Re: [secdir] Secdir last call review of draft-ietf-lsr-rfc8919bis-01
"Les Ginsberg (ginsberg)" <ginsberg@cisco.com> Fri, 05 May 2023 04:21 UTC
From: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>
To: Watson Ladd <watsonbladd@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-lsr-rfc8919bis.all@ietf.org" <draft-ietf-lsr-rfc8919bis.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "lsr@ietf.org" <lsr@ietf.org>
Date: Fri, 05 May 2023 04:20:51 +0000
Message-ID: <BY5PR11MB4337C5212E991898CF346DF1C1729@BY5PR11MB4337.namprd11.prod.outlook.com>
References: <168324234425.49931.17818635578625668688@ietfa.amsl.com>
In-Reply-To: <168324234425.49931.17818635578625668688@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/gZh6i-IjDnHJTzr77rC8_NROls8>

Watson -

Before responding to your comments, I point out that this is a bis of RFC 8919 - and it makes no changes to the protocol extensions defined in RFC 8919 - it only provides some clarifications so that readers/implementors are more likely to have a common understanding. The Security section is unchanged from RFC 8919. As it passed Security review at that time, there was no reason for the authors of the bis draft to think that any changes to the Security section would be required.

Still, you are looking at this with a fresh set of eyes - let's see what can be gleaned from your comments.

Inline...

> -----Original Message-----
> From: Watson Ladd via Datatracker <noreply@ietf.org>
> Sent: Thursday, May 4, 2023 4:19 PM
> To: secdir@ietf.org
> Cc: draft-ietf-lsr-rfc8919bis.all@ietf.org; last-call@ietf.org; lsr@ietf.org
> Subject: Secdir last call review of draft-ietf-lsr-rfc8919bis-01
>
> Reviewer: Watson Ladd
> Review result: Has Issues
>
> Dear all,
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> The summary of my review is Has Issues. While this document is a pretty
> concise and well written description of a problem and solution, the Security
> Considerations section is pretty perfunctory.
>
> In particular this document seems to assert that the new extensions can only
> be enabled when all routers support them, and not in a link-by-link manner.

[LES:] The extensions define a new way to advertise per-link attributes.

To guarantee that all nodes that utilize the link attribute information in a constrained SPF associated with a legacy application (RSVP-TE, SR Policy, and/or LFA) use the same set of link attribute information, it is necessary to utilize a form of advertisement that all nodes in the network supporting that application understand. If the new ASLA advertisements are sent in the presence of one or more legacy nodes, those nodes will not process the new ASLA advertisements - thereby introducing inconsistency with non-legacy nodes. That is why Section 6.3.3 specifies that legacy advertisements MUST be sent in the presence of legacy routers.

This isn't a security related matter - it is identifying a form of misconfiguration to be avoided. If an attacker were to introduce ASLA advertisements in the presence of legacy nodes, this would have no impact on legacy nodes as they would not process the ASLA advertisements. More on this below.

> If that's the case, then an attacker can enable the new advertisements on a
> router and cause problems, while the Security Considerations section seems to
> say this is only per application.
>

[LES:] If an attacker were to advertise new ASLA advertisements, this could affect the operation of nodes which support the protocol extensions. But as the new ASLA advertisements only apply to the application(s) specified in the Application Bit Mask (ABM) associated with those advertisements, the attacker's impact is limited to those applications. This is what the text in the Security section is stating.

> IS-IS is normally within an administrative domain, which does minimize many
> of the impacts, but the impact of an attacker having access isn't completely
> solved by authentication, particularly if messages can have effect at large
> distances.

[LES:] The Security section in RFC 8570 speaks to the issue - specifically man-in-the-middle attacks - which is why we reference the RFC 8570 Security section. I do not see that anything needs to be added.

>
> I think the security considerations section needs some revision in light of this,
> either clarifying that IS-IS must be used within a domain, or more attention
> paid to thinking about what could go wrong.

[LES:] At this point I do not know what to add as I believe the Security issues you raise have been addressed by the existing text. Perhaps you could be more specific as to what you believe is required?

   Les

>
> Sincerely,
> Watson Ladd
>
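The behaviour Les describes in the reply above (a legacy node never processes ASLA sub-TLVs, while an ASLA-capable node applies an ASLA advertisement only to the applications set in its Application Identifier Bit Mask), as an added model that is not part of this thread, the draft, RFC 8919 or any router implementation. The assumptions are mine: the ABM layout (L-flag plus 7-bit SABM length in the first octet, 7-bit UDABM length in the second, SABM bits 0/1/2 = RSVP-TE / SR Policy / LFA), the link attribute sub-sub-TLV codepoints 18 (TE Default Metric, 3 octets) and 3 (Administrative Group, 4 octets) reused from TLV 22, the constructed legacy attribute set and the constructed "injected" ASLA bytes all follow my reading of RFC 8919 and RFC 5305; precedence between overlapping ASLA advertisements is simplified to "later wins" and is a modelling shortcut, not the RFC's rule.

```python
"""Model of per-application link attribute selection with RFC 8919 ASLA sub-TLVs.

Added illustration for the secdir thread on draft-ietf-lsr-rfc8919bis; not code
from the draft, RFC 8919 or any router.  Wire layout and codepoints below are
the author's reading of RFC 8919 Section 4.2 and RFC 5305 (assumptions).
"""
from dataclasses import dataclass

# Standard Application Identifier Bit Mask: bit 0 is the MSB of the first octet.
SABM_BITS = {0: "RSVP-TE", 1: "SR-Policy", 2: "LFA"}
APPS = ("RSVP-TE", "SR-Policy", "LFA")

# Sub-sub-TLV codepoints reused from TLV 22 (RFC 5305): assumption, see lead-in.
TE_DEFAULT_METRIC = 18   # 3-octet value
ADMIN_GROUP = 3          # 4-octet value


@dataclass(frozen=True)
class Asla:
    legacy_flag: bool    # L-flag: named applications use the legacy advertisements
    apps: frozenset      # empty mask => advertisement applies to all applications
    attrs: dict          # link attributes carried in this ASLA


def parse_abm(data: bytes):
    """Parse the Application Identifier Bit Mask; return (L-flag, apps, rest)."""
    if len(data) < 2:
        raise ValueError("ABM header truncated")
    l_flag = bool(data[0] & 0x80)
    sabm_len = data[0] & 0x7F
    udabm_len = data[1] & 0x7F
    if sabm_len not in (0, 4, 8) or udabm_len not in (0, 4, 8):
        raise ValueError("bit mask length must be 0, 4 or 8")
    end = 2 + sabm_len + udabm_len
    if len(data) < end:
        raise ValueError("bit mask truncated")
    sabm = data[2:2 + sabm_len]
    apps = set()
    for bit, name in SABM_BITS.items():
        octet, shift = divmod(bit, 8)
        if octet < len(sabm) and sabm[octet] & (0x80 >> shift):
            apps.add(name)
    return l_flag, frozenset(apps), data[end:]


def parse_asla_value(value: bytes) -> Asla:
    """Parse the value of one ASLA sub-TLV: ABM followed by link attribute sub-sub-TLVs."""
    l_flag, apps, rest = parse_abm(value)
    attrs = {}
    while rest:
        if len(rest) < 2 or len(rest) < 2 + rest[1]:
            raise ValueError("sub-sub-TLV truncated")
        t, n, v = rest[0], rest[1], rest[2:2 + rest[1]]
        if t == TE_DEFAULT_METRIC and n == 3:
            attrs["te_metric"] = int.from_bytes(v, "big")
        elif t == ADMIN_GROUP and n == 4:
            attrs["admin_group"] = int.from_bytes(v, "big")
        else:
            attrs[f"type{t}"] = v          # unknown attribute: keep the raw value
        rest = rest[2 + n:]
    return Asla(l_flag, apps, attrs)


def effective_attrs(legacy_attrs: dict, aslas, asla_capable: bool) -> dict:
    """Per-application attribute view of one link as seen on one node.

    A legacy node ignores ASLA sub-TLVs entirely, so every application sees the
    legacy values.  An ASLA-capable node replaces the values only for the
    applications named in each ASLA's bit mask (empty mask = all applications);
    an ASLA with the L-flag set sends those applications back to the legacy values.
    Overlapping ASLAs: later wins (simplification, not the RFC's precedence rule).
    """
    view = {app: dict(legacy_attrs) for app in APPS}
    if not asla_capable:
        return view
    for a in aslas:
        for app in (a.apps or APPS):
            view[app] = dict(legacy_attrs) if a.legacy_flag else dict(a.attrs)
    return view


def divergence(legacy_attrs: dict, aslas) -> tuple:
    """Applications for which legacy and ASLA-capable nodes disagree on the attributes."""
    old = effective_attrs(legacy_attrs, aslas, asla_capable=False)
    new = effective_attrs(legacy_attrs, aslas, asla_capable=True)
    return tuple(app for app in APPS if old[app] != new[app])


# Constructed sample: the link's legacy sub-TLVs advertise TE metric 10, admin group 1.
LEGACY_ATTRS = {"te_metric": 10, "admin_group": 0x1}

# Constructed ASLA value as an attacker could inject it: L=0, SABM length 4,
# UDABM length 0, S-bit (SR Policy) set, TE Default Metric sub-sub-TLV = 1000.
INJECTED_ASLA = bytes([0x04, 0x00, 0x40, 0x00, 0x00, 0x00, 18, 3, 0x00, 0x03, 0xE8])


def demo() -> dict:
    asla = parse_asla_value(INJECTED_ASLA)
    return {
        "legacy_node": effective_attrs(LEGACY_ATTRS, [asla], asla_capable=False),
        "asla_node": effective_attrs(LEGACY_ATTRS, [asla], asla_capable=True),
        "diverging_apps": divergence(LEGACY_ATTRS, [asla]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the two claims side by side: the legacy node's view is untouched for every application, and the ASLA-capable node's view changes only for SR Policy, the one application whose bit is set in the injected mask. The non-empty divergence for SR Policy is the legacy/non-legacy inconsistency that Section 6.3.3 is meant to rule out by requiring legacy advertisements while legacy routers are present.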