Last Call Review of draft-ietf-regext-change-poll-10
review-ietf-regext-change-poll-10-secdir-lc-smyslov-2018-10-29-00

Request Review of draft-ietf-regext-change-poll
Requested rev. no specific revision (document currently at 11)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2018-11-05
Requested 2018-10-22
Other Reviews
Review State Completed
Reviewer Valery Smyslov
Review review-ietf-regext-change-poll-10-secdir-lc-smyslov-2018-10-29
Posted at https://mailarchive.ietf.org/arch/msg/secdir/r4itwmqnIkOLvH9X70A17WGaqZM
Reviewed rev. 10 (document currently at 11)
Review result Has Nits
Draft last updated 2018-10-29
Review completed: 2018-10-29

Review
review-ietf-regext-change-poll-10-secdir-lc-smyslov-2018-10-29

Reviewer: Valery Smyslov	
Review result: Ready with Nits

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This draft defines an extension for an Extensible Provisioning Protocol (EPP, RFC 5730)
that allows servers to notify clients about operations which were not 
initiated by clients, but which modify state of client-sponsored objects.

The extension is defined using standard EPP mechanism for adding extensions,
so Security Considerations from RFC 5730 are applied and no new ones are added. 
Keeping long message queues consume server resources and can
potentially be a surface for DoS attack, however as far as I understand
unauthorized entities cannot cause server to perform actions resulted in 
operations on other clients' objects, so it seems that it is not a security issue here.
Nevertheless adding a few words that it is not a security issue would be helpful.

General comment not related to security. It seems to me that the protocol description
is inconsistent. The Introduction Section states, that this extension only extends 
the response to the EPP <poll> command. However, Section 3 of this specification, 
which describes the EPP Command Mapping, extends only the response 
to the EPP <info> command with poll message, and the <poll> command is not mentioned 
there at all. I'm not familiar with the EPP protocol, but I believe that <info> and <poll> 
are different commands, so unless I've missed something, it seems that the protocol 
description is inconsistent (or incomplete). Since it is not related to security, 
I think the document is Ready (from security perspective), but this inconsistency 
must either be fixed or some clarification be provided.