Last Call Review of draft-ietf-mmusic-image-attributes-
review-ietf-mmusic-image-attributes-secdir-lc-farrell-2011-01-18-00

Request Review of draft-ietf-mmusic-image-attributes
Requested rev. no specific revision (document currently at 11)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2011-01-18
Requested 2010-12-28
Authors Kyunghun Jung, Ingemar Johansson
Draft last updated 2011-01-18
Completed reviews Secdir Last Call review of -?? by Stephen Farrell
Assignment Reviewer Stephen Farrell
State Completed
Review review-ietf-mmusic-image-attributes-secdir-lc-farrell-2011-01-18
Review completed: 2011-01-18

Review
review-ietf-mmusic-image-attributes-secdir-lc-farrell-2011-01-18

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  Document editors and WG chairs should treat these comments just
like any other last call comments.

This draft defines a way to ask a sender to use different image
attributes using SDP.

The security considerations says that this doesn't change anything,
but I don't quite agree. A requestor could (accidentally or on
purpose) as for some very large image size or for some kind
of transformation that puts a lot of load on a transcoder, and
that could be part of some DoS attack. (I've actually seen this
bug triggered accidentally in a real system that did more or
less this.)

I'd suggest adding a paragraph to the security considerations
saying that implementations should be wary of this and could
include some sanity checking of inputs or could try to detect
cases where lots of resources are being used and then handle that
somehow. I don't know how that'd be best done, nor whether any
of that should use 2119 type language, but I assume the authors
can figure that out.

Stephen.