[sfc] Secdir last call review of draft-ietf-sfc-nsh-integrity-04
Steve Hanna via Datatracker <noreply@ietf.org> Sun, 14 March 2021 20:22 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: sfc@ietf.org
Delivered-To: sfc@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 27D333A1488; Sun, 14 Mar 2021 13:22:21 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Steve Hanna via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: draft-ietf-sfc-nsh-integrity.all@ietf.org, last-call@ietf.org, sfc@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.27.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <161575334102.7815.17455725704291920094@ietfa.amsl.com>
Reply-To: Steve Hanna <steve@hannas.com>
Date: Sun, 14 Mar 2021 13:22:21 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/5N3MIx9Hy6eb0qidnlrLBc770kY>
Subject: [sfc] Secdir last call review of draft-ietf-sfc-nsh-integrity-04
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Mar 2021 20:22:21 -0000
Reviewer: Steve Hanna Review result: Ready I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document adds integrity and optional encryption of sensitive metadata directly to the Network Service Header (NSH) protocol defined in RFC 8300, thus reducing or eliminating several attack vectors against Service Function Chaining (SFC). The document is well written and seems adequate for the goals articulated here and elsewhere in the SFC document suite. All of the issues, questions, and nits that I raised in my earlier secdir review (https://datatracker.ietf.org/doc/review-ietf-sfc-nsh-integrity-01-secdir-early-hanna-2020-12-24) have been well addressed in draft-ietf-sfc-nsh-integrity-04. From my perspective (as a security expert who has not previously worked with SFC), this latest version of that document seems to address all relevant security issues in an appropriate manner. I have no remaining concerns regarding this document and support its approval.
- [sfc] Secdir last call review of draft-ietf-sfc-n… Steve Hanna via Datatracker
- Re: [sfc] [Last-Call] Secdir last call review of … Joel M. Halpern