Re: [Idr] Secdir early review of draft-ietf-idr-ext-opt-param-09

John Scudder <jgs@juniper.net> Wed, 06 January 2021 16:14 UTC

From: John Scudder <jgs@juniper.net>
To: Nancy Cam-Winget <ncamwing@cisco.com>
CC: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-idr-ext-opt-param.all@ietf.org" <draft-ietf-idr-ext-opt-param.all@ietf.org>, "idr@ietf.org" <idr@ietf.org>
Date: Wed, 6 Jan 2021 16:14:23 +0000
Message-ID: <4DF0A75A-8A23-40BA-AD43-B1B5BF0E29EB@juniper.net>
References: <160825465125.21464.15874080718333007730@ietfa.amsl.com>
In-Reply-To: <160825465125.21464.15874080718333007730@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/5mAm7w0gtQ1VNskm7-StDkoq6Yw>

Hi Nancy,

Thanks for your review. Comments below.

On Dec 17, 2020, at 8:24 PM, Nancy Cam-Winget via Datatracker <noreply@ietf.org> wrote:

Reviewer: Nancy Cam-Winget
Review result: Ready

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes the allowance for the extended optional parameters in
BGP to be greater than 255.  As written, the document is straightforward and on
point. I only have an editorial nit and a suggestion.

NIT:
Section 2: 1st sentence of the 7th paragraph "that in the..." Needs to be fixed.
Should it be: "that is in the..."?

This is the paragraph:


   The subsequent one-octet field, that in the non-extended format would
   be the first Optional Parameter Type field, MUST be set to 255 on
   transmission.  On receipt, a value of 255 for this field is the
   indication that the extended format is in use.


I think it is correct as written, but I can see why it doesn’t scan well for everyone. We could rewrite as something like “The subsequent one-octet field (that would be the first Optional Parameter Type field in the non-extended format) MUST be set to 255 on transmission.”

What do you think? Clearer?

Suggestion:
- As new drafts need to include security and privacy considerations, I think it
would be good to just add in the security section (5) that it doesn't change
both underlying security or privacy issues as noted in RFC5272.

I think you must mean RFC 4272. I added “or confidentiality” instead of “or privacy”, since 4272 doesn’t address privacy by name at all. Reasonable?

Regards,

—John
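The paragraph quoted above is the whole receiver-side decision rule: a one-octet Optional Parameters Length of 255 followed by a second octet of 255 means the extended format (two-octet Extended Optional Parameters Length, then parameters with two-octet lengths) is in use; 255 followed by anything else is an ordinary RFC 4271 OPEN whose parameters happen to total 255 octets. The following is an added example written for this archive page, not code from the draft (later published as RFC 9072) or from any BGP implementation. It assumes `buf` starts at the Optional Parameters Length field and ends exactly where the OPEN message's own Length field says the message ends, and it relies on the draft reserving Optional Parameter Type 255 as the marker so that no well-formed sender emits that type in the classic layout. The sample byte strings are constructed, not captured traffic; `encode_open_optional_params` and `parse_open_optional_params` are names chosen here.

```python
"""Parser/encoder for the Optional Parameters part of a BGP OPEN message,
covering the classic RFC 4271 layout and the extended layout defined by
draft-ietf-idr-ext-opt-param (published as RFC 9072).

Constructed example; not code from the draft or from any BGP implementation.
Assumptions: `buf` starts at the one-octet Optional Parameters Length field
(after Version, My AS, Hold Time and BGP Identifier) and ends exactly where
the OPEN message's own Length field says the message ends.
"""
import struct
from typing import List, Tuple

EXTENDED_MARKER = 255       # both trigger octets carry this value
PARM_TYPE_CAPABILITIES = 2  # Capabilities Optional Parameter (RFC 5492)

Param = Tuple[int, bytes]   # (Parm. Type, Parm. Value)


def parse_open_optional_params(buf: bytes) -> Tuple[bool, List[Param]]:
    """Return (extended_format_in_use, [(parm_type, parm_value), ...]).

    Every length field is checked against the octets actually present; a
    ValueError here is the "bad message length" case a receiver must reject
    with a NOTIFICATION instead of reading past the buffer.
    """
    if len(buf) < 1:
        raise ValueError("missing Optional Parameters Length")
    opt_len = buf[0]
    # Extended format is signalled only when BOTH octets are 255. A length of
    # 255 followed by any other octet is a legitimate non-extended OPEN whose
    # first Optional Parameter Type happens to be that octet (type 255 itself is
    # reserved by the draft as the marker, so no well-formed sender emits it).
    extended = (opt_len == EXTENDED_MARKER and len(buf) >= 2
                and buf[1] == EXTENDED_MARKER)
    if extended:
        if len(buf) < 4:
            raise ValueError("truncated Extended Optional Parameters Length")
        (opt_len,) = struct.unpack_from("!H", buf, 2)
        pos, hdr = 4, 3   # per-parameter header: 1-octet type + 2-octet length
    else:
        pos, hdr = 1, 2   # per-parameter header: 1-octet type + 1-octet length
    end = pos + opt_len
    if end != len(buf):
        raise ValueError(
            f"declared parameters length {opt_len} != {len(buf) - pos} octets present")

    params: List[Param] = []
    while pos < end:
        if pos + hdr > end:
            raise ValueError("truncated Optional Parameter header")
        ptype = buf[pos]
        plen = struct.unpack_from("!H", buf, pos + 1)[0] if extended else buf[pos + 1]
        pos += hdr
        if pos + plen > end:
            raise ValueError(f"Optional Parameter type {ptype} length {plen} overruns message")
        params.append((ptype, bytes(buf[pos:pos + plen])))
        pos += plen
    return extended, params


def encode_open_optional_params(params: List[Param], force_extended: bool = False) -> bytes:
    """Sender side: use the classic layout whenever it fits, otherwise set both
    trigger octets to 255 and switch to two-octet lengths."""
    if not force_extended and all(len(v) <= 255 for _, v in params):
        body = b"".join(bytes([t, len(v)]) + v for t, v in params)
        if len(body) <= 255:
            return bytes([len(body)]) + body
    body = b"".join(struct.pack("!BH", t, len(v)) + v for t, v in params)
    if len(body) > 0xFFFF:
        raise ValueError("Optional Parameters exceed the two-octet length field")
    return bytes([EXTENDED_MARKER, EXTENDED_MARKER]) + struct.pack("!H", len(body)) + body


# Constructed sample inputs (hex), not captured traffic.
# One Capabilities parameter carrying a single capability code 6 (BGP Extended
# Message, RFC 8654) with a zero-length value.
CLASSIC_OPEN_PARAMS = bytes.fromhex("04" "02" "02" "0600")
# Same content in the extended layout: 255, 255, ext length 5, type 2, len 0x0002.
EXTENDED_OPEN_PARAMS = bytes.fromhex("ff" "ff" "0005" "02" "0002" "0600")
# Non-extended OPEN whose length really is 255: second octet is 2, not 255.
AMBIGUOUS_255_PARAMS = bytes([255, PARM_TYPE_CAPABILITIES, 253]) + bytes(253)

if __name__ == "__main__":
    for name, sample in [("classic", CLASSIC_OPEN_PARAMS),
                         ("extended", EXTENDED_OPEN_PARAMS),
                         ("classic-255", AMBIGUOUS_255_PARAMS)]:
        ext, parsed = parse_open_optional_params(sample)
        print(f"{name}: extended={ext} params={[(t, len(v)) for t, v in parsed]}")
```

The point a reviewer of the security section would want to see is the `end != len(buf)` and `pos + plen > end` checks: the two-octet lengths let a peer claim up to 65535 octets of parameters, so a receiver must bound every length by the octets the OPEN Length field actually delivered before reading, exactly as it already had to for the one-octet fields. That is why the draft can say it changes no underlying security properties beyond those in RFC 4272.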