Re: [secdir] SECDIR review of draft-freytag-lager-variant-rules-03

[Chris Lonvick <lonvick.ietf@gmail.com>]

Hi Scott,

Oops. :-) The assignment I got on the 19th was for -02 which was what I 
reviewed. I got a reminder on the 26th which was for -03 so I just put 
that in. And yes, I did mean 7940.

The Security Considerations section is much better in -03. However, if 
it is possible, I would still like to see something more in there. RFC 
7940 has a short section in its Security Considerations section, noted 
below, about how LGRs are only a partial remedy to the problem. The new 
Security Considerations section in -03 seems to indicate that the 
problem space may be constrained by properly utilizing certain optional 
features of 7940. If that is correct, then perhaps the author would 
consider revising the last part of the second paragraph to more clearly 
state that?

Current:

    By including
    certain declarations that are optional under the schema and may not
    alter the results of processing a label, such an LGR supports the
    task of review and verification by more clearly expressing the
    intent.


Proposed:
    Utilizing certain optional declarations under the schema provides a 
clear expression
    of the label. When properly used, the label becomes unalterable and 
observably
    verifiable.

 From there, I would also like to see a quick statement about any other 
areas that implementers should be aware of that are not addressed in 
this document. I'm not familiar enough with this technology to know if 
there is or isn't. If there are no other issues, or they are far outside 
the scope of this document, then don't worry about it.

Regards,
Chris


On 1/30/17 12:48 PM, Hollenbeck, Scott wrote:
> Thanks for the review, Chris. I should note that my document shepherd 
> review of the -02 version of this draft also produced feedback about 
> the need to add Security Considerations text. The author added text 
> and published the -03 version on 23 January. Chris, could you please 
> look at -03 and see how well the text addresses your comments modulo 
> what you’ve shared below? I assume that you meant RFC 7940 
> (Representing Label Generation Rulesets Using XML) when you wrote RFC 
> 7948 (Internet Exchange BGP Route Server Operations).
>
> Scott
>
> *From:*Chris Lonvick [mailto:lonvick.ietf@gmail.com]
> *Sent:* Sunday, January 29, 2017 9:46 PM
> *To:* iesg@ietf.org; secdir@ietf.org; 
> draft-freytag-lager-variant-rules.all@ietf.org
> *Subject:* [EXTERNAL] SECDIR review of 
> draft-freytag-lager-variant-rules-03
>
> Hi,
>
> I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG. These comments were written primarily for the benefit of the 
> security area directors. Document editors and WG chairs should treat 
> these comments just like any other last call comments.
>
> I consider this draft to be ready with issues.
>
> The document is well written and thorough but has no content in the 
> Security Considerations section. The guidance provided in this 
> INFORMATIONAL document appears to be sound but it should still provide 
> a statement of how this work attempts to address the security concerns 
> of RFC 7948. For perspective, the title of section 12.1 of the 
> Security Considerations section is "LGRs Are Only a Partial Remedy for 
> Problem Space".
>
> My recommendation is that a Security Considerations section for this 
> document incorporate the Security Considerations section of RFC 7948, 
> along with statements of how the document addresses the obtainable 
> remediations, and what implementers should continue to be concerned 
> about.
>
> Thanks,
> Chris
>