[secdir] secdir review of draft-ietf-mpls-mna-requirements-13

Dan Harkins <dharkins@lounge.org> Thu, 02 May 2024 16:52 UTC

Date: Thu, 02 May 2024 09:52:36 -0700
From: Dan Harkins <dharkins@lounge.org>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-mpls-mna-requirements.all@ietf.org
Message-id: <c4fcf267-c222-4a3f-9015-1443d66a2c1a@lounge.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/bNA9hm6TFCSZVql8UO5T498a3Mg>


   I have reviewed draft-ietf-mpls-mna-requirements-13 as part of
the security directorate's ongoing effort to review all IETF documents
being processed by the IESG. These comments were written primarily
for the benefit of the security area directors. Document editors and
WG chairs should treat these comments just like any other last call

   The summary of the review is "Ready with Issues". I wanted to
say Not Ready since my issue seems important to me but others
may not see it that way. ADs, take a look.

   The document specifies requirements for solutions to use cases that
specify new operations on MPLS packets. All of the requirements
seem correct (with the possible exception of one which I'll get to)
given my general ignorance of MPLS but my issue is that these
operations are called "Network Actions", which make sense, good
name, but the actions to be performed are indicated by
"Network Action Indicators (NAIs)". These NAIs are to be encoded
according to RFC 3031, which is the MPLS Architecture document.
RFC 3031 does not specify an encoding of a thing called an NAI.
Unfortunately, RFC 4282 does. It defines a "Network Access
Identifier" which is technically different than a "Network Action
Indicator" but I think the naming in this draft unfortunately needs
to be changed. IESG members who make the decision may disagree
but I find it confusing to see acronyms redefined like this and
unfortunately RFC 4282 was there first.

   The requirement I had a problem with was 38: "NAIs MUST be
allocated through the IANA process specified in the MNA solution
specification." If you're going to define some thing in a draft
(even if you give it a new name) and require IANA to allocate them
then you should create a registry for these things. Making
the solution documents allocate their own registries for these
things seems wrong, IMHO.

   Also, requirement 28 says, "Pint-to-Point (P2P)"-- cheers!--
should be "Point-to-Point (P2P)".



"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius