Last Call Review of draft-ietf-l2vpn-ipls-14

Request Review of draft-ietf-l2vpn-ipls
Requested rev. no specific revision (document currently at 16)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2014-08-07
Requested 2014-07-24
Authors Himanshu Shah, Eric Rosen, François Le Faucheur, Giles Heron
Draft last updated 2014-08-07
Completed reviews Genart Last Call review of -14 by Suresh Krishnan (diff)
Genart Telechat review of -15 by Suresh Krishnan (diff)
Secdir Last Call review of -14 by Dacheng Zhang (diff)
Opsdir Last Call review of -14 by Warren Kumari (diff)
Assignment Reviewer Dacheng Zhang 
State Completed
Review review-ietf-l2vpn-ipls-14-secdir-lc-zhang-2014-08-07
Reviewed rev. 14 (document currently at 16)
Review result Has Issues
Review completed: 2014-08-07



I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the
 benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document proposes a




 type of VPLS which only support IP. In addition, in this solution the maintenance
 of the MAC forwarding tables is done via a control plane protocol, rather than via the MAC address learning procedures specified in [IEEE 802.1D]

I think this document is almost ready for publication. Two comments are as follows:

1) In security consideration, MD5 should not be recommended. So, "authenticating the LDP messages using MD5 authentication." could be changed to "authenticating the LDP messages by verifying
 keyed digests."

2) In this solution, a PE actively detects the presence of local CEs by snooping IP and ARP frames received over the ACs. As the PE discovers each locally attached CE, a unicast multipoint-
 to-point pseudowire (mp2p PW) associated exclusively with that CE is created by distributing the MAC address and optionally IP address of the CE along with a PW-Label to all the remote PE peers that participate in the same IPLS instance. So, IMHO, DDoS attacks
 by generating large amounts of bogus IP and ARP frames should be considered, and counter measures should be provided. For instance, MAC addresses of CEs should be distributed only in a limited frequency.