Last Call Review of draft-ietf-ipfix-exporting-type-
review-ietf-ipfix-exporting-type-secdir-lc-farrell-2009-04-02-00

Request Review of draft-ietf-ipfix-exporting-type
Requested rev. no specific revision (document currently at 05)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2009-03-24
Requested 2009-03-13
Other Reviews
Review State Completed
Reviewer Stephen Farrell
Review review-ietf-ipfix-exporting-type-secdir-lc-farrell-2009-04-02
Posted at http://www.ietf.org/mail-archive/web/secdir/current/msg00547.html
Draft last updated 2009-04-02
Review completed: 2009-04-02

Review
review-ietf-ipfix-exporting-type-secdir-lc-farrell-2009-04-02

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

The document defines a way to include typing information in IPFIX
messages.

- The security considerations section is just a one liner saying
that the same issues apply here as are documented in rfc 5101. In
this case that reference is (with the one quibble below:-) sufficient
since 5101's security considerations seem to be very comprehensive.

- Are the length limits defined somewhere for the strings? E.g. in
section 3.3. The concern is buffer overflow etc. so if that's addressed
somewhere else that's fine. It may be worth noting this as an additional
security consideration since, e.g. the introduction states that
collecting processes may use this typing information to store or display
otherwise unknown data types. I guess if I could feed a collector
arbitrarily complex data types and values I'd be in a good position
to try engineer a buffer overrun.


Nits:

- bottom of p3: s/version of/versions of/
- 3.8 the description is a bit unclear to me (as a naive reader) and
  the Enterprise bit seems to be referenced here for the 1st time. I'm
  not at all sure, but it could be that this text is calling for a
  change to some other RFC (I mean the "SHOULD be cleared" phrase)

Regards,
Stephen.