Re: [secdir] sec-dir review of draft-ietf-bliss-call-completion-18

<Martin.Huelsemann@telekom.de> Wed, 19 December 2012 09:44 UTC

Return-Path: <Martin.Huelsemann@telekom.de>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14A6321F893E; Wed, 19 Dec 2012 01:44:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.249
X-Spam-Level:
X-Spam-Status: No, score=-3.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NSggN7yyDrIa; Wed, 19 Dec 2012 01:44:34 -0800 (PST)
Received: from tcmail43.telekom.de (tcmail43.telekom.de [80.149.113.173]) by ietfa.amsl.com (Postfix) with ESMTP id A724021F8939; Wed, 19 Dec 2012 01:44:33 -0800 (PST)
Received: from he101250.emea1.cds.t-internal.com ([10.125.92.153]) by tcmail41.telekom.de with ESMTP/TLS/AES128-SHA; 19 Dec 2012 10:43:35 +0100
Received: from HE111543.emea1.cds.t-internal.com ([10.125.90.96]) by HE101250.emea1.cds.t-internal.com ([fe80::e439:4046:12e2:e37%14]) with mapi; Wed, 19 Dec 2012 10:43:34 +0100
From: Martin.Huelsemann@telekom.de
To: derek@ihtfp.com, iesg@ietf.org, secdir@ietf.org
Date: Wed, 19 Dec 2012 10:43:33 +0100
Thread-Topic: sec-dir review of draft-ietf-bliss-call-completion-18
Thread-Index: Ac3cbuD0owUaajulTFqTTNJce6lX1ABW2MnA
Message-ID: <9762ACF04FA26B4388476841256BDE02011696144E34@HE111543.emea1.cds.t-internal.com>
References: <sjmvcc0r7w1.fsf@mocana.ihtfp.org>
In-Reply-To: <sjmvcc0r7w1.fsf@mocana.ihtfp.org>
Accept-Language: de-DE
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: de-DE
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Wed, 19 Dec 2012 08:00:58 -0800
Cc: worley@ariadne.com, R.Jesske@telekom.de, bliss-chairs@tools.ietf.org, alexeitsev@teleflash.com
Subject: Re: [secdir] sec-dir review of draft-ietf-bliss-call-completion-18
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Dec 2012 09:44:35 -0000

Hi Derek,

thanks for the review.

'SPIT' is an acronym for 'Spam over Internet Telephony', which Wikipedia defines as 'bulk unsolicited, automatically dialled, pre-recorded phone calls using the Voice over Internet Protocol (VoIP)'. (http://en.wikipedia.org/wiki/VoIP_spam)

We will add a proper definition for SPIT.


For the DoD attack: 'DoD' actually does mean 'Department of Defence', the authors of the draft have received information that the Department of Defence plans to attack something, but because of secrecy reasons we cannot give more information at this time.

;-)

Joking apart, yes, this is a typo of 'DoS' (Denial of Service), a proper definition will be added.


Thanks for your support.


Regards, Martin





> -----Ursprüngliche Nachricht-----
> Von: Derek Atkins [mailto:derek@ihtfp.com]
> Gesendet: Montag, 17. Dezember 2012 16:55
> An: iesg@ietf.org; secdir@ietf.org
> Cc: bliss-chairs@tools.ietf.org; worley@ariadne.com;
> Hülsemann, Martin; Jesske, Roland; alexeitsev@teleflash.com
> Betreff: sec-dir review of draft-ietf-bliss-call-completion-18
>
> Hi,
>
> I have reviewed this document as part of the security
> directorate's ongoing effort to review all IETF documents
> being processed by the IESG.  These comments were written
> primarily for the benefit of the security area directors.
> Document editors and WG chairs should treat these comments
> just like any other last call comments.
>
>    The call completion feature defined in this specification
> allows the
>    caller of a failed call to be notified when the callee becomes
>    available to receive a call.
>
> The Security Considerations section mentions 'SPIT' but
> nowhere does the document define the term.  What does it mean?
>
> The SC section also mentions a "DoD" attack -- is the US
> Department of Defence actually going to attack something?  Or
> does DoD mean something else?  It's never defined.  Was this
> perhaps a typo of "DoS", Denial of Service?  If so, I
> recommend you fix the typo but also expand the acronym for
> those not necessarily familiar with the term "DoS".
>
> -derek
>
> --
>        Derek Atkins                 617-623-3745
>        derek@ihtfp.com             www.ihtfp.com
>        Computer and Internet Security Consultant
>