
Last Call Review of draft-ietf-tsvwg-rsvp-l3vpn-
review-ietf-tsvwg-rsvp-l3vpn-secdir-lc-santesson-2009-06-25-00

Request Review of draft-ietf-tsvwg-rsvp-l3vpn
Requested revision No specific revision (document currently at 07)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2009-06-11
Requested 2009-05-29
Authors Ashok Narayanan, Dr. Bruce S. Davie, François Le Faucheur
I-D last updated 2009-06-25
Completed reviews Secdir Last Call review of -?? by Stefan Santesson
Assignment Reviewer Stefan Santesson
State Completed
Request Last Call review on draft-ietf-tsvwg-rsvp-l3vpn by Security Area Directorate Assigned
Completed 2009-06-25
Title: SecDir review of draft-ietf-tsvwg-rsvp-l3vpn-02

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.

This specification defines a set of procedures to overcome challenges with
deployment of Resource Reservation Protocols over BGP/MPLS VPNs.

The BGP/MPLS VPN (RFC 4364) is a VPN technique that doesn't rely on encryption to
ensure secrecy or message integrity. The security properties are instead
dependent on the security of the network infrastructure.

It appears that this draft makes a serious effort to describe and analyze
relevant security considerations. With my limited expertise in this particular
area I can't find anything that is obviously missing.

However, one question that comes to my mind, which might be worth looking at
from a security perspective, is whether the procedures introduced by this
document require the communication to be unencrypted and if so, whether
deployment of this protocol blocks or prevents legitimate use of e.g. IPsec-based
VPN as discussed in RFC 4364 and RFC 4023. If this is the case, should it
be discussed in the security considerations section?

Stefan Santesson

AAA-sec.com