[secdir] Review of draft-ietf-aqm-recommendation-08

Shawn M Emery <shawn.emery@oracle.com> Mon, 05 January 2015 04:48 UTC

Message-ID: <54AA17B0.40500@oracle.com>
Date: Sun, 04 Jan 2015 21:48:48 -0700
From: Shawn M Emery <shawn.emery@oracle.com>
To: secdir@ietf.org, draft-ietf-aqm-recommendation.all@tools.ietf.org
References: <544F3820.6040505@oracle.com>
In-Reply-To: <544F3820.6040505@oracle.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/GHk8PwCqNgHZME2vXtoYajxrnm8

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This proposed BCP draft provides guidance on various ways to improve network performance
over the Internet through Active Queue Management (AQM).  The draft describes various
techniques to avoid network failure due to congestion, congestion itself, and network

The security considerations section does exist and discloses that the draft does not impose
any new security considerations beyond what is currently vulnerable to DoS attacks; in fact,
AQM may help in mitigating some of these attacks.  However, the draft explains
that not all DoS attacks can be avoided and suggests that further investigation is required
to find out how to help prevent said attacks.  I believe that these assertions are correct.

General comments:

A well written and thorough document.  Thank you.

Editorial comments:

s/> class of/class of/
s/connection preventing/connections, preventing/
s/devices deploy/devices that deploy/