[Roll] Secdir last call review of draft-ietf-roll-turnon-rfc8138-12

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Sat, 05 September 2020 10:43 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-roll-turnon-rfc8138.all@ietf.org" <draft-ietf-roll-turnon-rfc8138.all@ietf.org>, "roll@ietf.org" <roll@ietf.org>
Date: Sat, 05 Sep 2020 10:43:48 +0000
Message-ID: <MWHPR16MB15352A9604389BC647A87A5FEA2A0@MWHPR16MB1535.namprd16.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/roll/2B7vVZDuzdt3dvrlgLSjuJkeMe4>
Subject: [Roll] Secdir last call review of draft-ietf-roll-turnon-rfc8138-12

Reviewer: Tirumaleswar Reddy
Review result: Ready with nits

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

Summary: Ready with nits

[1] You may want to clarify how the attacker manages to modify a protected configuration including the "T" flag introduced in this spec.
[2] Is it possible to identify the attacker (or compromised router) who set the "T" flag, so as to take remediation measures?
[3] If, due to a human error, one or more of the on-path routers are not upgraded, or if a router sees both settings, I presume an alert could be sent to network management for troubleshooting. You may want to add text to discuss the same.
[4] What do you mean by "subDAG" (I don't see any definition in this spec or RFC 8138)?

Cheers,
-Tiru
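The management-side check that question [3] asks the draft to discuss, as an added example that is not part of the review, the draft, or any RPL implementation: it parses the DODAG Configuration option carried in RPL DIO messages, reads the "T" flag, and raises an alert when DIOs observed for one DODAG disagree on the flag (the mixed-upgrade case) or carry a malformed option. Assumptions, labelled in the code as well: the option layout follows RFC 6550 section 6.7.6 (Type 0x04, Opt Length 14, first body octet holding Flags, A and PCS), and the "T" flag is assumed to sit at bit 2 of the Flags field counting from the most significant bit (mask 0x20), which is where the draft's later published form, RFC 9035, registers it; verify this against the draft revision you actually deploy. The DIO samples, router names and DODAG identifiers are constructed for the example.

```python
"""Added example: detect inconsistent 'T' flag settings across DIOs of one DODAG.

Not code from the review, the draft, or any RPL stack. Layout assumptions:
  RFC 6550 6.7.6 DODAG Configuration option: Type 0x04, Opt Length 14,
  body[0] = Flags(4 bits) | A(1 bit) | PCS(3 bits), body[8:10] = OCP.
  'T' flag assumed at Flags bit 2 (MSB = bit 0), i.e. mask 0x20 (RFC 9035).
"""
from dataclasses import dataclass

DODAG_CONFIG_TYPE = 0x04
DODAG_CONFIG_LEN = 14
T_FLAG_MASK = 0x20   # assumption: bit 2 of the Flags field, MSB counted as bit 0
A_FLAG_MASK = 0x08   # 'A' (authentication enabled) bit from RFC 6550
PCS_MASK = 0x07      # Path Control Size, low 3 bits of the same octet


class MalformedOption(ValueError):
    """Raised when the bytes do not form a valid DODAG Configuration option."""


@dataclass
class DodagConfig:
    t_flag: bool
    a_flag: bool
    pcs: int
    ocp: int


def parse_dodag_config(option: bytes) -> DodagConfig:
    """Parse a Type/Length/Body encoded DODAG Configuration option."""
    if len(option) < 2:
        raise MalformedOption("truncated option header")
    if option[0] != DODAG_CONFIG_TYPE:
        raise MalformedOption(f"not a DODAG Configuration option: type {option[0]:#x}")
    length = option[1]
    if length != DODAG_CONFIG_LEN or len(option) < 2 + length:
        raise MalformedOption(f"bad Opt Length {length} for {len(option)} bytes")
    body = option[2:2 + length]
    flags = body[0]
    return DodagConfig(
        t_flag=bool(flags & T_FLAG_MASK),
        a_flag=bool(flags & A_FLAG_MASK),
        pcs=flags & PCS_MASK,
        ocp=int.from_bytes(body[8:10], "big"),
    )


def build_dodag_config(t_flag: bool, a_flag: bool = False, pcs: int = 0, ocp: int = 1) -> bytes:
    """Construct a 16-byte option with plausible timer values (constructed sample data)."""
    flags = (T_FLAG_MASK if t_flag else 0) | (A_FLAG_MASK if a_flag else 0) | (pcs & PCS_MASK)
    body = (
        bytes([flags, 20, 12, 10])            # Flags/A/PCS, DIOIntDoubl, DIOIntMin, DIORedun
        + (1792).to_bytes(2, "big")           # MaxRankIncrease
        + (256).to_bytes(2, "big")            # MinHopRankIncrease
        + ocp.to_bytes(2, "big")              # OCP
        + bytes([0, 30])                      # Reserved, Default Lifetime
        + (60).to_bytes(2, "big")             # Lifetime Unit
    )
    return bytes([DODAG_CONFIG_TYPE, len(body)]) + body


def check_t_flag_consistency(observations):
    """observations: iterable of (dodag_id, router, option_bytes) taken from observed DIOs.

    Returns a list of alert strings: one per malformed option, and one per DODAG
    in which some routers advertise 'T' set while others advertise it clear.
    """
    per_dodag: dict = {}
    alerts = []
    for dodag_id, router, raw in observations:
        try:
            cfg = parse_dodag_config(raw)
        except MalformedOption as exc:
            alerts.append(f"{dodag_id}: malformed DODAG Configuration from {router}: {exc}")
            continue
        per_dodag.setdefault(dodag_id, {})[router] = cfg.t_flag
    for dodag_id, routers in per_dodag.items():
        if len(set(routers.values())) > 1:
            on = sorted(r for r, t in routers.items() if t)
            off = sorted(r for r, t in routers.items() if not t)
            alerts.append(f"{dodag_id}: 'T' flag mismatch; set by {on}, clear from {off}")
    return alerts


# Constructed sample: rtr-B is a legacy router that re-emits the option without the bit,
# rtr-C emits an option with a wrong Opt Length.
CONSTRUCTED_DIOS = [
    ("dodag-1", "root", build_dodag_config(t_flag=True)),
    ("dodag-1", "rtr-A", build_dodag_config(t_flag=True)),
    ("dodag-1", "rtr-B", build_dodag_config(t_flag=False)),
    ("dodag-2", "root", build_dodag_config(t_flag=True)),
    ("dodag-2", "rtr-C", b"\x04\x0d" + bytes(13)),
]

if __name__ == "__main__":
    for alert in check_t_flag_consistency(CONSTRUCTED_DIOS):
        print("ALERT", alert)
```

The check keys on the last option seen per router, so a router that flips between settings across successive DIOs is reported only if the final values still disagree; a deployment that wants to catch flapping would keep a history per router instead of a single value.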