Skip to main content

Last Call Review of draft-ietf-isis-te-metric-extensions-07
review-ietf-isis-te-metric-extensions-07-secdir-lc-weis-2016-01-07-00

Request Review of draft-ietf-isis-te-metric-extensions
Requested revision No specific revision (document currently at 11)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2015-12-30
Requested 2015-12-17
Authors Stefano Previdi , Spencer Giacalone , David Ward , John Drake , Qin Wu
I-D last updated 2016-01-07
Completed reviews Genart Last Call review of -07 by Christer Holmberg (diff)
Genart Telechat review of -09 by Christer Holmberg (diff)
Secdir Last Call review of -07 by Brian Weis (diff)
Secdir Telechat review of -09 by Brian Weis (diff)
Opsdir Last Call review of -07 by Mahalingam Mani (diff)
Assignment Reviewer Brian Weis
State Completed
Request Last Call review on draft-ietf-isis-te-metric-extensions by Security Area Directorate Assigned
Reviewed revision 07 (document currently at 11)
Result Has nits
Completed 2016-01-07
review-ietf-isis-te-metric-extensions-07-secdir-lc-weis-2016-01-07-00
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

I consider this document Ready with nits.

This document adds some “sub-TLVs” to IS-IS Traffic Engineering Extensions
(RFC5305), where the new sub-TLVs describe characteristics for a link (e.g.,
link delay, available bandwidth). It notes in the Abstract and Introduction
that these will be used in real-time networks where performance data is
critical to ensuring timely delivery of information (e.g., stock market data).

The Security Considerations accurately states that it does not introduce
security issues, insomuch that it does not change the behavior of IS-IS or
IS-IS Extensions for Traffic Engineering (RFC 5305). It points to the security
considerations in RFC 5305, which really just points to security considerations
in IS-IS Cryptographic Authentication  (RFC 5304). This is logical, if not so
helpful. Pointing to RFC 5304 directly would be just as useful, in my opinion,
but acceptable the way it is now.

Given that the stated motivation for this document is to pass performance data
across networks where the performance data is considered critical (and the
delay of which has an financial impact), it would be useful for the Security
Considerations to be more specific about risks to the IS-IS TE extensions being
tampered with on the link. For example, it could say that the effect of sending
these IS-iS Traffic Engineering Sub-TLVs over insecure links could result in a
man-in-the-middle attacker delaying real time data to the site, which could
negatively affect the value of the data for that site.

Security Considerations also points to Traffic Engineering Extensions to OSPF
Version 3  (RFC5329) which does not make a lot of sense to me, since OSPF is an
entirely different protocol. I think a better alternate reference might be
IS-IS Security Analysis (RFC7645).

Brian