Last Call Review of draft-ietf-lsr-rfc8919bis-01
review-ietf-lsr-rfc8919bis-01-secdir-lc-ladd-2023-05-04-00

Dear all,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of my review is Has Issues. While this document is a pretty
concise and well written description of a problem and solution, the securities
consideration section is pretty perfunctory.

In particular this document seems to assert that the new extensions can only
be enabled when all routers support them, and not in a link-by-link manner. If
that's the case, then an attacker can enable the new advertisements on a router
and cause problems, while the securities consideration section seems to say this is
only per application.

IS-IS is normally within an adminstrative domain, which does minimize many of the impacts,
but the impact of an attacker having access aren't completely solved by authentication,
particularly if messages can have effect at large distances.

I think the security considerations section needs some revision in light of this,
either clarifying that IS-IS must be used within a domain, or more attention paid
to thinking about what could go wrong.

Sincerely,
Watson Ladd