[secdir] Secdir review of draft-ietf-sidr-bgpsec-ops-12

"Salz, Rich" <rsalz@akamai.com> Sun, 01 January 2017 19:29 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: "'secdir@ietf.org'" <secdir@ietf.org>, "'iesg@ietf.org'" <iesg@ietf.org>, "draft-ietf-sidr-bgpsec-ops@ietf.org" <draft-ietf-sidr-bgpsec-ops@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/dfY03FBfLKbMigMgtF1cR2JxiQQ>

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document is Ready.  I have a few purely editorial suggestions below. I also have a question which is perhaps out of scope for the review of this document, which is why I say ready as opposed to with nits or almost ready. The document explains that BGPsec is a new protocol that will be deployed over years.  Is there a plan or intent to update this document as the community gains experience?

The Introduction section is great with pointers to relevant documents. We need to do more of that kind of thing.  My nits follow, and all are optional, in the hopes of increasing clarity.

Section 1:
  BGPsec need be spoken only by an AS's eBGP speaking, AKA border, routers,
I suggest the following (if I got the meaning right); hyphenate and use or not AKA
   BGPsec need be spoken only by an AS's eBGP-speaking, or border,  routers,

Should section 2 be merged into section 1?  ROA should be spelled out when first used.

Section 4, "A large operator ... may accept"  Perhaps deploy, not accept?  I think the "On the other extreme" is redundant and could be removed.

Section 5 change the comma to a colon in the first sentence?  In "The operator should be aware..." change to "An" ?  Similarly in section 6, "Operators might need to ..."  Change to "An operator"?  This is part of having overall consistency about one/the/an operator reference.  A level of nit we don't ordinarily think about :)

Section 7, spell out iBGP at first use?

Section 9, perhaps add a sentence like: "This document outlines some of the operational issues defined there" or some such.

Section 11, are you thinking three parties or two?  If three, put the design group last; if two, put the two names in parens.

Thanks for writing this.