
Last Call Review of draft-ietf-isis-sbfd-discriminator-02
review-ietf-isis-sbfd-discriminator-02-secdir-lc-yu-2015-11-19-00

Request: Review of draft-ietf-isis-sbfd-discriminator
Requested revision: No specific revision (document currently at 02)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2015-11-16
Requested: 2015-11-05
Authors: Les Ginsberg, Nobo Akiya, Mach Chen
I-D last updated: 2015-11-19
Completed reviews: Secdir Last Call review of -02 by Taylor Yu
                   Opsdir Last Call review of -02 by Menachem Dodge
                   Opsdir Last Call review of -02 by Nevil Brownlee
Assignment: Reviewer Taylor Yu
State: Completed
Request: Last Call review on draft-ietf-isis-sbfd-discriminator by Security Area Directorate Assigned
Reviewed revision: 02
Result: Has nits
Completed: 2015-11-19
I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

Summary: ready with nits

I agree with the first paragraph of the Security Considerations, in that
I think it's unlikely that this document introduces security risks for
IS-IS, which, as I understand it, effectively transports the proposed
S-BFD discriminators as an uninterpreted opaque payload.

The second paragraph

   Advertisement of the S-BFD discriminators does make it possible for
   attackers to initiate S-BFD sessions using the advertised
   information.  The vulnerabilities this poses and how to mitigate them
   are discussed in the Security Considerations section of [S-BFD].

refers to the Security Considerations of the [S-BFD] base document.  The
[S-BFD] Security Considerations describe some strengthening practices,
but don't seem to describe the vulnerabilities in significant detail.
The [S-BFD] Security Considerations seem to describe an attack where
someone impersonates the responder, but not one where someone
impersonates an initiator.

Other sections of [S-BFD] might imply the existence of this sort of
vulnerability, but the Security Considerations seem not to mention it
explicitly.  I'm not sure whether it's best to leave things alone,
revise this document, or revise [S-BFD].

-Tom