Analysis of the Security of BGP/MPLS IP Virtual Private Networks (VPNs)
RFC 4381

Note: This ballot was opened for revision 10 and is now closed.

(Alex Zinin) Yes

(Harald Alvestrand) No Objection

Comment (2004-09-16 for -)
Reviewed by Joel Halpern, Gen-ART

His review:



This draft is ready for publication as an Informational RFC

Minor:
This is using 2026 references rather than the newer RFCs.

Presumably, this will not be published until 2547bis is published?
(This is listed as an "Informative Reference", but in fact this
document is not clear and stable without a stable reference for
2547bis.)

(Scott Hollenbeck) No Objection

(David Kessens) No Objection

Comment (2004-09-15 for -)
Comment by Pekka Savola from ops directorate:

There are no showstoppers, but something the RFC-editor should take
into account;

[I didn't read this in detail, just a brief look and a couple of
comments]

 - there are a number of refs which should definitely be normative,
such as [10]; some refs have also been renamed when accepted as WG
items.

 - 2457bis also seems to include provisions for BGP VPNs which are not
carried over MPLS infrastructures (but instead, for example, IP-GRE).
These bring their own security problems which may or may not be worth
discussing, or at least ruling out explicitly -- see
draft-ietf-mpls-in-ip-or-gre, the comments in the I-D tracker, and the
discussion on the mpls WG list around Apr-May 2004 (my concerns about
packet injection to the VPNs weren't, IMHO, sufficiently addressed).

(Steven Bellovin) Abstain

(Russ Housley) Abstain

Comment (2004-09-16 for -)
  There is no discussion of confidentiality in this document.  While it
  points to IPsec when encryption is needed, the point of a VPN is to
  segregate traffic.  The point of the segregation is confidentiality.