[secdir] secdir review of draft-moriarty-post-inch-rid-transport-02
Barry Leiba <barryleiba.mailing.lists@gmail.com> Thu, 15 April 2010 14:09 UTC
Return-Path: <barryleiba.mailing.lists@gmail.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 76D3C3A6A37; Thu, 15 Apr 2010 07:09:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.11
X-Spam-Level:
X-Spam-Status: No, score=-1.11 tagged_above=-999 required=5 tests=[BAYES_05=-1.11]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wt8OrmjKXTMl; Thu, 15 Apr 2010 07:09:46 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by core3.amsl.com (Postfix) with ESMTP id 98E7028B797; Thu, 15 Apr 2010 07:09:43 -0700 (PDT)
Received: by wyb35 with SMTP id 35so664226wyb.31 for <multiple recipients>; Thu, 15 Apr 2010 07:09:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:reply-to:date:received :message-id:subject:from:to:cc:content-type; bh=dYZcE5cf4FvqpUbge5U6zB8GFYbTwhOn3SOnJTpEo6o=; b=jurcMKxsnrZy3qiMMt0DsCvG4NBbQqQxVddElvieocJS8NqjG8U4eGS3equhlWocXi jqBDk2/X1SQ9wYZpiespDyZ94imAIo8Ct+llROYQR13od8af4kTimCpf4IZ1+5K3aKtY 91kW22vIkyRguKA2oQAge2Oqpog/XAU88BdLU=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:reply-to:date:message-id:subject:from:to:cc :content-type; b=bSIVE4rN2VELCA7K/jiioVSbonUNjEokPKIKZYahrP4w1irfToLNTC74+stqLxs/Uc 2aqeFrNPf3XxDKzdrsEkNACL+TrzUWvWq+p53SwUYsdc8Yu1FbS8LPi4Tzs/g0uHgMgu SoUW0cEvgjS3h+/mNJUB+jPLsGuryFmaHydC8=
MIME-Version: 1.0
Received: by 10.216.87.148 with HTTP; Thu, 15 Apr 2010 07:09:33 -0700 (PDT)
Date: Thu, 15 Apr 2010 10:09:33 -0400
Received: by 10.216.88.15 with SMTP id z15mr137978wee.92.1271340573938; Thu, 15 Apr 2010 07:09:33 -0700 (PDT)
Message-ID: <h2w6c9fcc2a1004150709v52a0e4f3mf8653b22d448bc6e@mail.gmail.com>
From: Barry Leiba <barryleiba.mailing.lists@gmail.com>
To: draft-moriarty-post-inch-rid-transport.all@tools.ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Cc: iesg@ietf.org, secdir@ietf.org
Subject: [secdir] secdir review of draft-moriarty-post-inch-rid-transport-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: barryleiba@computer.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Apr 2010 14:09:47 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document is going for Informational status, not Standards Track, and yet defines a protocol layered over HTTP, using normative language. I have some concern about that -- we know how much attention is often NOT paid to the distinction between Informational and Standards Track. Further, HTTP seems particularly ill-suited to transporting this protocol... this seems another in the long line of "use HTTP for everything" cases, which BCP 56 has tried (unsuccessfully) to stave off. The "callbacks", in particular, are worrisome -- the payload has to contain all the state information, the system doing the callback has to have the correct addresses of the system that originally contacted it, and the whole thing is vulnerable to asymmetry problems (firewalls, NAT, multi-homing, and so on; see http://tools.ietf.org/id/draft-iab-ip-model-evolution-01.txt and Dave Thaler's technical plenary presentation from IETF 73, http://www.ietf.org/proceedings/73/plenaryw.html ). At least it's not doing it over port 80. :-) -- Barry Leiba
- [secdir] secdir review of draft-moriarty-post-inc… Barry Leiba
- [secdir] Fwd: secdir review of draft-moriarty-pos… Brian Trammell