Last Call Review of draft-holmberg-dispatch-iotl-03
review-holmberg-dispatch-iotl-03-secdir-lc-hoffman-2015-01-15-00
Request | Review of | draft-holmberg-dispatch-iotl |
---|---|---|
Requested revision | No specific revision (document currently at 06) | |
Type | Last Call Review | |
Team | Security Area Directorate (secdir) | |
Deadline | 2015-01-08 | |
Requested | 2014-12-18 | |
Authors | Christer Holmberg , Jan Holm , Roland Jesske , Martin Dolly | |
I-D last updated | 2015-01-15 | |
Completed reviews |
Genart Last Call review of -03
by Robert Sparks
(diff)
Secdir Last Call review of -03 by Paul E. Hoffman (diff) Opsdir Last Call review of -02 by Nevil Brownlee (diff) |
|
Assignment | Reviewer | Paul E. Hoffman |
State | Completed | |
Request | Last Call review on draft-holmberg-dispatch-iotl by Security Area Directorate Assigned | |
Reviewed revision | 03 (document currently at 06) | |
Result | Ready | |
Completed | 2015-01-15 |
review-holmberg-dispatch-iotl-03-secdir-lc-hoffman-2015-01-15-00
Greetings again. draft-holmberg-dispatch-iotl describes a new SIP URI parameter that indicates "indicate that the entity associated with the address, or an entity responsible for the host part of the address, represents the end of a specific traffic leg (or multiple traffic legs)". The security considerations are short: The information SHOULD only be used for making policy decisions based on the role by nodes within the same trust domain [RFC3325]. In addition, there MUST exist an agreement between the operators for usage of the roaming role information. URIs passed are protected as well as anything in SIP: completely if you're actually using TLS, not at all if you're not. A MITM fiddling with this parameter on SIP-without-TLS can cause problems, but those problems are approximately the same as for all other parts of the unprotected URI. I'm not a fan of having every SIP document say "if you aren't using TLS like we said you should, you're in danger", so I think it is fine that this one doesn't say that. There are no other significant security considerations beyond the one above. --Paul Hoffman