Telechat Review of draft-ietf-mpls-psc-updates-05
review-ietf-mpls-psc-updates-05-secdir-telechat-roca-2014-05-15-00

Request Review of draft-ietf-mpls-psc-updates
Requested rev. no specific revision (document currently at 06)
Type Telechat Review
Team Security Area Directorate (secdir)
Deadline 2014-05-13
Requested 2014-05-02
Authors Eric Osborne
Draft last updated 2014-05-15
Completed reviews Genart Telechat review of -05 by Elwyn Davies (diff)
Secdir Telechat review of -05 by Vincent Roca (diff)
Assignment Reviewer Vincent Roca 
State Completed
Review review-ietf-mpls-psc-updates-05-secdir-telechat-roca-2014-05-15
Reviewed rev. 05 (document currently at 06)
Review result Has Issues
Review completed: 2014-05-15

Review
review-ietf-mpls-psc-updates-05-secdir-telechat-roca-2014-05-15

Hello,

I have reviewed this document as part of the security directorate's

ongoing effort to review all IETF documents being processed by the

IESG.  These comments were written primarily for the benefit of the

security area directors. Document editors and WG chairs should treat

these comments just like any other last call comments.

IMHO, the document is 

Almost ready.

The author claims this document "raise[s] no new security concerns".

I think the author is right, however I have two comments:

- it's preferable to mention explicitely that RFC 6378 provides the baseline

  security discussion and that it also applies to the present document.

- Making sure an implementation behaves correctly in front of malformed

  messages is typically something that should be mentioned/discussed in the

  Security Section. This is the case in section 2.3 "Error handling".

  Can an attacker through malformed/unexpected messages (e.g., with fuzzing)

  launch a DoS?

  I don't suggest to move section 2.3 in the Security Discussion section, but

  rather to add a sentence in the Security Section explaining that this document

  in section 2.3 also clarifies how to react in front of malformed/unexpected

  messages (which is essential from a security point of view).

Cheers,

    Vincent