[alto] Secdir last call review of draft-ietf-alto-cost-calendar-17
Brian Weis via Datatracker <noreply@ietf.org> Tue, 25 February 2020 05:56 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: alto@ietf.org
Delivered-To: alto@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id E11E43A0A94; Mon, 24 Feb 2020 21:56:39 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Brian Weis via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: alto@ietf.org, draft-ietf-alto-cost-calendar.all@ietf.org, last-call@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.118.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <158261019978.24286.6282703976329096776@ietfa.amsl.com>
Reply-To: Brian Weis <bew.stds@gmail.com>
Date: Mon, 24 Feb 2020 21:56:39 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/alto/j7jlhJZwT1D5eSd3NdY0lnKShy0>
Subject: [alto] Secdir last call review of draft-ietf-alto-cost-calendar-17
X-BeenThere: alto@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "Application-Layer Traffic Optimization \(alto\) WG mailing list" <alto.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/alto>, <mailto:alto-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/alto/>
List-Post: <mailto:alto@ietf.org>
List-Help: <mailto:alto-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/alto>, <mailto:alto-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Feb 2020 05:56:40 -0000
Reviewer: Brian Weis Review result: Ready I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document defines the ALTO Cost Calendar, an extension to the base Application-Layer Traffic Optimization (ALTO) protocol. Currently, the ALTO cost information service provides applications with guidance about current costs of a desired resource, but not for resources with a cost that changes dramatically over time. The ALTO Cost Calendar allows for specifying costs for varying time periods in the future. The extensions in this document are to the existing network flows, with policy defined in JSON. As such, additional security considerations are few. The well-written Security Considerations document does define a few considerations that come from announcing events that are expected to happen in the future. I have only one suggestion for additional text. The second paragraph on page 27 (draft -17) describes risks of a client using the calendaring information for their own selfish purposes. The suggested mitigation in the next paragraph is to limit the information “being leaked to malicious clients or third parties“ by authenticating clients with TLS. This strategy may thwart “third parties”, but it will not help in the case of “malicious clients” possessing valid credentials to authenticate. The threat here might be legitimate clients that have become subverted by an attacker and are now ‘bots’ being asked to participate in a DDoS attack. The calendar information would be valuable information for when to persecute a DDoS attack, and this should be noted here.
- [alto] Secdir last call review of draft-ietf-alto… Brian Weis via Datatracker
- Re: [alto] Secdir last call review of draft-ietf-… Y. Richard Yang
- Re: [alto] Secdir last call review of draft-ietf-… Brian Weis
- Re: [alto] Secdir last call review of draft-ietf-… Y. Richard Yang
- Re: [alto] Secdir last call review of draft-ietf-… Vijay Gurbani
- Re: [alto] Secdir last call review of draft-ietf-… Y. Richard Yang
- Re: [alto] Secdir last call review of draft-ietf-… Mirja Kuehlewind