Last Call Review of draft-ietf-mmusic-image-attributes-
review-ietf-mmusic-image-attributes-secdir-lc-farrell-2011-01-18-00
Review
review-ietf-mmusic-image-attributes-secdir-lc-farrell-2011-01-18
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. Document editors and WG chairs should treat these comments just
like any other last call comments.
This draft defines a way to ask a sender to use different image
attributes using SDP.
The security considerations says that this doesn't change anything,
but I don't quite agree. A requestor could (accidentally or on
purpose) as for some very large image size or for some kind
of transformation that puts a lot of load on a transcoder, and
that could be part of some DoS attack. (I've actually seen this
bug triggered accidentally in a real system that did more or
less this.)
I'd suggest adding a paragraph to the security considerations
saying that implementations should be wary of this and could
include some sanity checking of inputs or could try to detect
cases where lots of resources are being used and then handle that
somehow. I don't know how that'd be best done, nor whether any
of that should use 2119 type language, but I assume the authors
can figure that out.
Stephen.