Last Call Review of draft-ietf-pce-questions-06
review-ietf-pce-questions-06-secdir-lc-laurie-2014-07-03-00

Request Review of draft-ietf-pce-questions
Requested rev. no specific revision (document currently at 08)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2014-07-01
Requested 2014-06-19
Draft last updated 2014-07-03
Completed reviews Genart Last Call review of -06 by Alexey Melnikov (diff)
Secdir Last Call review of -06 by Ben Laurie (diff)
Opsdir Last Call review of -06 by Mehmet Ersue (diff)
Assignment Reviewer Ben Laurie
State Completed
Review review-ietf-pce-questions-06-secdir-lc-laurie-2014-07-03
Reviewed rev. 06 (document currently at 08)
Review result Has Issues
Review completed: 2014-07-03

Review
review-ietf-pce-questions-06-secdir-lc-laurie-2014-07-03

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Status: ready with issues.

The security considerations section makes this claim:

"This informational document does not define any new protocol elements
or mechanism.  As such, it does not introduce any new security
issues."

I agree with the premise, but not the conclusion: just because an RFC
does not introduce new security issues, that does not mean that there
are no security considerations.

Indeed, this RFC discusses many things that have quite serious
security considerations, without mentioning any of them. For example,
section 4 "How Do I Find My PCE?" (the very first question) advocates
a number of potentially completely insecure mechanisms with no mention
of their security properties (or otherwise). This is obviously
pervasive, given the stance taken in the security considerations.

The document does mention that RFC 6952 gives a security analysis for
PCEP, and perhaps this is sufficient but it seems to me that a
document intended to give useful background information to noobs
should include security directly in that information rather than defer
to another giant document (which mixes PCEP info with other
protocols).