[secdir] Secdir last call review of draft-ietf-alto-xdom-disc-04

Liang Xia <frank.xialiang@huawei.com> Thu, 29 November 2018 03:07 UTC

Return-Path: <frank.xialiang@huawei.com>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CC23130DF5; Wed, 28 Nov 2018 19:07:02 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Liang Xia <frank.xialiang@huawei.com>
To: <secdir@ietf.org>
Cc: draft-ietf-alto-xdom-disc.all@ietf.org, ietf@ietf.org, alto@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.89.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <154346082207.13636.11710948370196493817@ietfa.amsl.com>
Date: Wed, 28 Nov 2018 19:07:02 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/MJ3ZRKmelJH1J7VY1Ne3JW3V2x4>
Subject: [secdir] Secdir last call review of draft-ietf-alto-xdom-disc-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Nov 2018 03:07:02 -0000

Reviewer: Liang Xia
Review result: Ready

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
 Document editors and WG chairs should treat these comments just like any other
last call comments.

This document details applicable scenarios, itemizes requirements, and
specifies a procedure for ALTO cross-domain server discovery. Technically, the
procedure specified in this document takes one IP address or prefix and a
U-NAPTR Service Parameter (typically, "ALTO:https") as parameters. It performs
DNS lookups (for NAPTR resource records in the in-addr.arpa. or ip6.arpa. tree)
and returns one or more URI(s) of information resources related to that IP
address or prefix.

In general, this draft is in good shape, including the security considerations

I just have some general comments or confusions for discussion as below:
1. I don't see the content about the authorization policy for alto server
information distribution, is it necessary? 2. If the replied alto server
information message is much larger than the request message, the attack can
trigger the reflection DDoS attack using it. Does it need to be considered?