
Last Call Review of draft-ietf-dots-signal-call-home-11
review-ietf-dots-signal-call-home-11-secdir-lc-perlman-2020-11-05-00

Request: Review of draft-ietf-dots-signal-call-home
Requested revision: No specific revision (document currently at 14)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2020-11-12
Requested: 2020-10-29
Authors: Tirumaleswar Reddy.K, Mohamed Boucadair, Jon Shallow
I-D last updated: 2020-11-05
Completed reviews:
  Secdir Last Call review of -11 by Radia Perlman
  Yangdoctors Last Call review of -11 by Ebben Aries
  Genart Last Call review of -11 by David Schinazi
  Artart Telechat review of -14 by Sean Turner
Assignment: Reviewer Radia Perlman
State: Completed
Request: Last Call review on draft-ietf-dots-signal-call-home by Security Area Directorate (Assigned)
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/GYefaGRDxO5SagGukRu_9jTSNxY
Reviewed revision: 11 (document currently at 14)
Result: Has nits
Completed: 2020-10-31
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

I didn't find anything objectionable from a security point of view in this
I-D.

DOTS is a protocol for reporting denial of service attacks to someone
closer to the source than you are in hopes they can block such attacks
before they have wasted more network bandwidth. The agent reporting the DoS
is the DOTS client and the agent receiving the report is the DOTS server.
The DOTS protocol is described in other documents.

There is a special case where a DOTS server is running in a "home" network
where it is capable of initiating connections but not receiving incoming
ones because of NAT or firewall. This document defines a variation of the
DOTS protocol for such scenarios where the DOTS server initiates the
connection to the DOTS client in order to receive notifications of DoS
traffic originating inside the firewalled network. Since authentication
uses client and server certificates with TLS or DTLS, little needs to be
changed to support this role reversal.

Found one typo:

Section 5.3.2: depictes -> depicts