[secdir] SECDIR review of draft-hui-6man-rpl-routing-header
Chris Lonvick <clonvick@cisco.com> Wed, 02 November 2011 23:16 UTC
Return-Path: <clonvick@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E0C21F0C6A; Wed, 2 Nov 2011 16:16:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2g9G2OvwbsJL; Wed, 2 Nov 2011 16:16:12 -0700 (PDT)
Received: from mtv-iport-2.cisco.com (mtv-iport-2.cisco.com [173.36.130.13]) by ietfa.amsl.com (Postfix) with ESMTP id 99EB91F0C36; Wed, 2 Nov 2011 16:16:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=clonvick@cisco.com; l=1614; q=dns/txt; s=iport; t=1320275772; x=1321485372; h=date:from:to:subject:message-id:mime-version; bh=ckByEDOLEu30wGw8MswMzNE8bG+ZOPQmEJoVUWZLsBE=; b=Rpnk/Ts1o2mHw2CI1lvqmBMynJhe/trjAL/lic21u9yrWKfXkJa5Dafn FTvLSvlzOC7g2Tjvht16x5v8R8k1GJdr3k72+t+F2mM1dPsHm3EPMDJLW McQB6g9EqqMYPpey35xPQtCY+QcgJdXSAj/Eu5r0bZxpSqg/JTLd9r/je c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AsAFAB7PsU6rRDoI/2dsb2JhbABEmjsBjzuBBYILASUCgX40nh8BnnyJEASIB54S
X-IronPort-AV: E=Sophos;i="4.69,446,1315180800"; d="scan'208";a="12015600"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by mtv-iport-2.cisco.com with ESMTP; 02 Nov 2011 23:16:12 +0000
Received: from sjc-cde-021.cisco.com (sjc-cde-021.cisco.com [171.69.20.56]) by mtv-core-3.cisco.com (8.14.3/8.14.3) with ESMTP id pA2NGCJm006997; Wed, 2 Nov 2011 23:16:12 GMT
Date: Wed, 02 Nov 2011 16:16:12 -0700
From: Chris Lonvick <clonvick@cisco.com>
To: iesg@ietf.org, secdir@ietf.org, draft-hui-6man-rpl-routing-header.all@tools.ietf.org
Message-ID: <Pine.GSO.4.63.1111021538130.13427@sjc-cde-021.cisco.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Subject: [secdir] SECDIR review of draft-hui-6man-rpl-routing-header
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 23:16:13 -0000
Hi, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. I havn't seen source routing in a long time so I had to wrap my head around that again. I tried working through some examples on how this would work for verious network conditions, but gave up before my head started hurting. :) Overall, it looks like the security concerns are addressed in the document. I do have some minor nits that the authors may wish to discuss. 1. I don't think that the following sentence in Section 6.1 is needed: "Furthermore, it is RECOMMENDED that non-RPL routers and firewalls drop packets with a SRH by default." That is already discussed in RFC 5095. Having it here is therefore redundant. 2. I'm not sure that I am correctly following all of your pseudocode in Section 4.2. In most places it looks like separate instructions within curly braces are separated by blank lines. From that, I'm not sure of what is meant by a semicolon in the following: else { decrement Segments Left by 1; compute i, the index of the next address to be visited in the address vector, by subtracting Segments Left from n if Address[i] or the IPv6 Destination Address is multicast { discard the packet } Hope this helps, Chris
- [secdir] SECDIR review of draft-hui-6man-rpl-rout… Chris Lonvick
- Re: [secdir] SECDIR review of draft-hui-6man-rpl-… David Culler