[secdir] secdir review of draft-moriarty-post-inch-rid-transport-02

Barry Leiba <barryleiba.mailing.lists@gmail.com> Thu, 15 April 2010 14:09 UTC

From: Barry Leiba <barryleiba.mailing.lists@gmail.com>
To: draft-moriarty-post-inch-rid-transport.all@tools.ietf.org
Cc: iesg@ietf.org, secdir@ietf.org

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document is going for Informational status, not Standards Track,
and yet defines a protocol layered over HTTP, using normative
language.  I have some concern about that -- we know how much
attention is often NOT paid to the distinction between Informational
and Standards Track.  Further, HTTP seems particularly ill-suited to
transporting this protocol... this seems another in the long line of
"use HTTP for everything" cases, which BCP 56 has tried
(unsuccessfully) to stave off.  The "callbacks", in particular, are
worrisome -- the payload has to contain all the state information, the
system doing the callback has to have the correct addresses of the
system that originally contacted it, and the whole thing is vulnerable
to asymmetry problems (firewalls, NAT, multi-homing, and so on; see
http://tools.ietf.org/id/draft-iab-ip-model-evolution-01.txt and Dave
Thaler's technical plenary presentation from IETF 73,
http://www.ietf.org/proceedings/73/plenaryw.html ).

At least it's not doing it over port 80.  :-)

Barry Leiba