Re: [CDNi] Kathleen Moriarty's No Objection on draft-ietf-cdni-metadata-18: (with COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Wed, 06 July 2016 14:12 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Wed, 06 Jul 2016 10:12:38 -0400
To: Kevin Ma J <kevin.j.ma@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/DYCbatQUpVunwXgDp3VlPKQyuY4>
Cc: "flefauch@cisco.com" <flefauch@cisco.com>, "cdni@ietf.org" <cdni@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-cdni-metadata@ietf.org" <draft-ietf-cdni-metadata@ietf.org>, "cdni-chairs@ietf.org" <cdni-chairs@ietf.org>

Hi Kevin,

These threats sound important enough to include now.  Can you add a
paragraph about these threats?

Thanks,
Kathleen

On Tue, Jul 5, 2016 at 4:39 PM, Kevin Ma J <kevin.j.ma@ericsson.com> wrote:
> Hi Kathleen,
>
>   I think that if an attacker could remove any of the ACL metadata, you could enable service in different regions, at different times, and to different end points, possibly in violation of the content owner's distribution rights (and possibly causing the content owner to incur excess delivery charges); but I would expect a premium content provider to have a DRM system outside the CDN delivery that enforces licensing restrictions and otherwise prevents hijacking the service as part of a criminal enterprise.  We will look at updating the threats in the next revision.
>
> thanx!
>
> --  Kevin J. Ma
>
>> -----Original Message-----
>> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
>> Sent: Tuesday, July 05, 2016 4:17 PM
>> To: Kevin Ma J
>> Cc: The IESG; draft-ietf-cdni-metadata@ietf.org; cdni-chairs@ietf.org;
>> flefauch@cisco.com; cdni@ietf.org
>> Subject: Re: Kathleen Moriarty's No Objection on draft-ietf-cdni-metadata-18: (with COMMENT)
>>
>> On Tue, Jul 5, 2016 at 4:06 PM, Kevin Ma J <kevin.j.ma@ericsson.com>
>> wrote:
>> > Hi Kathleen,
>> >
>> >   Thanks for the review.  Could you expand on your thoughts wrt
>> > billing/theft?  I think the idea for billing was that it would be based on
>> > the logging data, not metadata.  DoS against metadata could prevent the
>> > content delivery and therefore prevent content owners and CDNs from
>> > recognizing revenue, but I'm not sure if that's the theft angle to which
>> > you refer?
>>
>> I was wondering if there were attacks possible other than DoS.  I was
>> surprised I didn't see any related to theft of service if there was a
>> way to do that with metadata.  I didn't realize logging information
>> was used for billing and had assumed metadata would wind up being
>> logged and could cause an issue.  If that's not possible, that's fine
>> and that's why I just included this question as a comment.
>>
>> Thanks,
>> Kathleen
>>
>>
>> >
>> > thanx!
>> >
>> > --  Kevin J. Ma
>> >
>> >> -----Original Message-----
>> >> From: Kathleen Moriarty [mailto:Kathleen.Moriarty.ietf@gmail.com]
>> >> Sent: Tuesday, July 05, 2016 4:01 PM
>> >> To: The IESG
>> >> Cc: draft-ietf-cdni-metadata@ietf.org; cdni-chairs@ietf.org;
>> >> flefauch@cisco.com; cdni@ietf.org
>> >> Subject: Kathleen Moriarty's No Objection on draft-ietf-cdni-metadata-18: (with COMMENT)
>> >>
>> >> Kathleen Moriarty has entered the following ballot position for
>> >> draft-ietf-cdni-metadata-18: No Objection
>> >>
>> >> When responding, please keep the subject line intact and reply to all
>> >> email addresses included in the To and CC lines. (Feel free to cut this
>> >> introductory paragraph, however.)
>> >>
>> >>
>> >> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> >> for more information about IESG DISCUSS and COMMENT positions.
>> >>
>> >>
>> >> The document, along with other ballot positions, can be found here:
>> >> https://datatracker.ietf.org/doc/draft-ietf-cdni-metadata/
>> >>
>> >>
>> >>
>> >> ----------------------------------------------------------------------
>> >> COMMENT:
>> >> ----------------------------------------------------------------------
>> >>
>> >> I can see why unauthorized access to content isn't a concern since this
>> >> draft is just about the metadata, but wouldn't billing/theft be a
>> >> possible avenue of attack to be listed as a consideration through
>> >> alterations of the metadata?
>> >>
>> >
>>
>>
>>
>> --
>>
>> Best regards,
>> Kathleen



-- 

Best regards,
Kathleen