[secdir] secdir review of draft-ietf-sidr-roa-format

Samuel Weiler <weiler@watson.org> Thu, 12 May 2011 02:43 UTC

Return-Path: <weiler@watson.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C5FDE0681; Wed, 11 May 2011 19:43:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jWj1DpT1Az9A; Wed, 11 May 2011 19:43:42 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by ietfa.amsl.com (Postfix) with ESMTP id 9B9CFE0662; Wed, 11 May 2011 19:43:42 -0700 (PDT)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.4/8.14.4) with ESMTP id p4C2hfen073937; Wed, 11 May 2011 22:43:41 -0400 (EDT) (envelope-from weiler@watson.org)
Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.4/8.14.4/Submit) with ESMTP id p4C2heUq073932; Wed, 11 May 2011 22:43:40 -0400 (EDT) (envelope-from weiler@watson.org)
X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs
Date: Wed, 11 May 2011 22:43:40 -0400 (EDT)
From: Samuel Weiler <weiler@watson.org>
To: secdir@ietf.org, iesg@ietf.org, draft-ietf-sidr-roa-format.all@tools.ietf.org
Message-ID: <alpine.BSF.2.00.1105112216340.68173@fledge.watson.org>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Wed, 11 May 2011 22:43:41 -0400 (EDT)
Subject: [secdir] secdir review of draft-ietf-sidr-roa-format
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 May 2011 02:43:43 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Disclaimer: I'm active in the SIDR WG and have reviewed this draft 
before.

In the big picture, this draft is fine.  I have three little requests:

-- I would very much like to see an informational reference to the 
roa-validation draft (already approved for publication), which 
explains more about how ROAs should be interpreted.

-- I made a suggestion in WG last call that appears not to have been 
addressed by the editors.  That was: It might be worthwhile to repeat 
in section 3 (validation) [now section 4] the requirement from section 
7.2 [now 7.3] of the architecture draft that "...a relying party must 
fetch new ROAs from the repository system before taking any routing 
action in response to a ROA revocation."

-- The Address Family Identifier appears to come out of nowhere in 
section 3.3.  Another mention of RFC3779 is needed when the AFI is 
introduced.  (Previous versions of this draft (07 and earlier) at 
least told readers which of the allowed values corresponded to IPv4 
and IPv6, but even that has been taken out of this version.)