
Last Call Review of draft-ietf-lsr-multi-tlv-09
review-ietf-lsr-multi-tlv-09-secdir-lc-mandelberg-2025-02-14-00

Request: Review of draft-ietf-lsr-multi-tlv
Requested revision: No specific revision (document currently at 18)
Type: IETF Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2025-02-25
Requested: 2025-02-11
Authors: Parag Kaneriya, Tony Li, Tony Przygienda, Shraddha Hegde, Les Ginsberg
I-D last updated: 2025-04-25 (Latest revision 2025-04-25)
Completed reviews:
  Rtgdir IETF Last Call review of -08 by Mach Chen (diff)
  Opsdir IETF Last Call review of -09 by Giuseppe Fioccola (diff)
  Genart IETF Last Call review of -10 by Peter E. Yee (diff)
  Rtgdir IETF Last Call review of -09 by Adrian Farrel (diff)
  Secdir IETF Last Call review of -09 by David Mandelberg (diff)
Assignment: Reviewer David Mandelberg
State: Completed
Request: IETF Last Call review on draft-ietf-lsr-multi-tlv by Security Area Directorate (Assigned)
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/f5a6mbJUyGROxX4CCc0AhYF0vxE
Reviewed revision: 09 (document currently at 18)
Result: Has nits
Completed: 2025-02-14
Looks good, I think.

The security considerations section doesn't have much detail, but this doc
seems to be an extension of existing practice to additional TLVs in a way that
wouldn't change the security considerations at all.

The only security-relevant thing I could think of is around memory bounds and
allocation in implementations. When going from limited-size fields to
unlimited-size data across separate TLVs, I could imagine attacks that try to
cause out-of-memory conditions on a router, or that try to overflow a
fixed-size buffer. But this doc talks about existing TLVs that already work the
same way, so I'm guessing that hasn't been an issue in practice, or has been
mitigated? Do any of the existing docs talk about this? Or is there a size
limit somewhere else (I'm not very familiar with IS-IS) that makes this a
non-issue?
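The mitigation the review is asking about, shown as an added example that is not code from the draft or from any IS-IS implementation: a receiver that concatenates same-type TLV instances checks the running total against a fixed cap before every copy, so neither a fixed-size buffer nor memory can be exhausted by an unbounded sequence of TLVs. The aggregate limit MAX_AGGREGATE_LEN and the sample TLV bytes are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical policy limit: the most bytes this receiver will hold for one
 * logical TLV reassembled from several same-type TLV instances. */
#define MAX_AGGREGATE_LEN 1024

/* Walk a buffer of IS-IS-style TLVs (1-byte type, 1-byte length, value) and
 * append the value of every TLV of the given type to out. Returns the number
 * of bytes written, or -1 if a TLV is truncated or the aggregate would exceed
 * the smaller of out_cap and MAX_AGGREGATE_LEN. Bounds are checked before
 * each copy, so a fixed-size out buffer can never be overrun. */
int reassemble_tlv(const uint8_t *buf, size_t len, uint8_t type,
                   uint8_t *out, size_t out_cap)
{
    size_t pos = 0, total = 0;
    size_t limit = out_cap < MAX_AGGREGATE_LEN ? out_cap : MAX_AGGREGATE_LEN;

    while (pos < len) {
        if (len - pos < 2)            /* header cut off */
            return -1;
        uint8_t t = buf[pos];
        uint8_t l = buf[pos + 1];
        pos += 2;
        if (l > len - pos)            /* value runs past the buffer */
            return -1;
        if (t == type) {
            if (l > limit - total)    /* reject before copying */
                return -1;
            memcpy(out + total, buf + pos, l);
            total += l;
        }
        pos += l;
    }
    return (int)total;
}

/* Constructed sample: two instances of type 1 split around a type 2 TLV. */
static const uint8_t SAMPLE[] = {1, 3, 'a', 'b', 'c', 2, 1, 'x', 1, 2, 'd', 'e'};

/* Reassemble type 1 from SAMPLE into a buffer of out_cap bytes; returns the
 * byte count (5 when out_cap is large enough), -1 when out_cap is too small,
 * or -2 if the reassembled content is not the expected "abcde". */
int sample_reassemble(size_t out_cap)
{
    uint8_t out[64];
    if (out_cap > sizeof out)
        out_cap = sizeof out;
    int n = reassemble_tlv(SAMPLE, sizeof SAMPLE, 1, out, out_cap);
    if (n == 5 && memcmp(out, "abcde", 5) != 0)
        return -2;
    return n;
}

/* Constructed sample whose declared length exceeds the data present. */
int sample_truncated(void)
{
    static const uint8_t cut[] = {1, 5, 'a'};
    uint8_t out[8];
    return reassemble_tlv(cut, sizeof cut, 1, out, sizeof out);
}
```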