Hi Yaron, thanks for your comments, please see inline: On 04/11/18 16:38 , Yaron Sheffer wrote:
Reviewer: Yaron Sheffer Review result: Has Nits Summary: document has non-security related nits. Details * The definition of "segment" is different here from the one used in the architecture RFC. The RFC is more abstract, quoting: A node steers a packet through an ordered list of instructions, called "segments". Whereas here a segment is simply a sub-path. This is confusing to a non-expert, and perhaps indicates a change in the group's thinking.
the definition in this draft relates to segment as used by IGPs, in which case a segment represents the sub-path. There are other segments outside of IGPs which can represent other things, but they are not covered by this draft.
* SID/Label Sub-TLV: is it Mandatory? If so, please point it out.
SID/Label Sub-TLV is not advertised on its own. It is advertised as a sub-TLV of the:
3.2. SID/Label Range TLV 3.3. SR Local Block TLV Both of these section specify that SID/Label Sub-TLV MUST be included.
* "The SR-Algorithm TLV is optional" - I find this sentence confusing. Maybe replace by "The SR-Algorithm TLV is mandatory for routers that implement segment routing"?
the text says: "If the SR-Algorithm TLV is not advertised by the node, such node is considered as not being segment routing capable." Isn't that sufficient?
* The reference under "IGP Algorithm Type" registry should be to the IANA registry itself, not to the I-D that defines it. (In particular since the IANA registry has already been established, https://www.iana.org/assignments/igp-parameters/igp-parameters.xhtml#igp-algorithm-types).
I got another comment from Opsdir last call review to include the I-D that defined it. I Added them both, hopefully that satisfy everybody.
* OSPFv3 Extended Prefix Range TLV Flags octet: add the usual incantation about reserved bits.
Done.
* In general I agree with the reasoning in the Security Considerations. I would like to raise the question if, in addition to mis-routing, this adds a threat of massive denial-of-service on MPLS endpoints, e.g. by allowing an attacker who has OSPF access to introduce routing loops. (This may be completely bogus, I am far from expert with either of these protocols).
above is addressed by usage of the usage of the OSPF authentication as described in the security section.
thanks, Peter
.