[secdir] Secdir last call review of draft-ietf-rmcat-video-traffic-model-06

Yoav Nir <ynir.ietf@gmail.com> Thu, 24 January 2019 19:23 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id DF12613120F; Thu, 24 Jan 2019 11:23:41 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Yoav Nir <ynir.ietf@gmail.com>
To: secdir@ietf.org
Cc: rmcat@ietf.org, draft-ietf-rmcat-video-traffic-model.all@ietf.org, ietf@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.90.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <154835782178.29376.11315332570255821000@ietfa.amsl.com>
Date: Thu, 24 Jan 2019 11:23:41 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/xiNHnafMVYRdME3P_h3ro9YhNyw>
Subject: [secdir] Secdir last call review of draft-ietf-rmcat-video-traffic-model-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jan 2019 19:23:42 -0000

Reviewer: Yoav Nir
Review result: Has Nits

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  Document
editors and WG chairs should treat these comments just like any other last call

To quote from the abstract, the document "describes two reference video traffic
models for evaluating RTP congestion control algorithms". Indeed it does not
describe any protocol or algorithm that is going to get deployed on the
Internet, but rather a model for evaluating congestion control algorithm before
they are standardized or deployed. As such, I would not expect it to have much
to say on security, either good or bad.

It is conceivable that a congestion control algorithm would be exploitable by
an attacker. For example, some pattern of traffic might trigger such an
algorithm to block or slow down traffic for a victim. It may be a good idea to
evaluate whether such algorithms are conducive to such attacks. But speculation
such as this are not related to the draft. This draft is about evaluating
congestion control algorithms for their effect on video quality and frame rates.

So what is my nit with this?  Why does the Security Considerations section
contains what it does?

   It is important to evaluate RTP-based congestion control schemes
   using realistic traffic patterns, so as to ensure stable operations
   of the network.  Therefore, it is RECOMMENDED that candidate RTP-
   based congestion control algorithms be tested using the video traffic
   models presented in this draft before wide deployment over the

This is interesting, but I don't think it has much to do with security. IMO it
would be enough to say that this document introduces models for evaluation and
doesn't have any security implications.  The existing text should go somewhere