[secdir] Secdir review of draft-ietf-tram-stun-origin-05

Tero Kivinen <kivinen@iki.fi> Thu, 12 March 2015 09:10 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68BA91A1A22; Thu, 12 Mar 2015 02:10:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.131
X-Spam-Level:
X-Spam-Status: No, score=-1.131 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iLnZgAgmrL7Z; Thu, 12 Mar 2015 02:10:06 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12F451A8A04; Thu, 12 Mar 2015 02:10:05 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id t2C9A0q1011717 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 12 Mar 2015 11:10:00 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id t2C9A0J6029596; Thu, 12 Mar 2015 11:10:00 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21761.22504.139284.373056@fireball.kivinen.iki.fi>
Date: Thu, 12 Mar 2015 11:10:00 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-tram-stun-origin.all@tools.ietf.org
X-Edit-Time: 4 min
X-Total-Time: 4 min
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/aAiU96U5MOoITzWr4hZ9ilsQLa8>
Subject: [secdir] Secdir review of draft-ietf-tram-stun-origin-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2015 09:10:08 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This documents adds Origin attribute to the STUN that can be used in
similar ways as the HTTP header field of the same name. The specified
use cases include logging, analytincs and to provide additional
information to the server in addition to the authentication
mechanisms used.

The draft notices that it can be set by attacker to any way, and can
be modified in transit, and that it can also have privacy
implications, so it should be protected using TLS or DTLS when needed.

I think this draft is Ready.
-- 
kivinen@iki.fi