Last Call Review of draft-ietf-core-stateless-05
review-ietf-core-stateless-05-secdir-lc-mandelberg-2020-03-20-00

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is ready with issues.

I think this protocol change increases the amount of data that a CoAP 
server would reflect in a DoS attack using spoofed source IP addresses 
with UDP. I don't see any opportunity for amplification though, just 
reflection of more data sent by a malicious client. I'm very much not a 
DoS expert though, so I have no idea if this is an issue at all.

What happens when a client changes the (implementation-private) format 
of the state it puts in the tokens? E.g., what if a client sends a 
request, applies a software update, then receives the response? (I'm 
guessing that's a more likely situation with UDP, since the software 
update would probably interrupt a TCP session.) If an attacker can 
predict when the software update will happen and how the new version 
will interpret the old version's tokens, can they replay anything 
maliciously? (Assuming the replay window includes some messages from 
just before the software update.)