Re: [secdir] sec-dir review of draft-ietf-bliss-call-completion-18

Robert Sparks <rjsparks@nostrum.com> Wed, 19 December 2012 16:33 UTC

Return-Path: <rjsparks@nostrum.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C00CA21F858C; Wed, 19 Dec 2012 08:33:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.587
X-Spam-Level:
X-Spam-Status: No, score=-102.587 tagged_above=-999 required=5 tests=[AWL=0.013, BAYES_00=-2.599, SPF_PASS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xCBYYXIiwcn1; Wed, 19 Dec 2012 08:33:55 -0800 (PST)
Received: from shaman.nostrum.com (nostrum-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:267::2]) by ietfa.amsl.com (Postfix) with ESMTP id 9BDBB21F8436; Wed, 19 Dec 2012 08:33:55 -0800 (PST)
Received: from unnumerable.local (pool-173-71-45-100.dllstx.fios.verizon.net [173.71.45.100]) (authenticated bits=0) by shaman.nostrum.com (8.14.3/8.14.3) with ESMTP id qBJGUH1b070265 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Wed, 19 Dec 2012 10:30:18 -0600 (CST) (envelope-from rjsparks@nostrum.com)
Message-ID: <50D1EB99.1020801@nostrum.com>
Date: Wed, 19 Dec 2012 10:30:17 -0600
From: Robert Sparks <rjsparks@nostrum.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:16.0) Gecko/20121026 Thunderbird/16.0.2
MIME-Version: 1.0
To: Martin.Huelsemann@telekom.de
References: <sjmvcc0r7w1.fsf@mocana.ihtfp.org> <9762ACF04FA26B4388476841256BDE02011696144E34@HE111543.emea1.cds.t-internal.com>
In-Reply-To: <9762ACF04FA26B4388476841256BDE02011696144E34@HE111543.emea1.cds.t-internal.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Received-SPF: pass (nostrum.com: 173.71.45.100 is authenticated by a trusted mechanism)
Cc: secdir@ietf.org, R.Jesske@telekom.de, worley@ariadne.com, iesg@ietf.org, bliss-chairs@tools.ietf.org, alexeitsev@teleflash.com
Subject: Re: [secdir] sec-dir review of draft-ietf-bliss-call-completion-18
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Dec 2012 16:34:02 -0000

On 12/19/12 3:43 AM, Martin.Huelsemann@telekom.de wrote:
> Hi Derek,
>
> thanks for the review.
>
> 'SPIT' is an acronym for 'Spam over Internet Telephony', which Wikipedia defines as 'bulk unsolicited, automatically dialled, pre-recorded phone calls using the Voice over Internet Protocol (VoIP)'. (http://en.wikipedia.org/wiki/VoIP_spam)
>
> We will add a proper definition for SPIT.
Defining the term in place is sufficient. If you decide you need a 
reference, consider RFC5039
("The Session Initiation Protocol (SIP) and Spam").

RjS
>
>
> For the DoD attack: 'DoD' actually does mean 'Department of Defence', the authors of the draft have received information that the Department of Defence plans to attack something, but because of secrecy reasons we cannot give more information at this time.
>
> ;-)
>
> Joking apart, yes, this is a typo of 'DoS' (Denial of Service), a proper definition will be added.
>
>
> Thanks for your support.
>
>
> Regards, Martin
>
>
>
>
>
>> -----Ursprüngliche Nachricht-----
>> Von: Derek Atkins [mailto:derek@ihtfp.com]
>> Gesendet: Montag, 17. Dezember 2012 16:55
>> An: iesg@ietf.org; secdir@ietf.org
>> Cc: bliss-chairs@tools.ietf.org; worley@ariadne.com;
>> Hülsemann, Martin; Jesske, Roland; alexeitsev@teleflash.com
>> Betreff: sec-dir review of draft-ietf-bliss-call-completion-18
>>
>> Hi,
>>
>> I have reviewed this document as part of the security
>> directorate's ongoing effort to review all IETF documents
>> being processed by the IESG.  These comments were written
>> primarily for the benefit of the security area directors.
>> Document editors and WG chairs should treat these comments
>> just like any other last call comments.
>>
>>     The call completion feature defined in this specification
>> allows the
>>     caller of a failed call to be notified when the callee becomes
>>     available to receive a call.
>>
>> The Security Considerations section mentions 'SPIT' but
>> nowhere does the document define the term.  What does it mean?
>>
>> The SC section also mentions a "DoD" attack -- is the US
>> Department of Defence actually going to attack something?  Or
>> does DoD mean something else?  It's never defined.  Was this
>> perhaps a typo of "DoS", Denial of Service?  If so, I
>> recommend you fix the typo but also expand the acronym for
>> those not necessarily familiar with the term "DoS".
>>
>> -derek
>>
>> --
>>         Derek Atkins                 617-623-3745
>>         derek@ihtfp.com             www.ihtfp.com
>>         Computer and Internet Security Consultant
>>