Last Call Review of draft-ietf-ospf-multi-instance-
review-ietf-ospf-multi-instance-secdir-lc-nystrom-2011-12-12-00

Request Review of draft-ietf-ospf-multi-instance
Requested rev. no specific revision (document currently at 09)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2011-12-12
Requested 2011-12-03
Draft last updated 2011-12-12
Completed reviews Secdir Last Call review of -?? by Magnus Nystrom
Assignment Reviewer Magnus Nystrom
State Completed
Review review-ietf-ospf-multi-instance-secdir-lc-nystrom-2011-12-12
Review completed: 2011-12-12

Review
review-ietf-ospf-multi-instance-secdir-lc-nystrom-2011-12-12

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes a method for allowing multiple instances on
the same domain in OSPFv2.

Since the Autype field in OSPFv2 will be halved by this document, one
concern would have been whether there were existing implementations
using Autype values large enough to set bits in the higher octet.
According to the authors this is not the case, and so the risk of
re-use of existing Autype values apparently does not exist.
Conversely, when a router which does not understand this new use of
the Autype field is presented with a packet from a router that is
instance-aware (and uses a non-zero instance-id value) it will not
accept it since it would represent an unknown authentication type. I
would therefore tend to agree with the authors that the introduction
of an InstanceID as part of the previous Autype field should not be a
cause of concern.

Editorial:
- Section 2: Unclear sentence: "In support of this capability, this
document introduces a modified packet header format with the
Authentication Type field is split into an Instance ID and AuType."
(Probably the "is" should be removed/replaced)

- Section 5: Refers to Appendix D but there is no Appendix D.
Presumably the link should be to Appendix D of OSPFv2.

-- Magnus
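The AuType split discussed in the review above, as an added example (editor's code, not from the draft, the OSPF WG, or the reviewer): a constructed 24-byte OSPFv2 header is decoded both as a legacy router reads it (one 16-bit AuType) and as an instance-aware router reads it (Instance ID in the upper octet, AuType in the lower). The router ID and area ID are made-up values.

```python
"""Legacy vs. multi-instance view of the OSPFv2 header AuType field."""
import struct

# OSPFv2 packet header (RFC 2328, A.3.1): 24 bytes.
# version(1) type(1) length(2) router_id(4) area_id(4) checksum(2)
# autype(2) authentication(8)
_HDR = struct.Struct("!BBHIIHH8s")

# Authentication types a router that predates multi-instance understands.
LEGACY_AUTYPES = {0: "Null", 1: "Simple password", 2: "Cryptographic"}


def build_header(instance_id, autype, router_id=0x0A000001, area_id=0):
    """Build a 24-byte OSPFv2 Hello header with the former 16-bit AuType
    field written as (Instance ID << 8) | AuType.  router_id/area_id are
    constructed sample values; checksum and auth data are left zero."""
    field16 = ((instance_id & 0xFF) << 8) | (autype & 0xFF)
    return _HDR.pack(2, 1, _HDR.size, router_id, area_id, 0, field16, bytes(8))


def legacy_view(hdr):
    """Decode as a router that is not instance-aware: the whole 16 bits are
    the authentication type, so a non-zero Instance ID yields an unknown
    type and the packet is not accepted."""
    field16 = _HDR.unpack(hdr)[6]
    return {"autype": field16, "known": field16 in LEGACY_AUTYPES}


def multi_instance_view(hdr):
    """Decode as an instance-aware router: upper octet is the Instance ID,
    lower octet is the (unchanged) 8-bit AuType."""
    field16 = _HDR.unpack(hdr)[6]
    return {"instance_id": field16 >> 8, "autype": field16 & 0xFF}


if __name__ == "__main__":
    for iid, at in ((0, 2), (5, 1)):
        h = build_header(iid, at)
        print(f"instance {iid}, autype {at}:",
              "legacy ->", legacy_view(h),
              "| multi-instance ->", multi_instance_view(h))
```

Instance ID 0 is read identically by both router kinds, which is what keeps existing deployments interoperable; any non-zero Instance ID shows up to a legacy router as an authentication type it has never seen.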