Last Call Review of draft-li-pwe3-ms-pw-pon-
review-li-pwe3-ms-pw-pon-secdir-lc-zorn-2011-10-07-00

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

I have virtually no knowledge of MPLS and no desire to acquire any.  I
do know a little bit about PON, probably enough to be dangerous.  For
these reasons I will not comment upon the technical aspects of the
document, instead limiting my comments to editorial issues and the
Security Considerations section.  I do have one general question,
though: just out of curiosity, why is this not a pwe3 WG document?


EDITORIAL

Abstract

The acronym "MPLS" should be expanded on first use

s/an MPLS Packet Switched Network/a MPLS Packet Switched Network/

It is sometimes lamented that the people writing the IETF standards are
most often not the people implementing said standards.  I think that
this may actually be a blessing in disguise, however: if the people
writing the standards really don't know the difference between a pointer
to an object (e.g, "[RFC3985]") and the object itself (RFC 3985), I
don't want them writing code!


Section 7.1

The references to  G.987 and G.987.3 are formatted differently from
those for the other ITU-T documents.

The references for RFC 3031, RFC 4447 and RFC 5036 are formatted
incorrectly (leading '"' and trailing '".' characters).


SECURITY CONSIDERATIONS

This section seems woefully inadequate to me.  It is a single paragraph,
reproduced in full (with interspersed commentary) below.

   G-PON/XG-PON has its own security mechanism to guarantee each ONU is
   isolated on the G-PON/XG-PON link layer.

Where is the G-PON security mechanism defined?  Presumably in one of the
6 ITU-T standards referenced, but which one?

   Other security issues are
   unchanged from those applying as standard to PWs and MS-PWs.  Please
   refer to the referenced architectures and protocol specifications for
   further details.

One of the referenced architectures, specified in RFC 3895, says

   It is outside the scope of this
   specification to fully analyze and review the risks of PWE3,
   particularly as these risks will depend on the PSN.  An example
   should make the concern clear.  A number of IETF standards employ
   relatively weak security mechanisms when communicating nodes are
   expected to be connected to the same local area network.  The Virtual
   Router Redundancy Protocol [RFC3768] is one instance.  The relatively
   weak security mechanisms represent a greater vulnerability in an
   emulated Ethernet connected via a PW.

This seems to me to specifically assign risk analysis and review of
novel pseudowires (which this would seem to be) to the designers of
such, but this draft does not show any evidence of that analysis.