Last Call Review of draft-ietf-alto-xdom-disc-04
review-ietf-alto-xdom-disc-04-secdir-lc-xia-2018-11-28-00
Request | Review of | draft-ietf-alto-xdom-disc |
---|---|---|
Requested revision | No specific revision (document currently at 06) | |
Type | Last Call Review | |
Team | Security Area Directorate (secdir) | |
Deadline | 2018-11-28 | |
Requested | 2018-11-14 | |
Authors | Sebastian Kiesel , Martin Stiemerling | |
I-D last updated | 2018-11-28 | |
Completed reviews |
Secdir Last Call review of -04
by Liang Xia
(diff)
|
|
Assignment | Reviewer | Liang Xia |
State | Completed | |
Request | Last Call review on draft-ietf-alto-xdom-disc by Security Area Directorate Assigned | |
Reviewed revision | 04 (document currently at 06) | |
Result | Ready | |
Completed | 2018-11-28 |
review-ietf-alto-xdom-disc-04-secdir-lc-xia-2018-11-28-00
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document details applicable scenarios, itemizes requirements, and specifies a procedure for ALTO cross-domain server discovery. Technically, the procedure specified in this document takes one IP address or prefix and a U-NAPTR Service Parameter (typically, "ALTO:https") as parameters. It performs DNS lookups (for NAPTR resource records in the in-addr.arpa. or ip6.arpa. tree) and returns one or more URI(s) of information resources related to that IP address or prefix. In general, this draft is in good shape, including the security considerations part. I just have some general comments or confusions for discussion as below: 1. I don't see the content about the authorization policy for alto server information distribution, is it necessary? 2. If the replied alto server information message is much larger than the request message, the attack can trigger the reflection DDoS attack using it. Does it need to be considered?