[secdir] secdir review of draft-ietf-sidr-origin-ops-22
Tom Yu <tlyu@MIT.EDU> Tue, 19 November 2013 03:51 UTC
Return-Path: <tlyu@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30F451AEC8D; Mon, 18 Nov 2013 19:51:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.126
X-Spam-Level:
X-Spam-Status: No, score=-3.126 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.525, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gX25IXKUJMwk; Mon, 18 Nov 2013 19:51:37 -0800 (PST)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) by ietfa.amsl.com (Postfix) with ESMTP id 7A5B61AEC8A; Mon, 18 Nov 2013 19:51:36 -0800 (PST)
X-AuditID: 12074422-b7f9d6d000000bc0-8b-528ae0421928
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id 46.8A.03008.240EA825; Mon, 18 Nov 2013 22:51:30 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id rAJ3pTWS013969; Mon, 18 Nov 2013 22:51:30 -0500
Received: from cathode-dark-space.mit.edu (cathode-dark-space.mit.edu [18.18.1.96]) (authenticated bits=56) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id rAJ3pR5Q002933 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 18 Nov 2013 22:51:28 -0500
Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9.20060308) id rAJ3pQ1Q007674; Mon, 18 Nov 2013 22:51:26 -0500 (EST)
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-sidr-origin-ops.all@tools.ietf.org
From: Tom Yu <tlyu@MIT.EDU>
Date: Mon, 18 Nov 2013 22:51:26 -0500
Message-ID: <ldv7gc53v7l.fsf@cathode-dark-space.mit.edu>
Lines: 22
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrLIsWRmVeSWpSXmKPExsUixG6nruv0oCvI4NFNSYtLc9ktZvyZyGzx YeFDFgdmjyVLfjJ5fLn8mS2AKYrLJiU1J7MstUjfLoErY+3b12wFH9gq/lxextjAeIm1i5GT Q0LARGLH/GfsELaYxIV769m6GLk4hARmM0ncnPKHEcLZyCjx8M9dKOcck8T5aeuYIJwuRom2 tTdZQPpFBKIkLk1ZDjZXWMBc4vq/o0CzODjYBKQlji4uAwmzCKhK7N90kwnE5hWwkHiwZSaY zSPAKdF7eCorRFxQ4uTMJ2AjmQW0JG78e8k0gZFvFpLULCSpBYxMqxhlU3KrdHMTM3OKU5N1 i5MT8/JSi3RN9XIzS/RSU0o3MYJDzUVpB+PPg0qHGAU4GJV4eCe4dwUJsSaWFVfmHmKU5GBS EuWNuwMU4kvKT6nMSCzOiC8qzUktPsQowcGsJMIreQUox5uSWFmVWpQPk5LmYFES573FYR8k JJCeWJKanZpakFoEk5Xh4FCS4DW9D9QoWJSanlqRlplTgpBm4uAEGc4DNPzqPZDhxQWJucWZ 6RD5U4yKUuK8C0ASAiCJjNI8uF5YKnjFKA70ijDvS5AqHmAaget+BTSYCWjw8edtIINLEhFS Ug2MLAnqCTFvbr34PrF4+6bou5XvOjcySPLM0Zt686wF74mlcZ6FL4/OurPkaeW2zndHw98f uPSBvWvxo9Umgh9WaUj7aF6buGFN3D3TJy8ePe5Ty/nmLrN1+s1j99XYp+jO/mGet74tTX3h B5XLzfY7s+d4BjrvDJwi9+ZWetGWIOX7Xz856794ukSJpTgj0VCLuag4EQCeih5H4AIAAA==
Subject: [secdir] secdir review of draft-ietf-sidr-origin-ops-22
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2013 03:51:38 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Summary: Ready with nits. The Security Considerations section appears to accurately document the significant limitations of Route Origin Authorizations. There should probably be an example of the sort of privilege escalation attacks that can result from incautious Local-Preference attributes. Editorial: In Section 4, "along with it's traffic engineering characteristic(s)", change "it's" to "its". Section 5 mentions a block 10.0.666.0/24, which is somewhat distracting because that is not a valid IPv4 address block.