This is a follow-up to my secdir review of draft-ietf-pwe3-fc-encap-14.txt, included below. I have reviewed the Security Considerations section in the latest version of this draft: draft-ietf-pwe3-fc-encap-15.txt. My concerns with the previous version have been resolved and I'm happy with the new version. It provides good guidance on the security issues related to the document. The new Security Considerations are still brief but they now point to several other documents that provide appropriate guidance. One security issue unique to this document is identified and mitigation measures are recommended. From a security perspective, this document is now ready to go!

Thanks to the document authors for addressing the concerns that I had raised in a prompt and proper manner.

Take care,

Steve

> -----Original Message-----
> From: Stephen Hanna
> Sent: Monday, February 21, 2011 10:04 AM
> To: 'secdir at ietf.org'; iesg at ietf.org
> Cc: 'draft-ietf-pwe3-fc-encap at tools.ietf.org'
> Subject: secdir review of draft-ietf-pwe3-fc-encap-14.txt
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> This document describes how Fibre Channel traffic can be carried
> over MPLS networks using a Fibre Channel pseudowire (FC PW). I am
> not an expert in Fibre Channel, MPLS, or pseudowires so I will not
> venture any judgment on the content of the draft. I will focus
> exclusively on the Security Considerations section.
>
> The Security Considerations section is rather brief, only five
> sentences long. While I support brevity, this section seems to
> omit key information. For example, the text says "FC PW shares
> susceptibility to a number of pseudowire-layer attacks and
> implementations SHOULD use whatever mechanisms for confidentiality,
> integrity, and authentication are developed for PWs in general.
> These methods are beyond the scope of this document." That's too
> brief. At least, the authors should add a reference to a document
> that describes the attacks to which this protocol is susceptible
> and the countermeasures that can be employed. If no such document
> exists, either it should be written or this document should describe
> the threats and countermeasures or this document should admit that
> the threats and countermeasures are not understood at this time.
> You can't just leave the analysis of threats and countermeasures
> to the reader.
>
> Thanks,
>
> Steve Hanna