Skip to main content

Last Call Review of draft-ietf-sfc-nsh-integrity-04
review-ietf-sfc-nsh-integrity-04-secdir-lc-hanna-2021-03-14-00

Request Review of draft-ietf-sfc-nsh-integrity
Requested revision No specific revision (document currently at 09)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2021-03-12
Requested 2021-02-18
Requested by Joel M. Halpern
Authors Mohamed Boucadair , Tirumaleswar Reddy.K , Dan Wing
I-D last updated 2021-03-14
Completed reviews Secdir Early review of -01 by Steve Hanna (diff)
Secdir Last Call review of -04 by Steve Hanna (diff)
Opsdir Last Call review of -05 by Jürgen Schönwälder (diff)
Tsvart Last Call review of -06 by Dr. Joseph D. Touch (diff)
Comments
Given that this is a security document, and has just completed WG last call, it seems appropriate to ask for a revised security review to make sure we have not missed anything while we get a Document Shepherd writeup put together.  Thank you.
Assignment Reviewer Steve Hanna
State Completed
Request Last Call review on draft-ietf-sfc-nsh-integrity by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/4y0kVwWAMv_bZirzCaz1RAGZ2rU
Reviewed revision 04 (document currently at 09)
Result Ready
Completed 2021-03-14
review-ietf-sfc-nsh-integrity-04-secdir-lc-hanna-2021-03-14-00
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
 Document editors and WG chairs should treat these comments just like any other
last call comments.

This document adds integrity and optional encryption of sensitive metadata
directly to the Network Service Header (NSH) protocol defined in RFC 8300, thus
reducing or eliminating several attack vectors against Service Function
Chaining (SFC). The document is well written and seems adequate for the goals
articulated here and elsewhere in the SFC document suite.

All of the issues, questions, and nits that I raised in my earlier secdir
review
(https://datatracker.ietf.org/doc/review-ietf-sfc-nsh-integrity-01-secdir-early-hanna-2020-12-24)
have been well addressed in draft-ietf-sfc-nsh-integrity-04. From my
perspective (as a security expert who has not previously worked with SFC), this
latest version of that document seems to address all relevant security issues
in an appropriate manner. I have no remaining concerns regarding this document
and support its approval.