[secdir] Secdir last call review of draft-ietf-alto-cdni-request-routing-alto-17
Klaas Wierenga via Datatracker <noreply@ietf.org> Wed, 24 November 2021 09:23 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F5F23A0D1E; Wed, 24 Nov 2021 01:23:40 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Klaas Wierenga via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: alto@ietf.org, draft-ietf-alto-cdni-request-routing-alto.all@ietf.org, last-call@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.40.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <163774582007.27269.9699917272767893675@ietfa.amsl.com>
Reply-To: Klaas Wierenga <klaas@wierenga.net>
Date: Wed, 24 Nov 2021 01:23:40 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/iDPuS0ay4yIcu0oo1FLxgU_DvX4>
Subject: [secdir] Secdir last call review of draft-ietf-alto-cdni-request-routing-alto-17
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Nov 2021 09:23:48 -0000
Reviewer: Klaas Wierenga Review result: Has Issues Hi, I found 1 nit and one more substantial issue - the abstract says: OLD RFC 8008 defines precisely the semantics of FCI and provides guidelines on the FCI protocol, but the exact protocol is specified. I think it should read NEW RFC 8008 defines precisely the semantics of FCI and provides guidelines on the FCI protocol, but the exact protocol is not specified. - A bigger problem I have is with the Security Considerations You state "In the context of CDNI Advertisement, additional security considerations should be included as follows:", you then list a set of concerns, and then write: "Although protection strategies as described in Section 15 of [RFC7285] should be applied to address aforementioned security and privacy considerations, one additional information leakage risk introduced by this document could not be addressed by these strategies. " So are they ADDITIONAL or were they ALREADY ADRESSED in RFC7285? Do you want to call the ones you list out as specifically relevant for this use-case? Please be clear why you list them here. And if they are NOT sufficiently addressed yet, you need to address them here. For the additional risk of leaking info from one uCDN to another uCDN it is unclear to me whether the intended mitigation is meant as normative (SHOULD instead of should) and I am curious why you don't make it a MUST.
- [secdir] Secdir last call review of draft-ietf-al… Klaas Wierenga via Datatracker
- Re: [secdir] Secdir last call review of draft-iet… Qin Wu
- Re: [secdir] Secdir last call review of draft-iet… Klaas Wierenga
- Re: [secdir] [alto] Secdir last call review of dr… Jensen Zhang