Last Call Review of draft-ietf-l2vpn-vpls-mib-14
review-ietf-l2vpn-vpls-mib-14-secdir-lc-melnikov-2014-02-19-00

Request Review of draft-ietf-l2vpn-vpls-mib
Requested rev. no specific revision (document currently at 15)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2014-02-14
Requested 2014-02-06
Authors Thomas Nadeau, Kiran Koushik, Rohit Mediratta
Draft last updated 2014-02-19
Completed reviews Genart Last Call review of -14 by Meral Shirazipour
Genart Telechat review of -14 by Meral Shirazipour
Secdir Last Call review of -14 by Alexey Melnikov
Opsdir Last Call review of -14 by Sarah Banks
Assignment Reviewer Alexey Melnikov
State Completed
Review review-ietf-l2vpn-vpls-mib-14-secdir-lc-melnikov-2014-02-19
Reviewed rev. 14 (document currently at 15)
Review result Has Nits
Review completed: 2014-02-19

Review

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and working group chairs should treat these comments just like any other last call comments.

This document describes managed objects for configuring and/or monitoring Virtual Private LAN services, including LDP and BGP extensions.

The document says that information in 3 defined MIB modules is not sensitive and thus not really worth protecting from passive monitoring. I doubt this claim a bit, as it seems that observing information from the MIB tables can help an attacker to mount other types of attacks on a particular VPLS.

It also looks like gaining write access can enable a Denial-of-Service attack on the monitoring system itself and/or on the underlying infrastructure.

I also agree with Benoit Claise's DISCUSS that the document should follow the recommended MIB-security template:

http://trac.tools.ietf.org/area/ops/trac/wiki/mib-security

Other than that, I have no security concerns in regards to this document.