Last Call Review of draft-ietf-avtcore-srtp-vbr-audio-
review-ietf-avtcore-srtp-vbr-audio-secdir-lc-johansson-2011-10-28-00

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This BCP-track document talks about potential information-leakage
resulting from the use of variable bit rate audio codecs with secure
RTP.

The document is well written and clearly explains the situations
where information-leakage can occur. The most realistic scenario
presented is eavesdropping on an RTP audio stream where one endpoint
is an IVR or other automated voice systems that use pre-recorded
messages.

The only think I missed was a discussion (perhaps in the security
section) about the risk of negotiating parameters (eg VAD) which
could lead to increased risk of information-leakage, however this
is perhaps a minor issue.
	
	Leif
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - 

http://enigmail.mozdev.org/



iEYEARECAAYFAk6cvZcACgkQ8Jx8FtbMZnfdrQCeInYzkao2scRc5I2WWAbb7mvt
dlIAn2iH6v1atyye5ky4xiJGNU4AVq2K
=O/yj
-----END PGP SIGNATURE-----