[secdir] Secdir last call review of draft-ietf-ospf-ospfv3-segment-routing-extensions-16

Yaron Sheffer <yaronf.ietf@gmail.com> Sun, 04 November 2018 15:38 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id EBF04130E2E; Sun, 4 Nov 2018 07:38:14 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: <secdir@ietf.org>
Cc: lsr@ietf.org, ietf@ietf.org, draft-ietf-ospf-ospfv3-segment-routing-extensions.all@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.87.3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <154134589488.32046.1179323499664545252@ietfa.amsl.com>
Date: Sun, 04 Nov 2018 07:38:14 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/9zjLanQMGTijEEz7ja3LncnbTqk>
Subject: [secdir] Secdir last call review of draft-ietf-ospf-ospfv3-segment-routing-extensions-16
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Nov 2018 15:38:15 -0000

Reviewer: Yaron Sheffer
Review result: Has Nits

Summary: document has non-security related nits.


* The definition of "segment" is different here from the one used in the
architecture RFC. The RFC is more abstract, quoting: A node steers a packet
through an ordered list of instructions, called "segments". Whereas here a
segment is simply a sub-path. This is confusing to a non-expert, and perhaps
indicates a change in the group's thinking.

* SID/Label Sub-TLV: is it Mandatory? If so, please point it out.

* "The SR-Algorithm TLV is optional" - I find this sentence confusing. Maybe
replace by "The SR-Algorithm TLV is mandatory for routers that implement
segment routing"?

* The reference under "IGP Algorithm Type" registry should be to the IANA
registry itself, not to the I-D that defines it. (In particular since the IANA
registry has already been established,

* OSPFv3 Extended Prefix Range TLV Flags octet: add the usual incantation about
reserved bits.

* In general I agree with the reasoning in the Security Considerations. I would
like to raise the question if, in addition to mis-routing, this adds a threat
of massive denial-of-service on MPLS endpoints, e.g. by allowing an attacker
who has OSPF access to introduce routing loops. (This may be completely bogus,
I am far from expert with either of these protocols).