Skip to main content

Last Call Review of draft-ietf-isis-sbfd-discriminator-02

Request Review of draft-ietf-isis-sbfd-discriminator
Requested revision No specific revision (document currently at 02)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2015-11-16
Requested 2015-11-05
Authors Les Ginsberg , Nobo Akiya , Mach Chen
Draft last updated 2015-11-19
Completed reviews Secdir Last Call review of -02 by Taylor Yu
Opsdir Last Call review of -02 by Menachem Dodge
Opsdir Last Call review of -02 by Nevil Brownlee
Assignment Reviewer Taylor Yu
State Completed
Review review-ietf-isis-sbfd-discriminator-02-secdir-lc-yu-2015-11-19
Reviewed revision 02
Result Has Nits
Completed 2015-11-19
I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

Summary: ready with nits

I agree with the first paragraph of the Security Considerations, in that
I think it's unlikely that this document introduces security risks for
IS-IS, which as I understand it, effectively transports the proposed
S-BFD discriminators as an uninterpreted opaque payload.

The second paragraph

   Advertisement of the S-BFD discriminators does make it possible for
   attackers to initiate S-BFD sessions using the advertised
   information.  The vulnerabilities this poses and how to mitigate them
   are discussed in the Security Considerations section of [S-BFD].

refers to the Security Considerations of the [S-BFD] base document.  The
[S-BFD] Security Considerations describe some strengthening practices,
but doesn't seem to describe the vulnerabilities in significant detail.
[S-BFD] Security Considerations seems to describe an attack where
someone impersonates the responder, but not one where someone
impersonates an initiator.

Other sections of [S-BFD] might imply the existence of this sort of
vulnerability, but the Security considerations seems not to mention it
explicitly.  I'm not sure whether it's best to leave things alone,
revise this document, or revise [S-BFD].