Security Extension for OSPFv2 When Using Manual Key Management
draft-ietf-ospf-security-extension-manual-keying-11

Note: This ballot was opened for revision 10 and is now closed.

(Alia Atlas) Yes

(Adrian Farrel) Yes

Comment (2014-10-28 for -10)
Thanks for this work. I am happy to ballot Yes, but have a couple of 
minor points I think would benefit the document.

---

It would be good to add a very short note on backward compatibility.  I
don't find anything in 2328, but I assume that a legacy implementation
receiving an unknown AuType is supposed to fail authentication.  Could
you state this with the appropriate reference?

---

The Abstract needs to be updated as:
s/draft/document/
s/proposes/defines/

---

Section 1 para 1
s/propose/define/

---

Section 1 final para

s/proposes/defines/

---

Section 1.2. The RFC Editor will move this section to be consistent 
with their editorial guidelines.

---

I think it is a mistake to quote the whole OSPF header in Figure 1.
This opens up questions of editorial mismatches and future changes etc.
It would be better to model this on Appendix D of RFC 2328.

Additionally, it may be better to name the packet-trailing field as
"Extended Authentication Data" to avoid confusion with the field in the
generic packet header shown in RFC 2328 and called "Authentication".

(Jari Arkko) (was Discuss) No Objection

(Richard Barnes) No Objection

(Benoît Claise) No Objection

Alissa Cooper No Objection

Comment (2014-10-28 for -10)
= Section 3 =
s/This section of this/This section/

(Spencer Dawkins) No Objection

(Stephen Farrell) No Objection

(Brian Haberman) No Objection

Comment (2014-10-28 for -10)
I support the publication of this document, but agree with Adrian's suggestion to include some discussion on backwards compatibility.

(Joel Jaeggli) No Objection

Comment (2014-10-30 for -10)
   If the non-volatile storage is ever repaired
   or upgraded such that the contents are lost or the OSPFv2 router is
   replaced, the authentication keys MUST be changed to prevent replay
   attacks.

or if you ever replace the router...

Part of the reason manual keying is used is that changing the authentication is quite hard, particularly in cases where there are multiple neighbors on the same subnet.

Barry Leiba No Objection

Comment (2014-10-28 for -10)
It seems that this document should be marked as "updates 5709", but it isn't.  Why not?

(Ted Lemon) No Objection

(Kathleen Moriarty) No Objection

(Pete Resnick) No Objection

(Martin Stiemerling) No Objection