Telechat Review of draft-ietf-rtgwg-bgp-routing-large-dc-11
review-ietf-rtgwg-bgp-routing-large-dc-11-secdir-telechat-nir-2016-06-17-00

Request: Review of draft-ietf-rtgwg-bgp-routing-large-dc
Requested rev.: no specific revision (document currently at 11)
Type: Telechat Review
Team: Security Area Directorate (secdir)
Deadline: 2016-06-14
Requested: 2016-06-09
Authors: Petr Lapukhov, Ariff Premji, Jon Mitchell
Draft last updated: 2016-06-17
Completed reviews:
  Genart Telechat review of -10 by Dan Romascanu
  Genart Telechat review of -11 by Dan Romascanu
  Secdir Telechat review of -09 by Yoav Nir
  Secdir Telechat review of -11 by Yoav Nir
  Opsdir Telechat review of -09 by Lionel Morand
  Rtgdir Early review of -01 by Danny McPherson
  Rtgdir Early review of -05 by Susan Hares
  Rtgdir Early review of -09 by Acee Lindem
Assignment: Reviewer Yoav Nir
State: Completed
Review: review-ietf-rtgwg-bgp-routing-large-dc-11-secdir-telechat-nir-2016-06-17
Reviewed rev.: 11
Review result: Ready
Review completed: 2016-06-17

Review
review-ietf-rtgwg-bgp-routing-large-dc-11-secdir-telechat-nir-2016-06-17

Hi

The new version addresses my concern from the message below. The document is now ready IMO.

Thanks

Yoav

> On 5 May 2016, at 10:24 AM, Yoav Nir <ynir.ietf at gmail.com> wrote:
> 
> Hi.
> 
> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.
> 
> Summary: Almost Ready
> 
> This document is an Informational discussion of packet routing within data centers. It describes existing practice with using layer-2 protocols such as STP or TRILL, hybrid setups, and layer-3 routing protocols, mostly IGPs. It finally recommends replacing these with EBGP and a Clos structure. The document is very clear and quite an interesting read.
> 
> The document does not deal with security questions such as what kind of damage a rogue node can do, and that is fine. That is not the subject of this document. 
> 
> My one issue is with the Security Considerations section. Section 9 defers to the BGP RFCs (4271 and 4272) for the security considerations. This is a common pattern and it's usually fine, but in this case it is missing something. RFC 4271 requires the use of TCP-MD5 (RFC 2385) for authenticating the BGP connections between routers. RFC 4271 also mentions (but does not solve) the problem of key management. ISTM that in a large-scale and dynamically scalable data center, the problem of key management should be addressed. It might also be nice to use something less antiquated than TCP-MD5. 
> 
> Now it's possible to decide that all elements within the data center are trusted and under the administrator's control, and that therefore no authentication is necessary as long as BGP is somehow blocked from outside the DC to internal nodes. But if these assumptions exist, I believe they should be stated.
> 
> Yoav
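To make the shared-key dependence discussed in the review concrete, the following is an added example (not part of the review, the draft, or any BGP implementation) that computes and verifies the RFC 2385 TCP MD5 Signature Option digest over a BGP KEEPALIVE segment. Addresses, ports and keys are constructed sample values, and the segment is built in memory rather than sent.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample values for a BGP session between two fabric routers.
SRC_IP, DST_IP, BGP_PORT = "10.0.0.1", "10.0.0.2", 179
MD5_OPTION_LEN = 20  # kind 19 + len 18 + 16-byte digest, NOP-padded to 20

def bgp_keepalive():
    """RFC 4271 KEEPALIVE: 16-byte all-ones marker, length 19, type 4."""
    return b"\xff" * 16 + struct.pack("!HB", 19, 4)

def tcp_fixed_header(sport, dport, seq, ack, flags, options_len):
    """20-byte TCP header; data offset counts options, checksum left zero."""
    data_offset = (20 + options_len) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, 65535, 0, 0)

def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key,
                   options_len=MD5_OPTION_LEN):
    """RFC 2385 digest: pseudo-header (src, dst, zero, protocol, segment
    length), fixed TCP header with checksum zeroed and options excluded,
    segment data, then the shared key."""
    seg_len = len(tcp_header) + options_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    header = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]
    return hashlib.md5(pseudo + header + payload + key).digest()

def verify_segment(src_ip, dst_ip, tcp_header, payload, digest, key):
    """Receiver-side check: recompute with the locally configured key."""
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(expected, digest)

def demo():
    key_a = b"fabric-shared-secret"      # constructed key both peers hold
    key_b = b"stale-key-after-rotation"  # constructed key only one peer holds
    hdr = tcp_fixed_header(52000, BGP_PORT, 1000, 2000, 0x18, MD5_OPTION_LEN)
    msg = bgp_keepalive()
    sig = tcp_md5_digest(SRC_IP, DST_IP, hdr, msg, key_a)
    return {
        "same_key": verify_segment(SRC_IP, DST_IP, hdr, msg, sig, key_a),
        "other_key": verify_segment(SRC_IP, DST_IP, hdr, msg, sig, key_b),
        "tampered": verify_segment(SRC_IP, DST_IP, hdr, msg[:-1] + b"\x05", sig, key_a),
    }
```

A peer whose configured key no longer matches rejects every segment, so rotating keys across a large fabric without tearing down sessions is exactly the key-management problem the review points to.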