Last Call Review of draft-ietf-cdni-control-triggers-11
I have reviewed this document as part of the security directorate’s ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area
directors. Document editors and WG chairs should treat these comments just
like any other last call comments.
not totally ready
There are several topics I’d like to discuss:
1- Concerning the use of TLS to carry CI/T traffic, I see it is mandatory to implement, but still optional to use (1st sentence of Section 8.1). Is it still reasonable in current Internet? At a minimum I would expect a « MUST support » / « SHOULD use ».
2- Section 8.1, please check the paragraph « Note that in a « diamond » configuration […] ». This paragraph is rather confusing to me. Confusion comes from:
- the lack of description of the « diamond configuration ». I understand there is one dCDN on top and multiple uCDN directly connected below, am I right?
- the notion of « content acquired from a uCDN ». If I understand correctly, it means « content that has been acquired after a uCDN request to do so ». I initially thought there were some mistakes in the use of uCDN / dCDN…
3- With this « diamond configuration », since several uCDN can act upon the same content, what happens if they behave in a non coordinated manner (i.e., in the general case)? For instance let’s imagine one of them asks the dCDN to delete the content or cancel the initial command. What happens if another uCDN then asks the dCDN to invalidate this content, providing the URL of the Trigger Status Resource which (if I understand correctly) is no longer valid? This « diamond configuration » can be a little bit tricky and no clear guideline is provided in the document.
4- Concerning privacy aspects, I would be much more cautious than the authors. For instance, I wouldn't claim "there are no privacy concerns for End Users" because the CI/T protocol does not carry information about individual End Users (section 8.3). The dCDN knows that there are users interested (or at the opposite no user interested) by a certain content in the region served by a uCDN. Therefore, the protocol only provides k-anonymity, where k is the number of End Users in the region. Depending on the content sensitivity and k value, this k-anonymity may still raise privacy issues, even if the individual End User activity logs are not available to the dCDN (I assume TLS is used to prevent eavesdropping…).
** Section 8.3: « ... prevents parties other party..."
Message signed with OpenPGP using GPGMail