Last Call Review of draft-shore-icmp-aup-06
review-shore-icmp-aup-06-secdir-lc-orman-2013-11-14-00
Request | Review of draft-shore-icmp-aup |
---|---|
Requested revision | No specific revision (document currently at 12) |
Type | Last Call Review |
Team | Security Area Directorate (secdir) |
Deadline | 2013-11-18 |
Requested | 2013-10-24 |
Authors | Melinda Shore, Carlos Pignataro |
I-D last updated | 2013-11-14 |
Completed reviews | Genart Last Call review of -06 by Vijay K. Gurbani; Genart Telechat review of -09 by Vijay K. Gurbani; Secdir Last Call review of -06 by Hilarie Orman; Opsdir Last Call review of -06 by Tim Chown |
Assignment | Reviewer: Hilarie Orman |
State | Completed |
Request | Last Call review on draft-shore-icmp-aup by Security Area Directorate Assigned |
Reviewed revision | 06 (document currently at 12) |
Result | Has issues |
Completed | 2013-11-14 |
Security review of draft-shore-icmp-aup-06
An Acceptable Use Policy for New ICMP Types and Codes

Do not be alarmed. I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The document discusses the current uses of ICMP and how it may or may not fit into management or control planes, depending on your view of what those are. The recommendation is to limit uses to reporting downstream forwarding anomalies, discovering on-link routers and hosts, and network parameters. "ICMP should not be used as a routing or network management protocol."

While there are ostensibly no new security considerations, it is worthwhile noting that ICMP plays a part in the Photuris protocol and was also used in SKIP (though that usage is deprecated).

In general, I have some concern about using ICMP to discover network security parameters or to report on network security anomalies in the forwarding plane. I would recommend adding something to the security considerations about avoiding such usage or using special caution if defining new protocols.

Hilarie
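As an added illustration of the usage categories the review summarises (this is example code written for this page, not part of the review, the draft, or the datatracker), the following Python parses ICMPv4 headers, verifies the RFC 1071 checksum, and sorts each message into "forwarding-anomaly", "discovery", "deprecated" or "outside-policy". The type numbers are IANA-assigned ICMPv4 types; which types belong to which category is this example's own reading of the review's summary and is an assumption, as are the constructed sample messages. A monitoring tool built this way would surface ICMP types, such as the Photuris and SKIP types the reviewer mentions, that fall outside the sanctioned uses.

```python
"""Classify ICMPv4 messages against the usage categories the secdir review summarises.

Added example, not text from the draft or the review. Type numbers are IANA
ICMPv4 types; the category mapping is this example's assumption.
"""
import struct

# IANA ICMPv4 type numbers.
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, REDIRECT, ECHO = 0, 3, 4, 5, 8
ROUTER_ADV, ROUTER_SOL, TIME_EXCEEDED, PARAM_PROBLEM = 9, 10, 11, 12
SKIP, PHOTURIS = 39, 40  # the two security-protocol types the review names

# Assumed mapping of types onto the categories the review lists.
CATEGORIES = {
    "forwarding-anomaly": {DEST_UNREACH, TIME_EXCEEDED, PARAM_PROBLEM},
    "discovery": {ECHO, ECHO_REPLY, ROUTER_ADV, ROUTER_SOL},
}
DEPRECATED = {SOURCE_QUENCH, SKIP}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(packet: bytes) -> dict:
    """Parse the 8-byte ICMPv4 header; raise ValueError on truncation or bad checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP header truncated")
    msg_type, code, checksum = struct.unpack("!BBH", packet[:4])
    # The checksum is computed with the checksum field itself set to zero.
    zeroed = packet[:2] + b"\x00\x00" + packet[4:]
    if icmp_checksum(zeroed) != checksum:
        raise ValueError("bad ICMP checksum")
    return {"type": msg_type, "code": code, "rest": packet[4:8], "payload": packet[8:]}


def classify(msg_type: int) -> str:
    """Map a type number onto the assumed policy categories."""
    for name, types in CATEGORIES.items():
        if msg_type in types:
            return name
    if msg_type in DEPRECATED:
        return "deprecated"
    return "outside-policy"


def build_icmp(msg_type: int, code: int = 0, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Build a well-formed ICMPv4 message with a correct checksum (for constructed samples)."""
    header = struct.pack("!BBH", msg_type, code, 0) + rest
    chk = icmp_checksum(header + payload)
    return struct.pack("!BBH", msg_type, code, chk) + rest + payload


def audit(packets):
    """Return (type, category) for each message not in a sanctioned category,
    or ("malformed", reason) for messages that do not parse."""
    findings = []
    for pkt in packets:
        try:
            msg = parse_icmp(pkt)
        except ValueError as exc:
            findings.append(("malformed", str(exc)))
            continue
        category = classify(msg["type"])
        if category not in CATEGORIES:
            findings.append((msg["type"], category))
    return findings


# Constructed sample traffic (not captured from any network).
SAMPLES = [
    build_icmp(DEST_UNREACH, code=3, payload=b"\x45\x00" + b"\x00" * 26),  # port unreachable
    build_icmp(ECHO, rest=b"\x12\x34\x00\x01", payload=b"ping"),
    build_icmp(ROUTER_SOL),
    build_icmp(PHOTURIS, code=1),   # security-protocol use the review calls out
    build_icmp(SOURCE_QUENCH),      # deprecated type
    build_icmp(ECHO)[:6],           # truncated header
]

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

Running the module prints one finding per message that is outside the two sanctioned categories, plus one for the truncated sample; the well-formed Destination Unreachable, Echo and Router Solicitation messages produce no output.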