[secdir] Review of draft-ietf-karp-ospf-analysis-05

Shawn Emery <shawn.emery@oracle.com> Sun, 18 November 2012 21:26 UTC

To: secdir@ietf.org
Cc: iesg@ietf.org, draft-ietf-karp-ospf-analysis.all@tools.ietf.org

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the security 
area directors. Document editors and WG chairs should treat these 
comments just like any other last call comments.

This informational draft describes security issues associated with 
manual keying in OSPF.  The draft then provides guidance to counter 
these security threats.

The security considerations section does exist and reiterates what is 
discussed in the main document, given that this is essentially a 
security draft.  The security points discussed deal with replay, 
protecting routing data, and DoS attacks.  For the former two the draft 
suggests the use of digital signatures as described in RFC2154.  In 
regards to the latter, the draft proposes a solution utilizing RFC5082.
I believe the guidance given does not yield any security concerns and
would be an improvement over the existing OSPF protocol.

General comments:
Editorial comments:

s/RFC 2154 [RFC2154] provides/[RFC 2154] provides/