Last Call Review of draft-ietf-avtcore-srtp-vbr-audio-
review-ietf-avtcore-srtp-vbr-audio-secdir-lc-johansson-2011-10-28-00

Request Review of draft-ietf-avtcore-srtp-vbr-audio
Requested rev. no specific revision (document currently at 04)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2011-11-01
Requested 2011-10-14
Authors Colin Perkins, Jean-Marc Valin
Draft last updated 2011-10-28
Completed reviews Genart Telechat review of -?? by Ben Campbell
Genart Last Call review of -?? by Ben Campbell
Secdir Last Call review of -?? by Leif Johansson
Assignment Reviewer Leif Johansson
State Completed
Review review-ietf-avtcore-srtp-vbr-audio-secdir-lc-johansson-2011-10-28
Review completed: 2011-10-28

Review

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This BCP-track document talks about potential information-leakage
resulting from the use of variable bit rate audio codecs with secure
RTP.

The document is well written and clearly explains the situations
where information-leakage can occur. The most realistic scenario
presented is eavesdropping on an RTP audio stream where one endpoint
is an IVR or other automated voice system that uses pre-recorded
messages.

The only thing I missed was a discussion (perhaps in the security
section) about the risk of negotiating parameters (e.g., VAD) which
could lead to increased risk of information-leakage; however, this
is perhaps a minor issue.
	
	Leif