On 9/17/2017 12:50 AM, Randy Bush wrote: >> 1) Encrypt the data in transit, using IPSEC or similar; > like this is gonna happen. this is the secdir pacifier. Well Randy, I am writing the Sec Dir review... > >> That's not a bad posture, but I wish that you were explicit about the >> threats. I am somewhat concerned that the "administrative domain" >> approach leads to complacency, as in "my domain is secure, I am only >> concerned with external leakage". > there is common talk about pushing some services in a chain to the > cloud, aka other people's computers. This is why I think security reviews should mention the threats as well as the solutions. That's a feedback I am giving on draft-ietf-sfc-nsh-21. For me, the threats are clear: some of your links will be tapped, even if you think they will not. Some of your devices will be hacked, it will take you some time to discover that, and you would much prefer the failures to be gradual rather than catastrophic. Some of the third party services that provide you with an attractive function are also in the business of collecting metadata for corporate surveillance, even if you like the price they charge. If the threats are not acknowledged, the security recommendations become a mere incantation. "Do these magic things or the protocol police will send you a nasty letter in triplicate." Once the threats are acknowledged, good engineers understand the problems and fix them. And the point of standards is that the fixes are done in a compatible ways on various components of various providers. -- Christian Huitema