Last Call Review of draft-ietf-regext-change-poll-10
review-ietf-regext-change-poll-10-secdir-lc-smyslov-2018-10-29-00
| Request | Review of | draft-ietf-regext-change-poll |
|---|---|---|
| Requested revision | No specific revision (document currently at 12) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2018-11-05 | |
| Requested | 2018-10-22 | |
| Authors | James Gould , Kal Feher | |
| I-D last updated | 2018-10-29 | |
| Completed reviews |
Secdir Last Call review of -10
by Valery Smyslov
(diff)
|
|
| Assignment | Reviewer | Valery Smyslov |
| State | Completed | |
| Request | Last Call review on draft-ietf-regext-change-poll by Security Area Directorate Assigned | |
| Reviewed revision | 10 (document currently at 12) | |
| Result | Has nits | |
| Completed | 2018-10-29 |
review-ietf-regext-change-poll-10-secdir-lc-smyslov-2018-10-29-00
Reviewer: Valery Smyslov Review result: Ready with Nits I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This draft defines an extension for an Extensible Provisioning Protocol (EPP, RFC 5730) that allows servers to notify clients about operations which were not initiated by clients, but which modify state of client-sponsored objects. The extension is defined using standard EPP mechanism for adding extensions, so Security Considerations from RFC 5730 are applied and no new ones are added. Keeping long message queues consume server resources and can potentially be a surface for DoS attack, however as far as I understand unauthorized entities cannot cause server to perform actions resulted in operations on other clients' objects, so it seems that it is not a security issue here. Nevertheless adding a few words that it is not a security issue would be helpful. General comment not related to security. It seems to me that the protocol description is inconsistent. The Introduction Section states, that this extension only extends the response to the EPP <poll> command. However, Section 3 of this specification, which describes the EPP Command Mapping, extends only the response to the EPP <info> command with poll message, and the <poll> command is not mentioned there at all. I'm not familiar with the EPP protocol, but I believe that <info> and <poll> are different commands, so unless I've missed something, it seems that the protocol description is inconsistent (or incomplete). Since it is not related to security, I think the document is Ready (from security perspective), but this inconsistency must either be fixed or some clarification be provided.