Document: draft-ietf-detnet-controller-plane-framework
Title: Deterministic Networking (DetNet) Controller Plane Framework
Reviewer: Dave Thaler
Review result: Has Issues

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

There are numerous editorial nits which I won't call out here, but a marked-up copy with my comments inline is at:
https://1drv.ms/b/c/dc2b364f3f06fea8/EV3K2Un0TlVFrspsJvc_kOQB2FOkEj5UvFwc66fW3c_fYQ?e=KyM9xq

The one more substantial comment is that section 2 claims to compile the controller plane requirements from various other documents. However, from a secdir perspective, the compiled requirements are notably missing any security requirements from RFC 9055, which isn't even cited in this section (the security considerations section cites an earlier I-D version of it, but mentions nothing as a requirement, only considerations).

I did a quick scan of RFC 9055 section 7 (Security Threat Mitigation) and it does appear to contain some things that should, I think, really be treated as requirements. For example, RFC 9055 section 7.3 says:

> Authentication verifies the identity of DetNet nodes
> (including DetNet Controller Plane nodes), and this enables
> mitigation of Spoofing attacks.

which implies a requirement that the controller plane authenticate the identity of controller plane nodes.

Hence I would recommend this document also incorporate any protocol requirements resulting from RFC 9055 section 7.

Dave