[RTG-DIR] RtgDir review: draft-ietf-intarea-provisioning-domains-09
<7riw77@gmail.com> Tue, 17 December 2019 01:43 UTC
Return-Path: <7riw77@gmail.com>
X-Original-To: rtg-dir@ietfa.amsl.com
Delivered-To: rtg-dir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1413212096E; Mon, 16 Dec 2019 17:43:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.747
X-Spam-Level:
X-Spam-Status: No, score=-1.747 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ef675AnG6-PX; Mon, 16 Dec 2019 17:43:22 -0800 (PST)
Received: from mail-yb1-xb34.google.com (mail-yb1-xb34.google.com [IPv6:2607:f8b0:4864:20::b34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37A1F12009C; Mon, 16 Dec 2019 17:43:19 -0800 (PST)
Received: by mail-yb1-xb34.google.com with SMTP id i3so3807802ybe.12; Mon, 16 Dec 2019 17:43:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version:content-language :thread-index; bh=K3Ee3Lvc63SuF23nMkGrUOHm39bin+ZGY8WTZemKUh4=; b=qCVnEwm9g+yQ17qU05c9YjdRuCVFlX/N9CmIIv5kgM9P6/zuCzwlw/p5vB+VIwLVtm 7GyPnjfDEFwM1cKTpz88Qj+hrwHyBgCBRG3PzfVQDhSWVMID+PEDAjrL6vrTtgzlc5ug 3h0LHkg2kIPX9uz/xNLr6aJ+JUj9jYx9k6K9j/yfgsA6L24lmKYj6kkmcxTQgQsY1FaP dWqpxwTjLSUtCAevfay7HFC8114Mp5uzTtxnXf93689u7nSjlXx/A+JqF9/a+pTItncQ /Ivetpy7z5Oq4ZcD+tUuH6rupJIspUv//iCx+X2fe6AqVr7aMUF+ZAmbRiOMUmJQ+igG ro4g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-language:thread-index; bh=K3Ee3Lvc63SuF23nMkGrUOHm39bin+ZGY8WTZemKUh4=; b=sq/cg5Gz/ll+ivyqkQfrTw+O0qEefG+FhZ4RRNfQdq4GvgA2XxJ7VPF3t09Dz2DGgp JY95yy8mjNxzIQRmmBHSD5aBhUCOfOjRJnzZmP98jwJOdYQQwmaFwBIuee2Wkycr7aY7 rWjuEaiO0KgTWFSn69/NPSVqSfMkFn2rpyb2jSDJK/xc5RU6kq2vYi6r/MjwjUQpeMK7 WcFctQo/SeRwXlBl56yrdTLGMmxThAlYZqg53A+JemyWRiglep1kOEFFa051VQqjZJPd coMsciDIwcgBBHASAn0dDPGsQoaMa1IGV+pRf4Pi7lXR08hDcKosA1K9JmYp5GYLdQ2s zwuw==
X-Gm-Message-State: APjAAAVPKw3PXbKqdQ6Wp3TEjDCdzzStXUoznpjq891tEE7lsqtNB/AH i6iqZ9RuqDkPNKK0XsMShgJUHCuw7Y4=
X-Google-Smtp-Source: APXvYqzIKtvSKZ1HYemjGTzMEo8eu7SfUqiDlSqom9zRSD7fZPTRLmHLK1qiFws2wapC5vE0TGrJXg==
X-Received: by 2002:a25:9d0a:: with SMTP id i10mr22560015ybp.381.1576546997841; Mon, 16 Dec 2019 17:43:17 -0800 (PST)
Received: from RussPC (162-229-180-77.lightspeed.rlghnc.sbcglobal.net. [162.229.180.77]) by smtp.gmail.com with ESMTPSA id z12sm9390842ywl.27.2019.12.16.17.43.16 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 16 Dec 2019 17:43:17 -0800 (PST)
From: 7riw77@gmail.com
To: rtg-ads@ietf.org
Cc: rtg-dir@ietf.org, draft-ietf-intarea-provisioning-domains.all@ietf.org, int-area@ietf.org
Date: Mon, 16 Dec 2019 20:43:17 -0500
Message-ID: <03cb01d5b47b$5b63c560$122b5020$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_03CC_01D5B451.728E59A0"
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-us
Thread-Index: AdW0e0bmyQgzlqIwTdWg589l5OfCnQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-dir/LzazCGEGaNqbAXLdcnIjwQqLFyc>
Subject: [RTG-DIR] RtgDir review: draft-ietf-intarea-provisioning-domains-09
X-BeenThere: rtg-dir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Routing Area Directorate <rtg-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-dir/>
List-Post: <mailto:rtg-dir@ietf.org>
List-Help: <mailto:rtg-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Dec 2019 01:43:24 -0000
Hello, I have been selected as the Routing Directorate reviewer for this draft. The Routing Directorate seeks to review all routing or routing-related drafts as they pass through IETF last call and IESG review, and sometimes on special request. The purpose of the review is to provide assistance to the Routing ADs. For more information about the Routing Directorate, please see http://trac.tools.ietf.org/area/rtg/trac/wiki/RtgDir Although these comments are primarily for the use of the Routing ADs, it would be helpful if you could consider them along with any other IETF Last Call comments that you receive, and strive to resolve them through discussion or by updating the draft. Document: draft-ietf-intarea-provisioning-domains-09 Reviewer: Russ White Review Date: 16 December 2019 Intended Status: Standards Track Summary: I have some minor concerns about this document that I think should be resolved before publication. Comments: The draft is very readable, explaining the problems being addressed, the various options, and the solution in clear and precise language. Major Issues: No major issues found. Minor Issues: This is really more of a possible addition rather strictly being an issue. Section 3.4.4 notes the importance of not allowing DNS queries for PvD information to leak into recursive DNS servers. There are security issues here that are not mentioned, but might be worth mentioning. Specifically, if a DNS query for PvD information is somehow leaked into the recursive DNS system, it could reveal information about the querying hosts which could present a security breach. This would just be another reason to be added to this section as justification, and potentially added to the security considerations section. A second area to consider here is that it might be good to mention having a filter or mechanism on the implementing router that allows the user to configure filtering PvD information so it is only ever transmitted to attached hosts. It may be that some outside attacker could use this information to find attack surfaces or do network discovery to prepare for an attack, so it might be best to allow the user to keep this information "private" to only the intended recipients in some way or another. The network operator shouldn't really be using this information to query PvD information, but rather should be using some management interface, so this should not impair it's use in any way. This may be covered in section 7, but it might need to be a bit more explicit (?). /r