Last Call Review of draft-ietf-pce-questions-06
review-ietf-pce-questions-06-secdir-lc-laurie-2014-07-03-00
| Request | Review of | draft-ietf-pce-questions |
|---|---|---|
| | Requested revision | No specific revision (document currently at 08) |
| | Type | Last Call Review |
| | Team | Security Area Directorate (secdir) |
| | Deadline | 2014-07-01 |
| | Requested | 2014-06-19 |
| | Authors | Adrian Farrel, Daniel King |
| | I-D last updated | 2014-07-03 |
| | Completed reviews | Genart Last Call review of -06 by Alexey Melnikov; Secdir Last Call review of -06 by Ben Laurie; Opsdir Last Call review of -06 by Mehmet Ersue |
| Assignment | Reviewer | Ben Laurie |
| | State | Completed |
| | Request | Last Call review on draft-ietf-pce-questions by Security Area Directorate Assigned |
| | Reviewed revision | 06 (document currently at 08) |
| | Result | Has issues |
| | Completed | 2014-07-03 |
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Status: ready with issues.

The security considerations section makes this claim: "This informational document does not define any new protocol elements or mechanism. As such, it does not introduce any new security issues."

I agree with the premise, but not the conclusion: just because an RFC does not introduce new security issues, that does not mean that there are no security considerations. Indeed, this RFC discusses many things that have quite serious security considerations, without mentioning any of them.

For example, section 4 "How Do I Find My PCE?" (the very first question) advocates a number of potentially completely insecure mechanisms with no mention of their security properties (or otherwise). This is obviously pervasive, given the stance taken in the security considerations.

The document does mention that RFC 6952 gives a security analysis for PCEP, and perhaps this is sufficient but it seems to me that a document intended to give useful background information to noobs should include security directly in that information rather than defer to another giant document (which mixes PCEP info with other protocols).