Telechat Review of draft-ietf-pcp-description-option-04
review-ietf-pcp-description-option-04-secdir-telechat-hallam-baker-2014-02-20-00

Request Review of draft-ietf-pcp-description-option
Requested rev. no specific revision (document currently at 05)
Type Telechat Review
Team Security Area Directorate (secdir)
Deadline 2014-02-18
Requested 2014-02-06
Other Reviews Genart Last Call review of -03 by Roni Even
Genart Telechat review of -04 by Roni Even
Secdir Early review of -02 by Phillip Hallam-Baker
Opsdir Last Call review of -03 by Jouni Korhonen
Review State Completed
Reviewer Phillip Hallam-Baker
Review review-ietf-pcp-description-option-04-secdir-telechat-hallam-baker-2014-02-20
Posted at https://www.ietf.org/mail-archive/web/secdir/current/msg04632.html
Reviewed rev. 04 (document currently at 05)
Review result Has Issues
Draft last updated 2014-02-20
Review completed: 2014-02-20

Review

This draft simply adds in a description field to the Port Control Protocol.

While this does not raise security concerns in itself, uses of the field may. In particular, the (ab)use of the DNS TXT field to stuff site local or non-standard control data into the protocol might become a problem.

I suspect it won't be long before someone has the idea that their application announce itself with a description of "# SELECT * FROM Bobby.tables". 

The SC should point out that the data is not authenticated for this purpose and relying on (or executing) descriptions is a trail of tears.
-- 
Website: http://hallambaker.com/
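As an added example (not part of the review or the draft), here is how a receiver can follow the review's advice and treat the description as unauthenticated, opaque data: parse it, bound it, strip control characters before logging, and store it only through a parameterised query. It assumes the PCP option layout (1-byte option code, 1-byte reserved, 2-byte length, payload), option code 128 for DESCRIPTION, and a 1024-byte cap as local policy; the sample TLVs are constructed, not captured.

```python
import sqlite3
import struct
import unicodedata

# PCP option TLV layout assumed here: 1-byte option code, 1-byte reserved,
# 2-byte length, then the payload. Code 128 is assumed to be DESCRIPTION.
DESCRIPTION_OPTION_CODE = 128
MAX_DESCRIPTION_LEN = 1024  # local policy cap, not a protocol constant

# Constructed samples (not captured traffic).
BOBBY_PAYLOAD = "# SELECT * FROM Bobby.tables; --\n".encode("utf-8")
BOBBY_TLV = struct.pack("!BBH", DESCRIPTION_OPTION_CODE, 0, len(BOBBY_PAYLOAD)) + BOBBY_PAYLOAD
TRUNCATED_TLV = struct.pack("!BBH", DESCRIPTION_OPTION_CODE, 0, 16) + b"ab"
INVALID_UTF8_TLV = struct.pack("!BBH", DESCRIPTION_OPTION_CODE, 0, 2) + b"\xff\xfe"

def parse_description_option(tlv: bytes) -> str:
    """Return the description as untrusted text, never as anything to act on.

    Rejects truncated options, oversized values and invalid UTF-8, and strips
    control characters so the value cannot forge log lines.
    """
    if len(tlv) < 4:
        raise ValueError("option header truncated")
    code, _reserved, length = struct.unpack("!BBH", tlv[:4])
    if code != DESCRIPTION_OPTION_CODE:
        raise ValueError(f"not a DESCRIPTION option (code {code})")
    if length > MAX_DESCRIPTION_LEN or len(tlv) < 4 + length:
        raise ValueError("description length out of bounds")
    text = tlv[4:4 + length].decode("utf-8")  # raises UnicodeDecodeError
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cc")

def is_rejected(tlv: bytes) -> bool:
    """True if the receiver would discard this option rather than use it."""
    try:
        parse_description_option(tlv)
    except (ValueError, UnicodeDecodeError):
        return True
    return False

def store_description(conn: sqlite3.Connection, mapping_id: int, desc: str) -> None:
    """Persist with a parameterised query; the text is data, not SQL."""
    conn.execute("INSERT INTO mappings (id, description) VALUES (?, ?)", (mapping_id, desc))

def demo() -> list:
    desc = parse_description_option(BOBBY_TLV)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mappings (id INTEGER PRIMARY KEY, description TEXT)")
    store_description(conn, 1, desc)
    return conn.execute("SELECT id, description FROM mappings").fetchall()
```

The joke payload ends up as an inert row with its trailing newline removed, while the truncated and invalid-UTF-8 options are dropped before anything downstream sees them.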