Telechat Review of draft-ietf-pcp-description-option-04
review-ietf-pcp-description-option-04-secdir-telechat-hallam-baker-2014-02-20-00
| Request | Review of | draft-ietf-pcp-description-option |
|---|---|---|
| Requested revision | No specific revision (document currently at 05) | |
| Type | Telechat Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2014-02-18 | |
| Requested | 2014-02-06 | |
| Authors | Mohamed Boucadair, Reinaldo Penno, Dan Wing | |
| Draft last updated | 2014-02-20 | |
| Completed reviews | Genart Last Call review of -03 by Roni Even; Genart Telechat review of -04 by Roni Even; Secdir Early review of -02 by Phillip Hallam-Baker; Secdir Telechat review of -04 by Phillip Hallam-Baker; Opsdir Last Call review of -03 by Jouni Korhonen | |
| Assignment | Reviewer | Phillip Hallam-Baker |
| State | Completed | |
| Review | review-ietf-pcp-description-option-04-secdir-telechat-hallam-baker-2014-02-20 | |
| Reviewed revision | 04 (document currently at 05) | |
| Result | Has Issues | |
| Completed | 2014-02-20 |
This draft simply adds in a description field to the Port Control Protocol. While this does not raise security concerns in itself, uses of the field may.

In particular, the (ab)use of the DNS TXT field to stuff site local or non-standard control data into the protocol might become a problem. I suspect it won't be long before someone has the idea that their application announce itself with a description of "# SELECT * FROM Bobby.tables".

The SC should point out that the data is not authenticated for this purpose and relying on (or executing) descriptions is a trail of tears.

--
Website: http://hallambaker.com/
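The handling the review asks for, as an added example that is not part of the review or the draft: a receiver treats the description as unauthenticated, inert text, shown beside the string-built query it replaces. The `mappings` table, the length cap, the function names and the sample inputs are assumptions constructed for illustration.

```python
import sqlite3
import unicodedata

MAX_DESC_OCTETS = 256  # assumed local policy cap, not a value taken from the draft


def clean_description(raw: bytes) -> str:
    """Decode a received description as inert text; never interpret it."""
    text = raw[:MAX_DESC_OCTETS].decode("utf-8", errors="replace")
    # Drop control/format characters so the text cannot forge log lines
    # or emit terminal escapes when an operator views it.
    return "".join(c for c in text if unicodedata.category(c)[0] != "C")


def record_unsafe(db, port: int, raw: bytes) -> None:
    """Anti-pattern: the description becomes part of the SQL statement."""
    desc = raw.decode("utf-8", errors="replace")
    db.execute(f"INSERT INTO mappings VALUES ({port}, '{desc}')")


def record_safe(db, port: int, raw: bytes) -> None:
    """The description is bound as a parameter, so it is only ever data."""
    db.execute("INSERT INTO mappings VALUES (?, ?)", (port, clean_description(raw)))


def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mappings (port INTEGER, description TEXT)")
    samples = [  # constructed inputs; the first is the string quoted in the review
        (8080, b"# SELECT * FROM Bobby.tables"),
        (8081, b"Bob's media server\r\nfake log line"),
    ]
    unsafe_errors = 0
    for port, raw in samples:
        try:
            record_unsafe(db, port, raw)
        except sqlite3.Error:
            unsafe_errors += 1  # a quote in the description changed the SQL syntax
    db.execute("DELETE FROM mappings")
    for port, raw in samples:
        record_safe(db, port, raw)
    rows = db.execute("SELECT port, description FROM mappings ORDER BY port").fetchall()
    return unsafe_errors, rows


if __name__ == "__main__":
    print(demo())
```

Even a benign description containing an apostrophe alters the string-built statement, while the bound version stores both samples verbatim as text.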