Last Call Review of draft-ietf-ecrit-trustworthy-location-08

Request Review of draft-ietf-ecrit-trustworthy-location
Requested rev. no specific revision (document currently at 14)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2014-03-25
Requested 2014-02-20
Authors Hannes Tschofenig, Henning Schulzrinne, Bernard Aboba
Draft last updated 2014-03-25
Completed reviews Genart Last Call review of -08 by Meral Shirazipour (diff)
Genart Telechat review of -09 by Meral Shirazipour (diff)
Secdir Last Call review of -08 by Brian Weis (diff)
Opsdir Last Call review of -08 by Bert Wijnen (diff)
Assignment Reviewer Brian Weis 
State Completed
Review review-ietf-ecrit-trustworthy-location-08-secdir-lc-weis-2014-03-25
Reviewed rev. 08 (document currently at 14)
Review result Has Nits
Review completed: 2014-03-25


I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document identifies a number of threats and attacks when location data associated with an IP-based emergency services emergency service call. Three types of adversaries are identified, however only threats from malicious end host adversaries are addressed in this document. That is, adversaries which are themselves malicious, with or without the the awareness of the owner. Two types of threats from malicious hosts are discussed: location spoofing, where an adversary provides false location information in an emergency call; and identity spoofing, where a false network access identity or caller identity is claimed.

The document is useful and generally ready to publish. But I have the following suggestions that would improve reader comprehension.

Section 3 describes three "Solutions", which are perhaps better termed "Techniques to Mitigate Threats". I say this because each "Solution" lists caveats in the use of each technique, and there seems to be extant threats in each case. This is not a criticism of the proposed solutions, but rather a recognition that the document clearly states in each case that there are factors not in control of the LIS and/or Location Recipient that can reduce the trustworthiness of the location and/or identity information. So they are more properly mitigations, not solutions.

With the above comment in mind, the Abstract seems to overclaim a bit when it says "This document describes how to convey location in a manner that is inherently secure and reliable." It might be better to say something like "This document describes techniques that improve the reliability and security of location information conveyed in a IP-based emergency services emergency service call."

Section 5 "Security Considerations" contains a lot of good additional information on the consequences to attacks on emergency services, but for a document limiting itself to threats from hosts attacking the system I'm not sure why it discusses denial of service attacks to the infrastructure and attacks on the mapping architecture. This section could be clearer if this discussion was either removed or its relevance made clearer.

The definition for "Target" in Section 1.1 is a particularly important definition for this document but the definition is not actually present. It would benefit from a brief explanation of the term rather than just a pointer to RFC 3693!