[Last-Call] Secdir last call review of draft-ietf-quic-version-negotiation-10

Joey Salazar via Datatracker <noreply@ietf.org> Wed, 05 October 2022 17:26 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: last-call@ietf.org
Delivered-To: last-call@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A76C8C14CE35; Wed, 5 Oct 2022 10:26:52 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Joey Salazar via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: draft-ietf-quic-version-negotiation.all@ietf.org, last-call@ietf.org, quic@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 8.17.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <166499081267.34369.266654217493565817@ietfa.amsl.com>
Reply-To: Joey Salazar <joeygsal@gmail.com>
Date: Wed, 05 Oct 2022 10:26:52 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/7PZ0fQDYwpxnUVD3UmcZwUKELNw>
Subject: [Last-Call] Secdir last call review of draft-ietf-quic-version-negotiation-10
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Oct 2022 17:26:52 -0000

Reviewer: Joey Salazar
Review result: Has Nits

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Document: draft-ietf-quic-version-negotiation-10
Reviewer: Joey Salazar
The summary of the review is: Ready with nits

Major Concerns: None

Minor Concerns: None

Nits:

Section 2.1: "it SHALL select a mutually supported version and sends[…]"
s/sends/send/

Section 2.4: This section states "the connection attempt prior to receiving the
Version Negotiation packet is distinct from the connection with the
incompatible version that follows". According to text in Section 2.1 "it SHALL
select a mutually supported version and sends a new first flight with that
version - this version is now the negotiated version", Section 2.4 could say
"from the connection with the negotiated version that follows" instead.

Section 7: s/Since at the time of writing QUIC version 1/Since, at the time of
writing, QUIC version 1/

Section 8: For clarity of reading, this section could be placed after Section
4. Version Downgrade Prevention

Section 9: The security of the mechanism relying on the security of the weakest
common version seems clear, yet a bit more description on "but more analysis is
still needed here" would be good, perhaps pointing to what other
vulnerabilities could be expected/analyzed, or whether cross-protocol attacks
could still take place.