Last Call Review of draft-ietf-dots-signal-call-home-11
review-ietf-dots-signal-call-home-11-secdir-lc-perlman-2020-11-05-00
| Review of | draft-ietf-dots-signal-call-home |
|---|---|
| Requested revision | No specific revision (document currently at 14) |
| Type | Last Call Review |
| Team | Security Area Directorate (secdir) |
| Deadline | 2020-11-12 |
| Requested | 2020-10-29 |
| Authors | Tirumaleswar Reddy.K, Mohamed Boucadair, Jon Shallow |
| I-D last updated | 2020-11-05 |
| Completed reviews | Secdir Last Call review of -11 by Radia Perlman; Yangdoctors Last Call review of -11 by Ebben Aries; Genart Last Call review of -11 by David Schinazi; Artart Telechat review of -14 by Sean Turner |
| Reviewer | Radia Perlman |
| State | Completed |
| Request | Last Call review on draft-ietf-dots-signal-call-home by Security Area Directorate (Assigned) |
| Posted at | https://mailarchive.ietf.org/arch/msg/secdir/GYefaGRDxO5SagGukRu_9jTSNxY |
| Reviewed revision | 11 (document currently at 14) |
| Result | Has nits |
| Completed | 2020-10-31 |
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

I didn't find anything objectionable from a security point of view in this I-D.

DOTS is a protocol for reporting denial of service attacks to someone closer to the source than you are, in hopes they can block such attacks before they have wasted more network bandwidth. The agent reporting the DoS is the DOTS client and the agent receiving the report is the DOTS server. The DOTS protocol is described in other documents.

There is a special case where a DOTS server is running in a "home" network where it is capable of initiating connections but not receiving incoming ones because of NAT or firewall. This document defines a variation of the DOTS protocol for such scenarios, where the DOTS server initiates the connection to the DOTS client in order to receive notifications of DoS traffic originating inside the firewalled network. Since authentication uses client and server certificates with TLS or DTLS, little needs to be changed to support this role reversal.

Found one typo: Section 5.3.2: depictes -> depicts