Last Call Review of draft-ietf-core-http-mapping-12
review-ietf-core-http-mapping-12-secdir-lc-zhang-2016-10-14-00
Request | Review of | draft-ietf-core-http-mapping |
---|---|---|
Requested revision | No specific revision (document currently at 17) | |
Type | Last Call Review | |
Team | Security Area Directorate (secdir) | |
Deadline | 2016-10-11 | |
Requested | 2016-08-11 | |
Authors | Angelo P. Castellani , Salvatore Loreto , Akbar Rahman , Thomas Fossati , Esko Dijk | |
I-D last updated | 2016-10-14 | |
Completed reviews |
Genart Last Call review of -12
by Francis Dupont
(diff)
Genart Telechat review of -14 by Francis Dupont (diff) Genart Telechat review of -15 by Francis Dupont (diff) Secdir Last Call review of -12 by Dacheng Zhang (diff) Opsdir Last Call review of -12 by Menachem Dodge (diff) Secdir Last Call review of -17 by Dacheng Zhang Opsdir Telechat review of -17 by Susan Hares |
|
Assignment | Reviewer | Dacheng Zhang |
State | Completed | |
Request | Last Call review on draft-ietf-core-http-mapping by Security Area Directorate Assigned | |
Reviewed revision | 12 (document currently at 17) | |
Result | Has issues | |
Completed | 2016-10-14 |
review-ietf-core-http-mapping-12-secdir-lc-zhang-2016-10-14-00
Hello, I have reviewed this document as part of the security directorate’s ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. I think this document is nearly ready for publication. This document provides reference information for implementing a cross-protocol network proxy that performs translation from the HTTP protocol to CoAP. The security considerations section is quite extensive. However, some contents in this section have not been well organized yet. The issues caused by lacking protection to multi-cast addresses has been discussed in sections 10.1, 10.2, 10.3, and 10.4. Same recommendation that requests to multicast resources are access controlled with a default-deny policy has been provided in both 10.1 and 10.4. I suggest to put the issues with multi cast into 10.1 and remove the redundant information in other places. In addition, it is a common method to deal with DoS attacks by limit the request rate. So, maybe it is worthwhile to mention this in section 10.2.