Telechat Review of draft-ietf-spring-srv6-network-programming-19
review-ietf-spring-srv6-network-programming-19-secdir-telechat-weis-2020-09-22-00

Request Review of draft-ietf-spring-srv6-network-programming
Requested rev. no specific revision (document currently at 26)
Type Telechat Review
Team Security Area Directorate (secdir)
Deadline 2020-09-22
Requested 2020-09-08
Authors Clarence Filsfils, Pablo Camarillo, John Leddy, Daniel Voyer, Satoru Matsushima, Zhenbin Li
Draft last updated 2020-09-22
Completed reviews Opsdir Last Call review of -17 by Dan Romascanu (diff)
Tsvart Last Call review of -17 by Mirja K├╝hlewind (diff)
Secdir Last Call review of -17 by Brian Weis (diff)
Secdir Telechat review of -19 by Brian Weis (diff)
Intdir Telechat review of -18 by Brian Haberman (diff)
Secdir Telechat review of -20 by Brian Weis (diff)
Assignment Reviewer Brian Weis 
State Completed
Review review-ietf-spring-srv6-network-programming-19-secdir-telechat-weis-2020-09-22
Posted at https://mailarchive.ietf.org/arch/msg/secdir/zh9zTVkXXtDFkwpcx8dSr2Sg8YE
Reviewed rev. 19 (document currently at 26)
Review result Ready
Review completed: 2020-09-22

Review
review-ietf-spring-srv6-network-programming-19-secdir-telechat-weis-2020-09-22

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This is a re-review; thanks to the authors for addressing suggestions made in the first review. The new  security considerations text is good, and logically correct so I've marked this document as "Ready". But let me explain one way I think that it could be improved. 

The last email exchange was about suggesting that the HMAC TLV be used even when an SRH is not included in the packet. The newest text "regardless of the  number of segments in the segment list" implies this case, but there is still a concern is that implementors won't get this hint about the possible need to protect just one segment where the SRH is omitted because it's not needed. It would be nice if this sentence could be more explicit about the need for an HMAC TLV in this case. For example, something like:
    <old> "regardless of the	 number of segments in the segment list." </old>
    <new> "regardless of whether the segments are defined in an SRH header or a single segment is passed in the Destination Address." </new>

Thanks.