Draft: draft-ietf-l3vpn-ipsec-2547-05
Reviewer: Harald Tveit Alvestrand [harald@alvestrand.no]
Review Date: Monday 2/6/2006 8:49 AM
IESG Telechat Date: 1/19/2006

Summary: Incomplete specification

The document can be summarized as follows:

- If you don't trust everyone who can inject a packet into your MPLS, security is a problem.
- Multiprovider BGP-MPLS VPNs require mutually untrusting SPs to exchange MPLS packets.
- PE-PE links can be created using IPSec transport mode tunnels. This is useful in the above case.
- The desire to have such links can be signalled by the egress PE using BGP extended attributes.

This isn't exactly controversial stuff, and sounds like a fairly simple thing to document so that one can have interoperable experimentation to identify problems with the approach. But this document is not a good basis for such an experiment.

The document has a number of problems:

- The document jumps back and forth between considering the security implications of various ways of doing multiprovider VPNs and specifying the mechanisms for this particular proposal.
- The document is very incomplete, lacking the specification of the exact BGP attributes to be used to negotiate the connections, and the details of the certificate structures and IPSec parameters that are needed for interoperability - this makes it very hard to participate in the experiment implied by "experimental" status.
- The document uses unusual terminology for IPSec operations ("packet removed from IPsec SAs"), which makes the document hard to follow.
- The document jumps around between specifying the principles and protocols and discussing implementation details; this makes it very hard to see which is which.
- The document's security considerations section is a cop-out.

Nevertheless, I find it hard to get terribly excited about an Experimental document - at least if I take its aiming at Experimental seriously, rather than as an excuse to get an RFC number without a standards-track review.
My big issue with the document is that it's incomplete - you can't participate in the experiment unless you know more than what's here. And that's, in my opinion, not a Good Thing.