Skip to main content

Last Call Review of draft-ietf-clue-rtp-mapping-10

Request Review of draft-ietf-clue-rtp-mapping
Requested revision No specific revision (document currently at 14)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2017-01-12
Requested 2016-12-22
Authors Roni Even , Jonathan Lennox
I-D last updated 2017-01-12
Completed reviews Genart Last Call review of -10 by Vijay K. Gurbani (diff)
Opsdir Last Call review of -10 by Jürgen Schönwälder (diff)
Secdir Last Call review of -10 by Dan Harkins (diff)
Assignment Reviewer Dan Harkins
State Completed
Request Last Call review on draft-ietf-clue-rtp-mapping by Security Area Directorate Assigned
Reviewed revision 10 (document currently at 14)
Result Has nits
Completed 2017-01-12

   I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

   This draft provides some recommendations and mappings to allow RTP
to be used in the CLUE protocol.

   I believe this draft is Ready with the following nits:

1) it makes normative reference to 3 other I-Ds. I am not familiar
with those drafts or their status or whether any of the normative
behavior this draft relies upon is contentious or not. Somebody
(not me) should make sure that all ducks are in a row before this
draft advances.

2) having RFC 2119 words in the Security Considerations seems OK
for saying things like "CLUE endpoints MUST support RTP/SAVPF and
DTLS-SRTP keying [RFC5764]" because it's just saying you need to
support something else that is providing you security. But I think
MUST language describing how the protocol needs to behave in order
to be secure itself belongs outside the Security Considerations.
I'm referring to: "Inappropriate choice of CNAME values can be a
privacy concern, since long-term persistent CNAME identifiers can be
used to track users across multiple calls.  CLUE endpoint MUST
generate short-term persistent RTCP CNAMES, as specified in RFC7022
[RFC7022], resulting in untraceable CNAME values that alleviate this
risk." I suggest placing that in a different section, possibly making
a new section that describes has all the various recommendations
being made on CLUE in one place.