IETF Last Call Review of draft-ietf-opsawg-pcaplinktype-13
review-ietf-opsawg-pcaplinktype-13-secdir-lc-reddyk-2025-10-23-00

Hi,

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written with the intent of improving security requirements
and considerations in IETF drafts.  Comments not addressed in the last call
may be included in AD reviews during the IESG review.  Document editors and
WG chairs should treat these comments just like any other last call
comments.

Reviewer: Tirumaleswar Reddy
Review result:  Ready with Nits

Summary:  It describes a set of LinkType values used in PCAP capture file
formats and to create an IANA registry for those values.

Nits and comment below:

1.  While the text already covers buffer overreads due to truncated
captures, I suggest broadening that to mention unbounded copies, where
unverified length fields or captured lengths are used directly in memory
allocations. Implementations will have to bound allocation sizes based on
the actual buffer length and defined protocol limits.

2. Implementations will have to handle unknown/not-registered LinkType
values.

3. LinkType metadata can reveal deployment details.  For example, the
presence of LINKTYPE_IEEE802_11 indicates wireless capture, while
vendor-specific LinkTypes (e.g., LINKTYPE_JUNIPER_ATM1) disclose equipment
type.   When capture files are shared outside the organization, network
administrators will have to review and, if necessary, anonymize LinkType
values and related metadata to avoid leaking information about network
topology and network vendor details.

Best Regards,
-Tiru