Last Call Review of draft-ietf-alto-multi-cost-07
review-ietf-alto-multi-cost-07-secdir-lc-nystrom-2017-03-30-00

Request Review of draft-ietf-alto-multi-cost
Requested rev. no specific revision (document currently at 10)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2017-03-27
Requested 2017-03-13
Authors Sabine Randriamasy, Wendy Roome, Nico Schwan
Draft last updated 2017-03-30
Completed reviews Secdir Last Call review of -07 by Magnus Nystrom (diff)
Genart Last Call review of -08 by Wassim Haddad (diff)
Artart Telechat review of -08 by Martin Thomson (diff)
Assignment Reviewer Magnus Nystrom
State Completed
Review review-ietf-alto-multi-cost-07-secdir-lc-nystrom-2017-03-30
Reviewed rev. 07 (document currently at 10)
Review result Has Nits
Review completed: 2017-03-30

Review
review-ietf-alto-multi-cost-07-secdir-lc-nystrom-2017-03-30

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes extensions to the ALTO (Application Layer
Traffic Optimization) protocol that allows for more efficient
information exchanges between an ALTO client and an ALTO server.
Specifically, it allows a client to query for multiple metrics in one
request.

The security considerations section correctly refers to the basic ALTO
protocol I only have one additional consideration (and I don't even
know if it applies ...): With the existing ALTO protocol, a server
could defend against dDOS by not throttling requests. However, each
accepted request is simple in that it only deals with one metric. With
this document, a malicious client could send a highly complicated
query to the server, which may cause significant resources to be used
on the server end and without an ability to throttle. Is that a risk?

Other than that, the document may benefit from a language/grammar
review. Example:
"Hence a legacy may send a request with a constraint test on any of
the cost types listed in "cost-type-name" - should likely be "legacy
client". There are more such examples.

Thanks,
-- Magnus