Last Call Review of draft-ietf-pce-stateful-pce-vendor-08
review-ietf-pce-stateful-pce-vendor-08-secdir-lc-dunbar-2024-10-14-00
review-ietf-pce-stateful-pce-vendor-08-secdir-lc-dunbar-2024-10-14-00
I have reviewed this document as part of the SEC area directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the Security area directors. Document editors and WG chairs should treat these comments just like any other last-call comments Summary: this document extends the vendor-specific information in the Stateless PCE communication protocol for the Stateful PECP message. The document is very clear and easy to read. Just a minor NITS with the Security Consideration: The method described in the Security Consideration to mitigate the security issue of "covert channel" relies on operators noticing that vendor-specific information is being used and then reaching out to the vendor for decoding mechanisms. This is a reactive approach rather than a proactive one. By the time the operator detects the use of vendor-specific information and obtains the necessary decoding tools, malicious or harmful actions could have already occurred. It would be useful to add more description on how can operator be proactive to prevent the issue. Best Regards, Linda Dunbar