[secdir] Secdir last call review of draft-ietf-lsr-isis-rfc7810bis-03

Roman Danyliw <rdd@cert.org> Tue, 11 December 2018 02:55 UTC

From: Roman Danyliw <rdd@cert.org>
To: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-lsr-isis-rfc7810bis@ietf.org" <draft-ietf-lsr-isis-rfc7810bis@ietf.org>
Date: Tue, 11 Dec 2018 02:55:17 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC0184C5E4B7@marathon>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/loDhkfTqDlCebzj1gsBp7iY0QGs>
Subject: [secdir] Secdir last call review of draft-ietf-lsr-isis-rfc7810bis-03

Document: draft-ietf-lsr-isis-rfc7810bis-03
Reviewer: Roman Danyliw
Review result: Has Nits

I reviewed this document as part of the Security Directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the Security Area Directors.  Document authors, document editors, and WG chairs should treat these comments just like any other IETF Last Call comments.

As the shepherd write-up [1] and Appendix A of this draft indicate, the text in this document is nearly identical to RFC7801 beyond changes made to Section 4.  Nothing new was added to this bis draft beyond addressing errata.

The minor editorial nits from this review are:

(1) This draft doesn't register anything new.  Section 2 opens with "[t]his document registers new IS-IS TE sub-TLVs ...".  Technically, the RFC7801 already registered them.  Perhaps "This document describes IS-IS TE sub-TLVs that can be ..."

(2) Per Section 11, consider s/man-in-the-middle/on-path-attacker/ per [2].

Though not deemed a nit that should be addressed here, this draft does base some of its security properties on RFC5304/HMAC-MD5.

[1] https://datatracker.ietf.org/doc/draft-ietf-lsr-isis-rfc7810bis/shepherdwriteup/
[2] https://www.ietf.org/mail-archive/web/ietf/current/msg109350.html