[secdir] secdir review of draft-ietf-sidr-roa-format

Samuel Weiler <weiler@watson.org> Thu, 12 May 2011 02:43 UTC

Date: Wed, 11 May 2011 22:43:40 -0400
From: Samuel Weiler <weiler@watson.org>
To: secdir@ietf.org, iesg@ietf.org, draft-ietf-sidr-roa-format.all@tools.ietf.org

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Disclaimer: I'm active in the SIDR WG and have reviewed this draft 
before.

In the big picture, this draft is fine.  I have three little requests:

-- I would very much like to see an informational reference to the 
roa-validation draft (already approved for publication), which 
explains more about how ROAs should be interpreted.

-- I made a suggestion in WG last call that appears not to have been 
addressed by the editors.  That was: It might be worthwhile to repeat 
in section 3 (validation) [now section 4] the requirement from section 
7.2 [now 7.3] of the architecture draft that "...a relying party must 
fetch new ROAs from the repository system before taking any routing 
action in response to a ROA revocation."

-- The Address Family Identifier appears to come out of nowhere in 
section 3.3.  Another mention of RFC3779 is needed when the AFI is 
introduced.  (Previous versions of this draft (07 and earlier) at 
least told readers which of the allowed values corresponded to IPv4 
and IPv6, but even that has been taken out of this version.)