[secdir] Review of draft-ietf-opsec-lla-only-07

Chris Inacio <inacio@cert.org> Tue, 01 April 2014 13:58 UTC

Return-Path: <inacio@cert.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 5703C1A06BE for <secdir@ietfa.amsl.com>; Tue, 1 Apr 2014 06:58:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id W5Iyuc0zoDYO for <secdir@ietfa.amsl.com>; Tue, 1 Apr 2014 06:58:21 -0700 (PDT)
Received: from plainfield.sei.cmu.edu (plainfield.sei.cmu.edu []) by ietfa.amsl.com (Postfix) with ESMTP id 97E411A06D7 for <secdir@ietf.org>; Tue, 1 Apr 2014 06:58:20 -0700 (PDT)
Received: from timber.sei.cmu.edu (timber.sei.cmu.edu []) by plainfield.sei.cmu.edu (8.14.4/8.14.4/1408) with ESMTP id s31DwGmX010195; Tue, 1 Apr 2014 09:58:16 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cert.org; s=jthatj15xw2j; t=1396360696; bh=jI9MdPxyPeibz9LTqzWs5Y9+WGD6SpAyqqd8Q8FtHYE=; h=From:To:CC:Subject:Date:Message-ID:Content-Type:Content-ID: Content-Transfer-Encoding:MIME-Version:Sender:Reply-To:In-Reply-To: References; b=edktW5SVPwv6UMV56ulZaKCzRXm++X4TRb3lCpdgU+yuqBx5REndIv0/OkPxszQe8 wfGPp9OA9xYkLSxxsZFRhr9YfSOXMmJZ8dQRQkYs27u53cf4JDt31kc5MyGOQeQD0P bNlouDXychmparGxdFqnqYu1InS4ll5Et316huWo=
Received: from CASCADE.ad.sei.cmu.edu (cascade.ad.sei.cmu.edu []) by timber.sei.cmu.edu (8.14.4/8.14.4/1456) with ESMTP id s31DwAAM012466; Tue, 1 Apr 2014 09:58:10 -0400
Received: from MARATHON.ad.sei.cmu.edu ([]) by CASCADE.ad.sei.cmu.edu ([]) with mapi id 14.02.0347.000; Tue, 1 Apr 2014 09:58:10 -0400
From: Chris Inacio <inacio@cert.org>
To: "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: Review of draft-ietf-opsec-lla-only-07
Thread-Index: AQHPTbJqVu4ROaamH0mX27NRO+xyPA==
Date: Tue, 01 Apr 2014 13:58:10 +0000
Message-ID: <58AECC65-6DAF-4CA7-AA3D-5750218118F2@cert.org>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <C0DC33FE20D388458EE2DFA7EDD24A50@sei.cmu.edu>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/cLMzmw4OgUyAOnuOEwSfkqq8l10
Cc: "draft-ietf-opsec-lla-only-07@tools.ietf.org" <draft-ietf-opsec-lla-only-07@tools.ietf.org>
Subject: [secdir] Review of draft-ietf-opsec-lla-only-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Apr 2014 13:58:22 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Overall impression is that this is a well written draft, and I didn’t particularly notice any editorial comments, although I wasn’t focused on that.

The entire draft is dedicated to an informational router configuration that encourages using link local addressing on the non-public facing router interfaces.  The draft, as a whole does a good job describing and referencing previous work on configuration and mitigation  strategies to encourage a more secure configuration.

My only feedback is that the Security Considerations section might also include a sentence referencing all of the other RFC’s and guidance previously mentioned in the document:

	For additional security considerations, as previously stated, see also:  [RFC5837], [I-D.ietf-opsec-bgp-security].

and possible a statement saying that all other previous recommendations for control plane security, etc.

I do understand if this recommendation is not acted upon, it is difficult to summarize an entire document which is about configuration for security into a single concise paragraph at the end of the document.

Chris Inacio