Last Call Review of draft-ietf-sidr-delta-protocol-05
review-ietf-sidr-delta-protocol-05-secdir-lc-mandelberg-2017-02-02-00

Request Review of draft-ietf-sidr-delta-protocol
Requested rev. no specific revision (document currently at 08)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2017-01-31
Requested 2017-01-17
Other Reviews Genart Last Call review of -06 by Orit Levin (diff)
Opsdir Last Call review of -05 by Susan Hares (diff)
Review State Completed
Reviewer David Mandelberg
Review review-ietf-sidr-delta-protocol-05-secdir-lc-mandelberg-2017-02-02
Posted at https://mailarchive.ietf.org/arch/msg/secdir/0k-eBFbrxE6D84dU8l2ri_8QKGY
Reviewed rev. 05 (document currently at 08)
Review result Has Nits
Draft last updated 2017-02-02
Review completed: 2017-02-02

Review
review-ietf-sidr-delta-protocol-05-secdir-lc-mandelberg-2017-02-02

Hi,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document provides a new way for RPKI Relying Parties to download
RPKI objects. As mentioned in the Security Considerations, those objects
are already cryptographically signed. The RRDP protocol provides some
additional security to the download process, with no changes to the
security properties of the RPKI objects themselves.

I think this document is Ready with nits.


3.3.2: It seems strange to me that you use MUST when talking about the
timing/performance of the repository server. Is this relevant to
security? Or is there another reason for a MUST?

3.4.2: I think "update its last processed serial number to the serial
number of this snapshot file" should say "delta file" instead.

3.4.5: I'd recommend changing "in case of network issues" to "in case of
network issues, or temporary failures of the repository server(s) or
caching infrastructure".

3.5.1.2: I think the last paragraph might make it harder for the server
to recover from a temporary overload, since it can't tell clients to
wait longer than 1 minute before re-fetching. It seems to me that
letting the clients get a few minutes out of date until the server
operator can provision more capacity is better than accidentally DoSing
the server.

3.5.4: Why is serial not an xsd:positiveInteger? Section 3.3.1 says that
serials start at 1.

-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/