Skip to main content

Last Call Review of draft-ietf-alto-cdni-request-routing-alto-17

Request Review of draft-ietf-alto-cdni-request-routing-alto
Requested revision No specific revision (document currently at 22)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2021-08-30
Requested 2021-08-16
Authors Jan Seedorf , Y. Richard Yang , Kevin J. Ma , Jon Peterson , Jingxuan Zhang
I-D last updated 2021-11-24
Completed reviews Artart Last Call review of -16 by Thomas Fossati (diff)
Genart Last Call review of -16 by Russ Housley (diff)
Secdir Last Call review of -17 by Klaas Wierenga (diff)
Intdir Telechat review of -17 by Donald E. Eastlake 3rd (diff)
Assignment Reviewer Klaas Wierenga
State Completed
Request Last Call review on draft-ietf-alto-cdni-request-routing-alto by Security Area Directorate Assigned
Posted at
Reviewed revision 17 (document currently at 22)
Result Has issues
Completed 2021-11-24

I found 1 nit and one more substantial issue

- the abstract says:

RFC 8008 defines precisely the semantics of FCI and provides guidelines on the
FCI protocol, but the exact protocol is specified.

I think it should read

RFC 8008 defines precisely the semantics of FCI and provides guidelines on the
FCI protocol, but the exact protocol is not specified.

- A bigger problem I have is with the Security Considerations

You state "In the context of CDNI Advertisement, additional security
   considerations should be included as follows:", you then list a set of
   concerns, and then write: "Although protection strategies as described in
   Section 15 of [RFC7285] should be applied to address aforementioned security
   and privacy considerations, one additional information leakage risk
   introduced by this document could not be addressed by these strategies. "

So are they ADDITIONAL or were they ALREADY ADRESSED in RFC7285? Do you want to
call the ones you list out as specifically relevant for this use-case? Please
be clear why you list them here. And if they are NOT sufficiently addressed
yet, you need to address them here.

For the additional risk of leaking info from one uCDN to another uCDN it is
unclear to me whether the intended mitigation is meant as normative (SHOULD
instead of should) and I am curious why you don't make it a MUST.