[secdir] Review of draft-ietf-bfd-seamless-base-09

Shawn M Emery <shawn.emery@oracle.com> Wed, 04 May 2016 06:17 UTC

Return-Path: <shawn.emery@oracle.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 086DF12B042 for <secdir@ietfa.amsl.com>; Tue, 3 May 2016 23:17:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.197
X-Spam-Status: No, score=-5.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id gvsVckOJUV8i for <secdir@ietfa.amsl.com>; Tue, 3 May 2016 23:16:55 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29BF212B065 for <secdir@ietf.org>; Tue, 3 May 2016 23:16:48 -0700 (PDT)
Received: from userv0022.oracle.com (userv0022.oracle.com []) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u446GjC4003645 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 4 May 2016 06:16:46 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com []) by userv0022.oracle.com (8.14.4/8.13.8) with ESMTP id u446GjhX011787 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 4 May 2016 06:16:45 GMT
Received: from abhmp0010.oracle.com (abhmp0010.oracle.com []) by userv0121.oracle.com (8.13.8/8.13.8) with ESMTP id u446GiEE017684; Wed, 4 May 2016 06:16:45 GMT
Received: from [] (/ by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 03 May 2016 23:16:44 -0700
References: <56908353.5050200@oracle.com>
To: secdir@ietf.org
From: Shawn M Emery <shawn.emery@oracle.com>
X-Forwarded-Message-Id: <56908353.5050200@oracle.com>
Message-ID: <5729944D.4040403@oracle.com>
Date: Wed, 04 May 2016 00:18:53 -0600
User-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:38.0) Gecko/20100101 Thunderbird/38.5.0
MIME-Version: 1.0
In-Reply-To: <56908353.5050200@oracle.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Source-IP: userv0022.oracle.com []
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/EzxXKjw_z7UqrwWQE5C5HyssJbs>
Cc: draft-ietf-bfd-seamless-base.all@tools.ietf.org
Subject: [secdir] Review of draft-ietf-bfd-seamless-base-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 May 2016 06:17:01 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This draft specifies a version of Bidirectional Forwarding Detection (BFD) that
allows for better efficiencies in provisioning and path monitoring of network
node infrastructure.

The security considerations section does exist and asserts that the security
considerations that pertain to the base BFD protocol, RFC 5880, also apply
to this protocol.  The section continues with guidance on authenticating data,
replay, and DoS avoidance, specific to this protocol.  I agree with most of the
recommendations outlined and assertions presented in this section.  5880 is
forthcoming with the various vulnerabilities/limitations of the base protocol.
However, the draft does not cover the case where an attacker impersonates the
SBFDInitiator, but does cover the SBFDReflector scenario.

General comments:


Editorial comments:

s/Once above setup/Once the above setup/
s/it can quickly/can quickly/
s/and IS-IS will advertises/and IS-IS advertises/
s/then response S-BFD/then a response S-BFD/
s/allocated a same/allocated the same/
s/Remainder of this/The remainder of this/
s/for above suggestions/for the suggestions above/
s/that discriminator/that the discriminator/
s/for a same/for the same/
s/is to have following/has the following/
... I stopped after this.  Please have someone review the rest of the draft for
grammar.  It will be hard to read w/o these updates.