[secdir] Review of draft-ietf-conex-concepts-uses-04

Shawn Emery <shawn.emery@oracle.com> Thu, 12 April 2012 07:45 UTC

Message-ID: <4F8687DA.6020402@oracle.com>
Date: Thu, 12 Apr 2012 01:44:26 -0600
From: Shawn Emery <shawn.emery@oracle.com>
User-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:10.0.2) Gecko/20120223 Thunderbird/10.0.2
MIME-Version: 1.0
To: secdir@ietf.org
References: <4F5321A2.1070504@oracle.com>
In-Reply-To: <4F5321A2.1070504@oracle.com>
X-Forwarded-Message-Id: <4F5321A2.1070504@oracle.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-conex-concepts-uses.all@tools.ietf.org, iesg@ietf.org
Subject: [secdir] Review of draft-ietf-conex-concepts-uses-04

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This informational draft describes use cases for the Congestion Exposure (ConEx) protocol
to facilitate efficient traffic management.  It also describes the reasoning for using ConEx
markings at the IP layer.

The security consideration section does exist and defers to the ietf-conex-abstract-mech
draft.  The security consideration section of the ietf-conex-abstract-mech draft defers to
section 4.4, which is on auditing.  This really should be in its own security consideration
section and should extract specific security threats and how they are mitigated.

General comments:

Not being a ConEx expert, I didn't know what "ConEx markings" really meant when initially
reading the abstract.

Editorial comments: