Re: [secdir] sec-dir review of draft-ietf-bliss-call-completion-18

Derek Atkins <derek@ihtfp.com> Wed, 19 December 2012 17:25 UTC

From: Derek Atkins <derek@ihtfp.com>
To: Martin.Huelsemann@telekom.de
References: <sjmvcc0r7w1.fsf@mocana.ihtfp.org> <9762ACF04FA26B4388476841256BDE02011696144E34@HE111543.emea1.cds.t-internal.com>
Date: Wed, 19 Dec 2012 12:25:32 -0500
In-Reply-To: <9762ACF04FA26B4388476841256BDE02011696144E34@HE111543.emea1.cds.t-internal.com> (Martin Huelsemann's message of "Wed, 19 Dec 2012 10:43:33 +0100")
Message-ID: <sjmfw32osxf.fsf@mocana.ihtfp.org>
Cc: secdir@ietf.org, R.Jesske@telekom.de, worley@ariadne.com, iesg@ietf.org, bliss-chairs@tools.ietf.org, alexeitsev@teleflash.com
Subject: Re: [secdir] sec-dir review of draft-ietf-bliss-call-completion-18

<Martin.Huelsemann@telekom.de> writes:

> Hi Derek,
>
> thanks for the review.
>
> 'SPIT' is an acronym for 'Spam over Internet Telephony', which Wikipedia defines as 'bulk unsolicited, automatically dialled, pre-recorded phone calls using the Voice over Internet Protocol (VoIP)'. (http://en.wikipedia.org/wiki/VoIP_spam)
>
> We will add a proper definition for SPIT.

I don't think you necessarily need a proper definition.  Just expanding
the acronym in-place would be sufficient.  E.g., "Spam over Internet
Telephony (SPIT)"

> For the DoD attack: 'DoD' actually does mean 'Department of Defence', the authors of the draft have received information that the Department of Defence plans to attack something, but because of secrecy reasons we cannot give more information at this time.
>
> ;-)

:-)

> Joking apart, yes, this is a typo of 'DoS' (Denial of Service), a proper definition will be added.

Again, no need to add a definition, just expand in-place:  "Denial of
Service (DoS)"

> Thanks for your support.
>
>
> Regards, Martin

Thanks!


-derek

>
>> -----Original Message-----
>> From: Derek Atkins [mailto:derek@ihtfp.com]
>> Sent: Monday, 17 December 2012 16:55
>> To: iesg@ietf.org; secdir@ietf.org
>> Cc: bliss-chairs@tools.ietf.org; worley@ariadne.com;
>> Hülsemann, Martin; Jesske, Roland; alexeitsev@teleflash.com
>> Subject: sec-dir review of draft-ietf-bliss-call-completion-18
>>
>> Hi,
>>
>> I have reviewed this document as part of the security
>> directorate's ongoing effort to review all IETF documents
>> being processed by the IESG.  These comments were written
>> primarily for the benefit of the security area directors.
>> Document editors and WG chairs should treat these comments
>> just like any other last call comments.
>>
>>    The call completion feature defined in this specification allows the
>>    caller of a failed call to be notified when the callee becomes
>>    available to receive a call.
>>
>> The Security Considerations section mentions 'SPIT' but
>> nowhere does the document define the term.  What does it mean?
>>
>> The SC section also mentions a "DoD" attack -- is the US
>> Department of Defence actually going to attack something?  Or
>> does DoD mean something else?  It's never defined.  Was this
>> perhaps a typo of "DoS", Denial of Service?  If so, I
>> recommend you fix the typo but also expand the acronym for
>> those not necessarily familiar with the term "DoS".
>>
>> -derek
>>
>> --
>>        Derek Atkins                 617-623-3745
>>        derek@ihtfp.com             www.ihtfp.com
>>        Computer and Internet Security Consultant
>>
>
>

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant