Skip to main content

Last Call Review of draft-ietf-ipfix-structured-data-
review-ietf-ipfix-structured-data-secdir-lc-sheffer-2011-04-06-00

Request Review of draft-ietf-ipfix-structured-data
Requested revision No specific revision (document currently at 06)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2011-04-12
Requested 2011-03-11
Authors Benoît Claise , Stan Yates , Gowri Dhandapani , Paul Aitken
I-D last updated 2011-04-06
Completed reviews Secdir Last Call review of -?? by Yaron Sheffer
Assignment Reviewer Yaron Sheffer
State Completed
Request Last Call review on draft-ietf-ipfix-structured-data by Security Area Directorate Assigned
Completed 2011-04-06
review-ietf-ipfix-structured-data-secdir-lc-sheffer-2011-04-06-00
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors.  Document editors and WG chairs should treat these
comments just like any other last call comments.



IPFIX is a structured information model and protocol for transmitting 


information about data flows. This document extends the model with 


structured data, basically several types of lists.






I have not reviewed the document in full, rather I have looked at the 


security aspects only. The Security Considerations refer the reader to 


the IPFIX protocol and data model RFCs, and I mostly agree, with one 


exception. I suggest to add text similar to the next paragraph:






The addition of complex data types necessarily complicates the 


implementation of the Collector. This could easily result in new 


security vulnerabilities (e.g., buffer overflows); this creates 


additional risk in cases where either DTLS is not used, or if the 


Observation Point and Collector belong to different trust domains.




Thanks,
	Yaron