Skip to main content

Early Review of draft-ietf-pcp-description-option-02
review-ietf-pcp-description-option-02-secdir-early-hallam-baker-2013-11-21-00

Request Review of draft-ietf-pcp-description-option
Requested revision No specific revision (document currently at 05)
Type Early Review
Team Security Area Directorate (secdir)
Deadline 2014-02-18
Requested 2013-11-14
Authors Mohamed Boucadair , Reinaldo Penno , Dan Wing
I-D last updated 2013-11-21
Completed reviews Genart Last Call review of -03 by Roni Even (diff)
Genart Telechat review of -04 by Roni Even (diff)
Secdir Early review of -02 by Phillip Hallam-Baker (diff)
Secdir Telechat review of -04 by Phillip Hallam-Baker (diff)
Opsdir Last Call review of -03 by Jouni Korhonen (diff)
Assignment Reviewer Phillip Hallam-Baker
State Completed
Request Early review on draft-ietf-pcp-description-option by Security Area Directorate Assigned
Reviewed revision 02 (document currently at 05)
Result Has issues
Completed 2013-11-21
review-ietf-pcp-description-option-02-secdir-early-hallam-baker-2013-11-21-00
  I have reviewed this document as part of the security directorate's

ongoing effort to review all IETF documents being processed by the

IESG.  These comments were written primarily for the benefit of the

security area directors.  Document editors and WG chairs should treat

these comments just like any other last call comments.

The document adds a 'description' option to the PCP protocol. The description
does not have defined semantics in PCP. As such the Security Considerations
relies on the considerations in the PCP specification.

This seems ill advised to me. Even though the field has no semantics in PCP it
is essentially the equivalent of a TXT RR in the DNS, possibly the most
over-used and abused RR in the DNS protocol.

If the description option is added then people are going to start using it to
define site local semantics unless there is some other mechanism for that
purpose. I suggest that the draft authors either add a description of how to
use the PCP mechanisms for this purpose (if applicable) or describe a mechanism
to support this use and preferably providing some sort of protection against
collisions.

Such a mechanism needs to consider the authenticity of the data provided and
the risk that it might disclose data to another application.

--

Website:

http://hallambaker.com/