Telechat Review of draft-ietf-idr-bgp-gr-notification-15
review-ietf-idr-bgp-gr-notification-15-rtgdir-telechat-decraene-2018-04-13-00

Hello,

I have been selected as the Routing Directorate reviewer for this draft. The
Routing Directorate seeks to review all routing or routing-related drafts as
they pass through IETF last call and IESG review, and sometimes on special
request. The purpose of the review is to provide assistance to the Routing ADs.
For more information about the Routing Directorate, please see
​http://trac.tools.ietf.org/area/rtg/trac/wiki/RtgDir

Although these comments are primarily for the use of the Routing ADs, it would
be helpful if you could consider them along with any other IETF Last Call
comments that you receive, and strive to resolve them through discussion or by
updating the draft.

Document: draft-ietf-idr-bgp-gr-notification-15
Reviewer: Bruno Decraene
Review Date: 2018-04-13
IETF LC End Date: 2018-04-24
Intended Status: Standards Track

=====
Summary: No issues found. This document is ready for publication.

=====
Comments:

The document is very clear. I have particularly appreciated the high level
summary of the document in the introduction section. Thanks to the authors. The
security consideration section adequately consider the security impacts of this
specification. I had already reviewed the document twice (WGLC, AD review)
hence I really needed to push in order to find some comments. In this
nitpicking context, any comment is really up to the authors.

=====
Major Issues: No major issues found.

=====
Minor Issues:

I would not call these "minor issue", but it's beyond editorial so do not
qualify as "Nits". Please find below 2 comments, on the nitpicking far side.

"If the "N" bit has not been exchanged with the peer, then to
        deal with possible consecutive restarts, a route (from the peer)
        previously marked as stale MUST be deleted."
[...]
"To put an upper bound on the amount of time a router retains the
        stale routes, an implementation MUST support a (configurable)
        timer, called the "stale timer", that imposes this upper bound."

In order to fully respect the semantic, in case of consecutive restarts (with
partial route readvertisement), it seems that the stale timer would need to be
on a per route basis. I don't think that this is the intention of the authors
(nor that this is desirable). Altough this is a local consideration, hence not
affecting the peer, the "MUST" make this statement strong. Eventually, a text
could be added saying that the timer only needs to be on a per session basis.
e.g., :s/this upper bound/this upper bound on a per session basis.
----
"This specification doesn't change the basic security model inherent
   in [RFC4724], with the exception that the protection against repeated
   resets is relaxed. To mitigate the consequent risk that an attacker
   could use repeated session resets to prevent stale routes from ever
   being deleted, we make the stale routes timer mandatory (in practice
   it is already ubiquitous)."

FYI, I'm not completely sure to see why this document change (i.e. negatively
impacts) the security in case of repeated NOTIFICATION as I would assume that
if an attacker could sends such NOTIFICATION, it could already advertise the
routes that it wished were never deleted. Also this risk would be covered via
an adequate protection against illegitimate messages (e.g. crypto checksum,
GTSM for EBGP) However I do see an increased risk with regards to Hold Time
expiration which remains an attack vector even with the use of a crypto
checksum protection, by simply filtering some BGP packets. Especially in
deployments when the BGP session crosses a long distance or multiple links and
nodes (e.g. IBGP, layer 2 network within an IXP cf RFC 8327). May be I would
propose to raise this point or slightly rephrase on the Hold Time expiration
side, rater than the NOTIFICATION side.

=====
Nits:

§1.1
RFC 2119 has been updated by RFC 8174.
OLD:
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

NEW:
      The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
      NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
      "MAY", and "OPTIONAL" in this document are to be interpreted as
      described in BCP 14 [RFC2119] [RFC8174] when, and only when, they
      appear in all capitals, as shown here.


+ New ref to RFC8174
----
§2
"("N") is defined as the BGP Graceful Notification bit"
[...]
"its Graceful NOTIFICATION bit set (value 1)"

Nitpicking, naming is not consistent.

---
" This also implies support for the format for a BGP NOTIFICATION Cease message
defined in [RFC4486]."

I'm not completely sure to see what this sentence is exactly saying. I feel
that the sentence would benefit from beeing more specific. e.g. NEW:  This also
implies support for the new "Hard Reset" subcode of the BGP NOTIFICATION Cease
message, its new behavior and new encoding of the Data field.
----
§8
"the reference this document and [RFC4724]"

OLD:
       +--------------+------------------+------------+-----------+
       | Bit Position |       Name       | Short Name | Reference |
       +--------------+------------------+------------+-----------+
       |      0       | Forwarding State |     F      | [RFC4724] |
       |     1-7      |    unassigned    |            |           |
       +--------------+------------------+------------+-----------+

NEW:
       +--------------+------------------+------------+---------------+
       | Bit Position |       Name       | Short Name |   Reference   |
       +--------------+------------------+------------+---------------+
       |      0       | Forwarding State |     F      |   [RFC4724]   |
       |     1-7      |    unassigned    |            | This document |
       +--------------+------------------+------------+---------------+