imo not just state that nothing changes. In the meantime I have talked to some people that are much more cognisant about pseudowires than I am, and I have let myself be convinced that this indeed does not introduce new attack vectors (as compared to static PW and normal MPLS networks), and that existing threats can be mitigated by doing end-to-end connection verification, but I believe that others, like me, would be helped by a short discussion pertaining to this.

Hope this helps,