Last Call Review of draft-ietf-rmcat-wireless-tests-08
review-ietf-rmcat-wireless-tests-08-secdir-lc-orman-2020-01-23-00

Request Review of draft-ietf-rmcat-wireless-tests
Requested rev. no specific revision (document currently at 11)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2020-01-21
Requested 2020-01-07
Authors Zaheduzzaman Sarker, Xiaoqing Zhu, Jian Fu
Draft last updated 2020-01-23
Completed reviews Secdir Last Call review of -08 by Hilarie Orman (diff)
Genart Last Call review of -08 by Gyan Mishra (diff)
Opsdir Last Call review of -08 by Fred Baker (diff)
Assignment Reviewer Hilarie Orman 
State Completed
Review review-ietf-rmcat-wireless-tests-08-secdir-lc-orman-2020-01-23
Posted at https://mailarchive.ietf.org/arch/msg/secdir/-x7K00OlaQGT66AgPi-hXm1I-sk
Reviewed rev. 08 (document currently at 11)
Review result Has Issues
Review completed: 2020-01-20

Review
review-ietf-rmcat-wireless-tests-08-secdir-lc-orman-2020-01-23

     Security review of Evaluation Test Cases for Interactive
     Real-Time Media over Wireless Networks
	 draft-ietf-rmcat-wireless-tests-08

Do not be alarmed.  I generated this review of this document as part
of the security directorate's ongoing effort to review all IETF
documents being processed by the IESG.  These comments were written
with the intent of improving security requirements and considerations
in IETF drafts.  Comments not addressed in last call may be included
in AD reviews during the IESG review.  Document editors and WG chairs
should treat these comments just like any other last call comments.

The focus of this document is the definition of test cases that can be
used evaluate congestion control algorithms for cellular and Wi-Fi
networks.  If the testing is done on isolated testbed networks, there
are are few, if any, security considerations.

The Security Considerations section mentions safeguards to avoid
"congestion collapse of the Internet" and "leaking non-responsive
traffic from unproven congestion avoidance techniques onto the open
Internet".  The former seems overly general (shouldn't all IETF
protocols strive to avoid breaking the Internet?), and I am not at all
sure what the latter means.

I would recommend that test setups use passwords and keys that are
specific to the test environment, but that is a generic recommendation
for all test environments.  It is probably not needed in this
document.

Hilarie