Thanks to the authors for posting the update to this document. Casting an eye over the text, I would like to make some suggestions for making the document more ready for progression to publication.
FWIW, I think the technical content is good and stable, but there is some editorial work needed. Minor edits I'll just send direct to the authors. Things of more substance I'll send to the list.

The first (this) is some more substance for the Security Considerations section which I don't think will pass through the IESG in its current state.

Cheers,
Adrian

===

OLD

11 Security Considerations

The security considerations for SFCs are broadly similar to those concerning the data, control and management planes of any device placed in a network. Details are out of scope for this document.

NEW

11 Security Considerations

The security of an SFC system as described in this document depends heavily on the security of BGP since attacks on the information distributed by the protocol could result in disruption to or subversion of the service function chain. For example, a chain of security functions could be made to deliver the packets in the flow, but circumnavigate the security functions that were supposed to be applied to the packets. Therefore, the use of the security mechanisms defined for BGP is necessary. BGP runs over TCP and so protection of the TCP messages can provide a high level of protection for the SFC control plane. Security for BGP is discussed in [RFC4271] and [RFC6952].

Traffic flows in an SFC might be considered to be somewhat more vulnerable than in a normal routing system where the service functions are executed in dedicated hardware as "bumps in the wire". In particular, when service functions are provided as generic software, for example in a data center, the traffic flows are only as secure as the data center infrastructure and software installations. One might imagine "data replication as a service" being installed without the permission of the network operator or traffic source. However, this class of problem is generic to all SFC systems and not specific to the solution described in this document. It needs to be addressed as part of the SFC infrastructure and does not depend on the security of the protocols used to establish and manage the service function chains themselves. For more details see [sfc-arch].

END

ADD Informational Reference

[RFC6952] Jethanandani, M., Patel, K., and Zheng, L., "Analysis of BGP, LDP, PCEP, and MSDP Issues According to the Keying and Authentication for Routing Protocols (KARP) Design Guide", RFC 6952, May 2013.

END
