[secdir] Secdir last call review of draft-ietf-isis-segment-routing-msd-16

David Waltermire <david.waltermire@nist.gov> Tue, 25 September 2018 19:13 UTC

Return-Path: <david.waltermire@nist.gov>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 8140E128CF3; Tue, 25 Sep 2018 12:13:56 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: David Waltermire <david.waltermire@nist.gov>
To: <secdir@ietf.org>
Cc: lsr@ietf.org, ietf@ietf.org, draft-ietf-isis-segment-routing-msd.all@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.84.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <153790283647.5258.15634056350853857580@ietfa.amsl.com>
Date: Tue, 25 Sep 2018 12:13:56 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/BA_sLUsrVAifEM7HF5iFjsJsDQg>
Subject: [secdir] Secdir last call review of draft-ietf-isis-segment-routing-msd-16
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Sep 2018 19:13:57 -0000

Reviewer: David Waltermire
Review result: Has Issues

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
 Document editors and WG chairs should treat these comments just like any other
last call comments.

The summary of the review is Ready with (minor) issues

My apologies for the late review on this draft. Overall I found this document
to be well-written, and concise.

General Comments:

This document uses a mix of case around RFC2119 language (e.g., MAY may). You
should use text from RFC8174 to indicate that lowercase versions of the
keywords are not normative, or adjust the case of the lowercase words to ensure
there is no confusion.

Minor nit: There is some inconsistency in the use of "MSD-Type" (the value) and
"MSD type" (the concept). Suggest cleaning this up.

Specific comments:

Section 1:

Para 1: s/to insure/to ensure/

Section 4:

The last paragraph establishes a requirement on the registration of an MSD Type
to define what the absence of a given MSD Type means. This is an important
requirement that must be addressed during registration of new MSD Types. IMHO,
this requirement should be echoed in the registration information in section 6
to make sure it is not overlooked.

Section 6:

The "Base MPLS Imposition MSD" should reference section 5 of this document.

The registration for "Experimental" should be marked as "Reserved for
Experimental Use" or just "Experimental Use" to align with RFC8126. RFC8126
states that "it is not appropriate for documents to select explicit values from
registries or ranges with this policy". It might be good to add a note
alongside the one on "Designated Experts" indicating that values from this
range are not assignable.

The "Interior Gateway Protocol (IGP) Parameters" registry has the "Standards
Action" policy assigned. The new "IGP MSD Types" sub-registry does not have the
"Standards Action" policy. Was this intentional? If so, this should be
explained. This is also confusing since the guidance for expert reviewers in
RFC7370 implies that registrations are based on the "RFC Required" or
"Standards Action" policies.

Section 7:

The security considerations in RFC7981 ask that security considerations around
the disclosure and modification of this type of information is described in
extensions. This has been done, but RFC7981 also asks that an integrity
mechanism be provided if there is a high risk resulting from modification of
capability information. There is no discussion in the document's security
consideration about the nature of risk in this case and why an integrity
mechanism is not needed. It seems like false information can be used to cause a
denial of service regarding computed paths. This sounds like having this happen
could be bad. I am not an expert on routing protocols, so I am not sure if this
is an issue. How bad and likely is such a risk?