Last Call Review of draft-ietf-ospf-ospfv3-segment-routing-extensions-16
review-ietf-ospf-ospfv3-segment-routing-extensions-16-secdir-lc-sheffer-2018-11-04-00

Request Review of draft-ietf-ospf-ospfv3-segment-routing-extensions
Requested rev. no specific revision (document currently at 21)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2018-11-16
Requested 2018-10-23
Other Reviews Genart Telechat review of -19 by Pete Resnick (diff)
Genart Last Call review of -18 by Pete Resnick (diff)
Rtgdir Last Call review of -17 by Tomonori Takeda (diff)
Opsdir Last Call review of -16 by Joe Clarke (diff)
Review State Completed
Reviewer Yaron Sheffer
Review review-ietf-ospf-ospfv3-segment-routing-extensions-16-secdir-lc-sheffer-2018-11-04
Posted at https://mailarchive.ietf.org/arch/msg/secdir/9zjLanQMGTijEEz7ja3LncnbTqk
Reviewed rev. 16 (document currently at 21)
Review result Has Nits
Draft last updated 2018-11-04
Review completed: 2018-11-04

Review
review-ietf-ospf-ospfv3-segment-routing-extensions-16-secdir-lc-sheffer-2018-11-04

Summary: document has non-security related nits.

Details

* The definition of "segment" is different here from the one used in the architecture RFC. The RFC is more abstract, quoting: A node steers a packet through an ordered list of instructions, called "segments". Whereas here a segment is simply a sub-path. This is confusing to a non-expert, and perhaps indicates a change in the group's thinking.

* SID/Label Sub-TLV: is it Mandatory? If so, please point it out.

* "The SR-Algorithm TLV is optional" - I find this sentence confusing. Maybe replace by "The SR-Algorithm TLV is mandatory for routers that implement segment routing"?

* The reference under "IGP Algorithm Type" registry should be to the IANA registry itself, not to the I-D that defines it. (In particular since the IANA registry has already been established, https://www.iana.org/assignments/igp-parameters/igp-parameters.xhtml#igp-algorithm-types).

* OSPFv3 Extended Prefix Range TLV Flags octet: add the usual incantation about reserved bits.

* In general I agree with the reasoning in the Security Considerations. I would like to raise the question if, in addition to mis-routing, this adds a threat of massive denial-of-service on MPLS endpoints, e.g. by allowing an attacker who has OSPF access to introduce routing loops. (This may be completely bogus, I am far from expert with either of these protocols).