[secdir] SecDir review of draft-ietf-avt-rtcp-port-for-ssm-03

Donald Eastlake <d3e3e3@gmail.com> Wed, 15 December 2010 03:45 UTC

From: Donald Eastlake <d3e3e3@gmail.com>
Date: Tue, 14 Dec 2010 22:46:44 -0500
Message-ID: <AANLkTikaFHSYb6cBnqtCm8JYYt=YVbXiqxs083XmkU_o@mail.gmail.com>
To: secdir@ietf.org, iesg@ietf.org, abegen@cisco.com, Keith Drage <keith.drage@alcatel-lucent.com>, Roni Even <even.roni@huawei.com>

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  Document editors and WG chairs should treat these comments just
like any other last call comments.

This draft specifies the addition of a new SDP attribute. This
attribute does not appear to present any new type of security
vulnerability.

I believe the Security Considerations section needs a small addition
to avoid being too vague. It currently just says "Therefore, as usual
adequate security measures are RECOMMENDED ..." without giving any
hint as to what those measures are or where to find any. Admittedly,
this draft is an update to RFC 5760 and a reasonable non-exclusive
list of such measures occurs in that RFC. Nevertheless, I would be
much more comfortable if the Security Considerations section wording
was augmented so it said "Therefore, adequate security measures, such
as those listed in the Security Considerations section of [RFC5760],
are RECOMMENDED...".

Trivia:

The following sentence:
   "The formal description of the 'multicast-rtcp' attribute is defined
   by the following ABNF [RFC5234] syntax:"
somehow reads as sort of redundantly redundant. Maybe: "The following
ABNF [RFC5234] syntax formally describes the 'multicast-rtcp'
attribute:"

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 d3e3e3@gmail.com