Skip to main content

Telechat Review of draft-ietf-core-resource-directory-25
review-ietf-core-resource-directory-25-secdir-telechat-smyslov-2020-08-09-00

Request Review of draft-ietf-core-resource-directory
Requested revision No specific revision (document currently at 28)
Type Telechat Review
Team Security Area Directorate (secdir)
Deadline 2020-08-11
Requested 2020-07-23
Authors Christian Amsüss , Zach Shelby , Michael Koster , Carsten Bormann , Peter Van der Stok
Draft last updated 2020-08-09
Completed reviews Secdir Last Call review of -24 by Adam W. Montville (diff)
Genart Last Call review of -24 by Russ Housley (diff)
Genart Telechat review of -25 by Russ Housley (diff)
Secdir Telechat review of -25 by Valery Smyslov (diff)
Assignment Reviewer Valery Smyslov
State Completed
Review review-ietf-core-resource-directory-25-secdir-telechat-smyslov-2020-08-09
Posted at https://mailarchive.ietf.org/arch/msg/secdir/4A-r2jKKQ9NmLNGXpFlyxWxSJCw
Reviewed revision 25 (document currently at 28)
Result Ready
Completed 2020-08-09
review-ietf-core-resource-directory-25-secdir-telechat-smyslov-2020-08-09-00
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
 Document editors and WG chairs should treat these comments just like any other
last call comments.

The -24 version of this draft was reviewed by Adam Montville. I looked over his
review and I think that the issue he raised about possible  mitigation of DDoS
amplification attacks has been addressed in this version. I personally think
that sentences describing how DNS and NTP are vulnerable to amplification
attacks are redundant in this document, but that's a matter of taste and
doesn't hurt.

It is my impression, that Security Considerations were mostly written having in
mind that (D)TLS is always used, however it is only "SHOULD" in this draft (or
even "MAY" if we look at RFC6690 which Security Considerations this draft
refers to). I think that adding a few words describing which consequences for
security not using (D)TLS would have and in which cases it is allowed will make
the Security Considerations more consistent.