[secdir] secdir review of draft-ietf-sipcore-status-unwanted
Adam Montville <adam.w.montville@gmail.com> Fri, 10 March 2017 21:21 UTC
To: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-sipcore-status-unwanted.all@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/BpdUNAClAMhuciGN6oahaHXQNis>
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This draft is ready with (possible) issues.

This draft defines a new SIP response code, 666 "Unwanted", which allows called parties to indicate when a call is unwanted. The intent of the Unwanted response code is to provide feedback to global or user-specific filtering algorithms (implemented by carriers) from the context of a SIP-initiated call.

From a security perspective, there's nothing wrong with the draft, and the Security Considerations section addresses what one might expect (denial of service, relying on the code only when authenticated caller identities are in play, etc.) It seems that the biggest risk is false blocks, callers having their feelings hurt, or folks not getting the calls they may expect -- but implementers are made aware of these.

A potential issue can be seen by taking these two sentences together: "Implementations will have to make appropriate trade-offs between falsely labeling a caller as unwanted and delivering unwanted calls", "The service provider...MAY report the calling party identity to government authorities". This gives rise to the possibility that a mislabeled caller could be reported to authorities, when there is no real reason for such.

Either way, I found the document to be clear and well-written. And while I list the draft as "ready with issues" here, it may be the case that there are no issues from the perspective of the ADs for whom I have performed this review.

Kind regards,
Adam