[secdir] Secdir review of draft-ietf-grow-unique-origin-as-00

Alexey Melnikov <alexey.melnikov@isode.com> Fri, 22 April 2011 10:51 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: secdir@ietfc.amsl.com
Delivered-To: secdir@ietfc.amsl.com
Received: from localhost (localhost []) by ietfc.amsl.com (Postfix) with ESMTP id B43F3E06B6; Fri, 22 Apr 2011 03:51:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.556
X-Spam-Status: No, score=-102.556 tagged_above=-999 required=5 tests=[AWL=0.043, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfc.amsl.com []) (amavisd-new, port 10024) with ESMTP id V3yJ4q3tRw2R; Fri, 22 Apr 2011 03:51:38 -0700 (PDT)
Received: from rufus.isode.com (rufus.isode.com []) by ietfc.amsl.com (Postfix) with ESMTP id A4A6DE068B; Fri, 22 Apr 2011 03:51:38 -0700 (PDT)
Received: from [] ( []) by rufus.isode.com (submission channel) via TCP with ESMTPA id <TbFdXwBK4ySj@rufus.isode.com>; Fri, 22 Apr 2011 11:50:08 +0100
Message-ID: <4DB15D51.7070800@isode.com>
Date: Fri, 22 Apr 2011 11:49:53 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915
X-Accept-Language: en-us, en
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-grow-unique-origin-as.all@tools.ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: [secdir] Secdir review of draft-ietf-grow-unique-origin-as-00
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Apr 2011 10:51:39 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This draft makes recommendations regarding the use of per-node unique
origin ASNs for globally anycasted critical infrastructure services in order
to provide routing system discriminators for a given anycasted prefix.
Network management and monitoring techniques, or other operational
mechanisms can benefit from use of these new discriminators.

Routing security is outside of my field of expertise, but I think the 
made a compelling argument why use of per-node unique origin ASNs
(as opposed to one ASN for all anycast nodes) improves the ability to detect
rogue anycast nodes (assuming all nodes use unique ASNs). The proposed
mechanism also better co-exists with SIDR, which is an extra plus.

So overall I think the document is in a good shape and the Security
Considerations section seems adequate.

Best Regards,

Internet Messaging Team Lead, <http://www.isode.com>
JID: same as my email address
twitter: aamelnikov