Skip to main content

Last Call Review of draft-ietf-lsr-rfc8919bis-01

Request Review of draft-ietf-lsr-rfc8919bis
Requested revision No specific revision (document currently at 04)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2023-05-03
Requested 2023-04-19
Authors Les Ginsberg , Peter Psenak , Stefano Previdi , Wim Henderickx , John Drake
I-D last updated 2023-05-04
Completed reviews Secdir Last Call review of -01 by Watson Ladd (diff)
Artart Last Call review of -01 by Joseph Yee (diff)
Genart Last Call review of -01 by Robert Sparks (diff)
Assignment Reviewer Watson Ladd
State Completed
Request Last Call review on draft-ietf-lsr-rfc8919bis by Security Area Directorate Assigned
Posted at
Reviewed revision 01 (document currently at 04)
Result Has issues
Completed 2023-05-04
Dear all,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of my review is Has Issues. While this document is a pretty
concise and well written description of a problem and solution, the securities
consideration section is pretty perfunctory.

In particular this document seems to assert that the new extensions can only
be enabled when all routers support them, and not in a link-by-link manner. If
that's the case, then an attacker can enable the new advertisements on a router
and cause problems, while the securities consideration section seems to say this is
only per application.

IS-IS is normally within an adminstrative domain, which does minimize many of the impacts,
but the impact of an attacker having access aren't completely solved by authentication,
particularly if messages can have effect at large distances.

I think the security considerations section needs some revision in light of this,
either clarifying that IS-IS must be used within a domain, or more attention paid
to thinking about what could go wrong.

Watson Ladd