Last Call Review of draft-ietf-grow-bmp-adj-rib-out-06
review-ietf-grow-bmp-adj-rib-out-06-secdir-lc-meadows-2019-08-02-00

Request: Review of draft-ietf-grow-bmp-adj-rib-out
Requested rev.: no specific revision (document currently at 07)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2019-06-25
Requested: 2019-06-11
Draft last updated: 2019-08-02
Completed reviews:
Rtgdir Last Call review of -05 by Acee Lindem
Genart Last Call review of -05 by Linda Dunbar
Secdir Last Call review of -06 by Catherine Meadows

Assignment
Reviewer: Catherine Meadows
State: Completed
Review: review-ietf-grow-bmp-adj-rib-out-06-secdir-lc-meadows-2019-08-02
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/EfDiEUc_IH2xTc2-rZX02DKuTU0
Reviewed rev.: 06 (document currently at 07)
Review result: Not Ready
Review completed: 2019-08-02

Review

This draft describes a modification of the BGP Monitoring Protocol to allow it access to the Adj-RIB-Out Routing Information Bases. It already has access to the Adj-RIB-In. According to RFC4271 these are defined as follows: "The Adj-RIBs-In contains unprocessed routing information that has been advertised to the local BGP speaker by its peers" and "The Adj-RIBs-Out contains the routes for advertisement to specific peers by means of the local speaker’s UPDATE messages." The procedure by which BMP sends Adj-RIBS-Out is similar to that by which it sends Adj-RIBS-In.

The Security Considerations Section consists of the following statement:

It is not believed that this document adds any additional security considerations.

This is not enough. First, you need to say additional security considerations beyond what. This can best be done by referencing one or more RFCs. In this case it would be RFC 7854, and perhaps RFC 4271, e.g.:

This document does not add any additional security considerations beyond those already covered in RFC 7854.

Secondly, you need to say why it doesn’t introduce any new security considerations. In both Adj-RIBS-In and Out cases the information sent is routing information. Would there be any new security considerations involved in sharing routing information sent in UPDATE messages vs. advertisements? If not, why not?