[secdir] Secdir review of draft-ietf-mpls-oam-ipv6-rao-02

Vincent Roca <vincent.roca@inria.fr> Thu, 29 January 2015 19:36 UTC

Return-Path: <vincent.roca@inria.fr>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A845D1A6FEF; Thu, 29 Jan 2015 11:36:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.56
X-Spam-Level:
X-Spam-Status: No, score=-8.56 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z-zxg7CXsn9t; Thu, 29 Jan 2015 11:36:00 -0800 (PST)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 728A21A6F33; Thu, 29 Jan 2015 11:35:59 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.09,487,1418079600"; d="scan'208";a="119406641"
Received: from anice-152-1-52-170.w86-193.abo.wanadoo.fr (HELO mbp-de-vincent.lan) ([86.193.91.170]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/AES128-SHA; 29 Jan 2015 20:35:55 +0100
From: Vincent Roca <vincent.roca@inria.fr>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
Date: Thu, 29 Jan 2015 20:35:52 +0100
Message-Id: <53F9995B-6F70-49D2-ABA1-AD293C185121@inria.fr>
To: IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-mpls-oam-ipv6-rao@tools.ietf.org
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/QE1vve5bXGqIN05izQXw4pZAKpw>
Subject: [secdir] Secdir review of draft-ietf-mpls-oam-ipv6-rao-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jan 2015 19:36:01 -0000

Hello,

I have reviewed this document as part of the security directorate’s ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

Summary: ready

This document specifies a new Router Alert Option Value for IPv6, to be used
by MPLS OAM tools in IPv6 environments.
It does not introduce any new mechanism that is likely to create security
threats. Additionally, RFC 6398 discusses the security aspects of IP Router
Alert in detail. The Security Considerations section of the present document
refers to this (and related RFCs) for security aspects which I think is appropriate.


Non-Security comments:

** The Introduction uses several terms that appear to me synonymous, namely:
       generic Option Value
       generic IPV6 Router Alert code point
       Value field in the Router Alert Option
       IPv6 Router Alert Option Value
And later in Section 3:
       option value            (i.e., without any upper case letter)
Or in Section 6:
       defines a new code point (value TBD1)
It's worth to harmonize them.

** Section 5: there's probably a missing word in:
       "...examine the packet the MPLS OAM purpose."