Early Review of draft-ietf-ippm-ioam-direct-export-07
review-ietf-ippm-ioam-direct-export-07-secdir-early-farrell-2022-05-19-00

Request Review of draft-ietf-ippm-ioam-direct-export
Requested revision No specific revision (document currently at 11)
Type Early Review
Team Security Area Directorate (secdir)
Deadline 2021-09-15
Requested 2021-08-30
Requested by Tommy Pauly
Authors Haoyu Song, Barak Gafni, Frank Brockners, Shwetha Bhandari, Tal Mizrahi
I-D last updated 2022-05-19
Completed reviews Secdir Early review of -07 by Stephen Farrell (diff)
Tsvart Early review of -06 by Colin Perkins (diff)
Opsdir Last Call review of -08 by Linda Dunbar (diff)
Genart Last Call review of -08 by Meral Shirazipour (diff)
Intdir Telechat review of -09 by Bernie Volz (diff)
Opsdir Telechat review of -09 by Linda Dunbar (diff)
Comments
Please review this document, specifically for security considerations around amplification attacks or similar concerns.
Assignment Reviewer Stephen Farrell
State Completed
Request Early review on draft-ietf-ippm-ioam-direct-export by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/2Ye7aR3CiVUZTZXFLxE25cHISfU
Reviewed revision 07 (document currently at 11)
Result Has issues
Completed 2022-05-19
First, apologies for the dramatically late review. I hope this is still useful.

I think there are two issues worth considering:

1. The DEX scheme seems to create a potential for DoS based on storage whereas
I think previously only DoS vectors related to traffic were documented in the
IOAM drafts. That's based on a quick scan though so I may have missed it being
considered.

2. I see no mention at all of privacy in this draft nor in
draft-ietf-ippm-ioam-data - I don't understand why that's ok given that privacy
leaks from the kind of metadata collected here can be subtle? Or maybe that's
in some other draft?