[secdir] Review of draft-ietf-sidr-roa-validation-10

Shawn Emery <shawn.emery@oracle.com> Mon, 25 April 2011 06:00 UTC

Message-ID: <4DB50DDC.4010207@oracle.com>
Date: Sun, 24 Apr 2011 23:59:56 -0600
From: Shawn Emery <shawn.emery@oracle.com>
To: secdir@ietf.org
Cc: draft-ietf-sidr-roa-validation.all@tools.ietf.org, iesg@ietf.org
Subject: [secdir] Review of draft-ietf-sidr-roa-validation-10

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the security 
area directors. Document editors and WG chairs should treat these 
comments just like any other last call comments.

This informational draft describes how a Route Origin Authorization 
(ROA) is interpreted in respect to a consumer of the Resource Public Key 
Infrastructure (RPKI).  This interpretation is used in turn to validate 
the origination of routes advertised by the Border Gateway Protocol.

The security considerations section does exist and gives guidance on 
various validation implications in regard to prefix lengths, issuance 
sequence, and aggregation.  After reading draft-ietf-sidr-arch, 
draft-ietf-sidr-pfx-validate, et al., I didn't find any additional 

General comments:


Editorial comments:
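The origin validation the draft describes (does a ROA cover the announced prefix, is the announced prefix length within the ROA's maxLength, does the origin AS match), as an added illustration that is not part of this review or of the draft's own text. The ROAs and routes below are constructed sample data using documentation prefixes and private ASNs; the outcome labels "valid", "invalid" and "not-found", and the treatment of an AS 0 ROA as never matching any origin, follow my reading of the SIDR validation drafts and are assumptions, not quoted from them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, optional maxLength, origin ASN.
    A missing maxLength means the prefix may only be announced exactly."""
    prefix: str
    asn: int
    max_length: Optional[int] = None

    def net(self):
        return ipaddress.ip_network(self.prefix, strict=True)

    def effective_max_length(self) -> int:
        return self.max_length if self.max_length is not None else self.net().prefixlen

def covers(roa: ROA, route) -> bool:
    """A ROA covers a route when the route prefix lies within the ROA prefix
    (same address family; subnet_of raises on a family mismatch)."""
    roa_net = roa.net()
    if roa_net.version != route.version:
        return False
    return route.subnet_of(roa_net)

def validate_origin(prefix: str, origin_asn: int, roas) -> str:
    """Classify a BGP announcement (prefix, origin AS) against a ROA set.
    not-found: no ROA covers the prefix.
    valid:     some covering ROA names the origin AS and allows this length.
    invalid:   covered, but no ROA matches on AS and length.
    Assumption: an AS 0 ROA only disavows, so it never yields 'valid'."""
    route = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "not-found"
    for r in covering:
        if r.asn == 0:
            continue
        if r.asn == origin_asn and route.prefixlen <= r.effective_max_length():
            return "valid"
    return "invalid"

def loose_maxlength_roas(roas):
    """Flag ROAs whose maxLength is far longer than the prefix: any AS that the
    ROA names may then announce many more-specifics, which is the prefix-length
    caveat a reviewer would raise. Threshold is a constructed example value."""
    return [r for r in roas if r.effective_max_length() - r.net().prefixlen > 4]

# Constructed sample ROA set (documentation prefixes, private ASNs).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 64496, 24),          # exact announcement only
    ROA("198.51.100.0/22", 64497, 24),       # /22 down to /24 permitted
    ROA("203.0.113.0/24", 0),                # AS 0: disavow any origin
    ROA("2001:db8::/32", 64496, 48),         # IPv6, /32 down to /48
]

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                     ("198.51.100.0/23", 64497), ("203.0.113.0/24", 64498),
                     ("2001:db8:1::/48", 64496), ("100.64.0.0/10", 64496)]:
        print(pfx, asn, validate_origin(pfx, asn, SAMPLE_ROAS))
```

The second function is the check a reviewer of the prefix-length guidance would want next to the validator: a ROA with a generous maxLength is still "valid" for the named AS, but it widens what that single ROA authorizes.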