Last Call Review of draft-ietf-alto-multi-cost-07
review-ietf-alto-multi-cost-07-secdir-lc-nystrom-2017-03-30-00

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes extensions to the ALTO (Application Layer
Traffic Optimization) protocol that allows for more efficient
information exchanges between an ALTO client and an ALTO server.
Specifically, it allows a client to query for multiple metrics in one
request.

The security considerations section correctly refers to the basic ALTO
protocol I only have one additional consideration (and I don't even
know if it applies ...): With the existing ALTO protocol, a server
could defend against dDOS by not throttling requests. However, each
accepted request is simple in that it only deals with one metric. With
this document, a malicious client could send a highly complicated
query to the server, which may cause significant resources to be used
on the server end and without an ability to throttle. Is that a risk?

Other than that, the document may benefit from a language/grammar
review. Example:
"Hence a legacy may send a request with a constraint test on any of
the cost types listed in "cost-type-name" - should likely be "legacy
client". There are more such examples.

Thanks,
-- Magnus