Telechat Review of draft-ietf-pcp-description-option-04

Request: Review of draft-ietf-pcp-description-option
Requested revision: No specific revision (document currently at 05)
Type: Telechat Review
Team: Security Area Directorate (secdir)
Deadline: 2014-02-18
Requested: 2014-02-06
Authors: Mohamed Boucadair, Reinaldo Penno, Dan Wing
I-D last updated: 2014-02-20
Completed reviews:
  Genart Last Call review of -03 by Roni Even
  Genart Telechat review of -04 by Roni Even
  Secdir Early review of -02 by Phillip Hallam-Baker
  Secdir Telechat review of -04 by Phillip Hallam-Baker
  Opsdir Last Call review of -03 by Jouni Korhonen

Assignment
Reviewer: Phillip Hallam-Baker
State: Completed
Request: Telechat review on draft-ietf-pcp-description-option by Security Area Directorate (Assigned)
Reviewed revision: 04 (document currently at 05)
Result: Has issues
Completed: 2014-02-20

This draft simply adds in a description field to the Port Control Protocol.

While this does not raise security concerns in itself, uses of the field may.
In particular, the (ab)use of the DNS TXT field to stuff site local or
non-standard control data into the protocol might become a problem.

I suspect it won't be long before someone has the idea that their application
announce itself with a description of "# SELECT * FROM Bobby.tables".

The SC should point out that the data is not authenticated for this purpose and
relying on (or executing) descriptions is a trail of tears.
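
The concern raised in the review, shown from the receiving side, as an added example that is not part of the review or of the draft: a server that records a client-supplied description must treat it as inert text. The table layout, the function names, the 256-octet cap and the sample description are all assumptions made for illustration.

```python
import sqlite3
import unicodedata

MAX_DESC_OCTETS = 256  # assumed local cap, not a value taken from the draft


def clean_description(raw: bytes) -> str:
    """Decode an unauthenticated description as display-only text."""
    text = raw[:MAX_DESC_OCTETS].decode("utf-8", errors="replace")
    # Drop control and format characters (newlines, escapes, bidi overrides)
    # so the text cannot forge log lines or rewrite terminal output.
    return "".join(c for c in text if unicodedata.category(c) not in ("Cc", "Cf"))


def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mappings (port INTEGER, description TEXT)")
    return db


def store_unsafe(db: sqlite3.Connection, port: int, raw: bytes) -> None:
    """Anti-pattern: the description is spliced into the SQL text."""
    desc = raw.decode("utf-8", errors="replace")
    db.execute(f"INSERT INTO mappings VALUES ({port}, '{desc}')")


def store_safe(db: sqlite3.Connection, port: int, raw: bytes) -> None:
    """The description is a bound parameter and is never parsed as SQL."""
    db.execute("INSERT INTO mappings VALUES (?, ?)", (port, clean_description(raw)))


def rows(db: sqlite3.Connection) -> list:
    return db.execute("SELECT port, description FROM mappings ORDER BY port").fetchall()


# Constructed sample description; the quote lets it escape the string literal.
SAMPLE = b"cam'), (22, 'ssh admin"


def demo():
    bad, good = new_db(), new_db()
    store_unsafe(bad, 5000, SAMPLE)   # the description adds a second row
    store_safe(good, 5000, SAMPLE)    # the description stays one text value
    return rows(bad), rows(good)


if __name__ == "__main__":
    for label, result in zip(("unsafe", "safe"), demo()):
        print(label, result)
```

Binding the value only stops it from being executed; because the field is unauthenticated, the stored text still says nothing reliable about which application created the mapping.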