Last Call Review of draft-ietf-bess-virtual-subnet-05
review-ietf-bess-virtual-subnet-05-secdir-lc-eastlake-2015-11-26-00

Request Review of draft-ietf-bess-virtual-subnet
Requested rev. no specific revision (document currently at 07)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2015-11-24
Requested 2015-11-12
Draft last updated 2015-11-26
Completed reviews Secdir Last Call review of -05 by Donald Eastlake (diff)
Opsdir Last Call review of -05 by Jouni Korhonen (diff)
Rtgdir Early review of -02 by Ron Bonica (diff)
Assignment Reviewer Donald Eastlake
State Completed
Review review-ietf-bess-virtual-subnet-05-secdir-lc-eastlake-2015-11-26
Reviewed rev. 05 (document currently at 07)
Review result Has Issues
Review completed: 2015-11-26

Review
review-ietf-bess-virtual-subnet-05-secdir-lc-eastlake-2015-11-26

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  Document editors and WG chairs should treat these comments just
like any other last call comments.

This Informational document describes a straightforward method using
existing BGP/MPLS VPN technology along with ARP/ND proxying to
interconnect parts of an IP subnet spread across two or more data
centers including support of VM migration between data centers. (It
also suggests that bridging techniques be used if non-IP traffic has to
be supported.)

Security:

The Security Considerations section in its entirety is as follows:

   This document doesn't introduce additional security risk to BGP/MPLS
   IP VPN, nor does it provide any additional security feature for BGP/
   MPLS IP VPN.

While I don't think the Security Considerations section of this
Informational document needs to be particularly large or heavy, I
believe there is more to be said. Perhaps points such as the security
of the L2 or IP addresses used by the hosts/servers in the data
centers, or the PE devices seeming like ideal concentration points to
observe traffic metadata and content, so systems along the lines of
those described here should take that into account.

Other:

While I understand that many disagree with me, I believe that, except
in special circumstances, front page authors should list a postal
address and/or telephone number in the Authors Addresses section as
well as an email address. In my opinion, the Authors Addresses section
of this draft is an example of schlock corner cutting.

Trivia:

Section 1, page 3, item b: "challenge on the forwarding" -> "challenge
to the forwarding".
    item c: "growing by multiples" -> "multiplying"

Section 1, page 4: "infrastructures and their corresponding
experiences" -> "infrastructure and experience".

Section 3.4: "Acting as an ARP or ND proxies, a PE routers" -> "Acting
as an ARP or ND proxy, a PE router"

I'm not sure what the occurrences of "Infrastructure-as-a-Service
(IaaS)" and "IaaS" add other than buzzword compliance, and I think the
draft would be improved by deleting them.

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3 at gmail.com