Re: [secdir] Secdir review of draft-ietf-aqm-eval-guidelines-11

Kuhn Nicolas <> Tue, 17 May 2016 10:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8F89E12D787; Tue, 17 May 2016 03:53:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.327
X-Spam-Status: No, score=-3.327 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 7MAie3VhAsz9; Tue, 17 May 2016 03:53:32 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id B896212D761; Tue, 17 May 2016 03:53:28 -0700 (PDT)
X-IronPort-AV: E=Sophos; i="5.26,324,1459814400"; d="pdf'?scan'208"; a="3402563"
From: Kuhn Nicolas <>
To: Tero Kivinen <>, "" <>, "" <>, "" <>
Thread-Topic: Secdir review of draft-ietf-aqm-eval-guidelines-11
Thread-Index: AQHRoIyZ3aFSg9THzUGEGUMXQuD6up+860sggAAoC5A=
Date: Tue, 17 May 2016 10:53:25 +0000
Message-ID: <>
References: <>
Accept-Language: en-US
Content-Language: fr-FR
X-MS-Has-Attach: yes
x-tm-as-product-ver: SMEX-
x-tm-as-result: No--42.441600-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/mixed; boundary="_002_F3B0A07CFD358240926B78A680E166FF8DAF35TWMBXP03cnesnetad_"
MIME-Version: 1.0
Archived-At: <>
Cc: "Mirja Kuehlewind (IETF)" <>
Subject: Re: [secdir] Secdir review of draft-ietf-aqm-eval-guidelines-11
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 17 May 2016 10:53:42 -0000

Hi again, 

FYI, attached to this email is what could be a new ID for the document. 

Kind regards,


-----Message d'origine-----
De : Kuhn Nicolas 
Envoyé : mardi 17 mai 2016 10:31
À : 'Tero Kivinen';;;
Cc : 'Mirja Kuehlewind (IETF)'
Objet : RE: Secdir review of draft-ietf-aqm-eval-guidelines-11

Dear Tero, 

Thanks a lot for your review. If you believe that your proposed changes on the references format should deserve changes in the document and a new ID, please let us know, we would try to integrate them ASAP. 

Kind regards,

The authors.

-----Message d'origine-----
De : Tero Kivinen [] Envoyé : mercredi 27 avril 2016 15:07 À :;;
Objet : Secdir review of draft-ietf-aqm-eval-guidelines-11

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

Summary: ready with nits.

This document describes various criteria for doing characterizations of active queue management schemes. As this is not really a protocol document there is not that much of security issues that could raise from here. The security considerations section says

   Some security considerations for AQM are identified in [RFC7567].This
   document, by itself, presents no new privacy nor security issues.

and I agree with that.

As for nits, the document uses very heavily references in a format where it makes document very hard to read. The references are used in such way, that if they are removed or hidden, the whole document comes completely unreadable. I think the references should only provide extra information, and the document should be readable even if you remove everything between [], but in this case the text comes like

   An AQM scheme SHOULD adhere to the recommendations outlined in
   [], and SHOULD NOT provide undue advantage to flows with
   smaller packets [].

Also references style (i.e. whether it is [RFCxxxx] or [1]) should not affect the document readability, but in this case it makes things very hard to read when text is like:

   [1] separately describes the AQM algorithm implemented in a
   router from the scheduling of packets sent by the router.

When you are reading the document and you do not remember what [1] (or
[RFC7567]) actually is it forces you to go and check the reference section to see what this document is.

It would be better if the text would be expanded so that the actual text is readable even if you remove all references, i.e. the first example would come:

   An AQM scheme SHOULD adhere to the recommendations outlined in Byte
   and Packet Congestion Notification document [RFC7141], and SHOULD
   NOT provide undue advantage to flows with smaller packets.

(I have no idea why the second reference was there at all, it might be useful if it provided section talking about that, but as the whole document is "IETF Recommendations Regarding Active Queue Management", I do not think it relates only to the smaller packets.