Last Call Review of draft-ietf-cdni-control-triggers-11

Request Review of draft-ietf-cdni-control-triggers
Requested rev. no specific revision (document currently at 15)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2016-01-05
Requested 2015-12-10
Authors Rob Murray, Ben Niven-Jenkins
Draft last updated 2016-01-07
Completed reviews Genart Last Call review of -11 by Roni Even (diff)
Secdir Last Call review of -11 by Vincent Roca (diff)
Assignment Reviewer Vincent Roca 
State Completed
Review review-ietf-cdni-control-triggers-11-secdir-lc-roca-2016-01-07
Reviewed rev. 11 (document currently at 15)
Review result Has Issues
Review completed: 2016-01-07



I have reviewed this document as part of the security directorate’s ongoing

effort to review all IETF documents being processed by the IESG. These

comments were written primarily for the benefit of the security area

directors.  Document editors and WG chairs should treat these comments just

like any other last call comments.


not totally ready

There are several topics I’d like to discuss:

1- Concerning the use of TLS to carry CI/T traffic, I see it is mandatory to implement, but still optional to use (1st sentence of Section 8.1). Is it still reasonable in current Internet? At a minimum I would expect a « MUST support » / « SHOULD use ».

2- Section 8.1, please check the paragraph « Note that in a « diamond » configuration […] ». This paragraph is rather confusing to me. Confusion comes from:

  - the lack of description of the « diamond configuration ». I understand there is one dCDN on top and multiple uCDN directly connected below, am I right?

  - the notion of « content acquired from a uCDN ». If I understand correctly, it means « content that has been acquired after a uCDN request to do so ». I initially thought there were some mistakes in the use of uCDN / dCDN…

3- With this « diamond configuration », since several uCDN can act upon the same content, what happens if they behave in a non coordinated manner (i.e., in the general case)? For instance let’s imagine one of them asks the dCDN to delete the content or cancel the initial command. What happens if another uCDN then asks the dCDN to invalidate this content, providing the URL of the Trigger Status Resource which (if I understand correctly) is no longer valid? This « diamond configuration » can be a little bit tricky and no clear guideline is provided in the document.

4- Concerning privacy aspects, I would be much more cautious than the authors. For instance, I wouldn't claim "there are no privacy concerns for End Users" because the CI/T protocol does not carry information about individual End Users (section 8.3). The dCDN knows that there are users interested (or at the opposite no user interested) by a certain content in the region served by a uCDN. Therefore, the protocol only provides k-anonymity, where k is the number of End Users in the region. Depending on the content sensitivity and k value, this k-anonymity may still raise privacy issues, even if the individual End User activity logs are not available to the dCDN (I assume TLS is used to prevent eavesdropping…).


** Section 8.3: « ... prevents parties other party..."






 Message signed with OpenPGP using GPGMail