Last Call Review of draft-ietf-mpls-sfc-encapsulation-02
review-ietf-mpls-sfc-encapsulation-02-secdir-lc-wouters-2019-02-17-00

Request Review of draft-ietf-mpls-sfc-encapsulation
Requested rev. no specific revision (document currently at 04)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2019-02-26
Requested 2019-02-12
Authors Andrew Malis, Stewart Bryant, Joel Halpern, Wim Henderickx
Draft last updated 2019-02-17
Completed reviews Rtgdir Last Call review of -02 by Christian Hopps (diff)
Opsdir Last Call review of -02 by Carlos Pignataro (diff)
Secdir Last Call review of -02 by Paul Wouters (diff)
Genart Last Call review of -02 by Meral Shirazipour (diff)
Assignment Reviewer Paul Wouters
State Completed
Review review-ietf-mpls-sfc-encapsulation-02-secdir-lc-wouters-2019-02-17
Reviewed rev. 02 (document currently at 04)
Review result Ready
Review completed: 2019-02-17

Review
review-ietf-mpls-sfc-encapsulation-02-secdir-lc-wouters-2019-02-17

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

The summary of the review is Ready

While I'm not familiar with the Service Function Chaining (SFC) architecture and the Network Service Header (NSH), the Security Considerations in this document seem to be correct in pointing out that:

  This document simply
   defines one additional transport encapsulation.  The NSH was
   specially constructed to be agnostic to its transport encapsulation.
   As as result, in general this additional encapsulation is no more or
   less secure than carrying the NSH in any other encapsulation.