Last Call Review of draft-ietf-tram-stun-origin-05

Request Review of draft-ietf-tram-stun-origin
Requested rev. no specific revision (document currently at 06)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2015-03-17
Requested 2015-03-05
Authors Alan Johnston, Justin Uberti, John Yoakum, Kundan Singh
Draft last updated 2015-03-12
Completed reviews Genart Last Call review of -05 by David Black (diff)
Secdir Last Call review of -05 by Tero Kivinen (diff)
Opsdir Last Call review of -05 by Tim Chown (diff)
Assignment Reviewer Tero Kivinen
State Completed
Review review-ietf-tram-stun-origin-05-secdir-lc-kivinen-2015-03-12
Reviewed rev. 05 (document currently at 06)
Review result Ready
Review completed: 2015-03-12


I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This documents adds Origin attribute to the STUN that can be used in
similar ways as the HTTP header field of the same name. The specified
use cases include logging, analytincs and to provide additional
information to the server in addition to the authentication
mechanisms used.

The draft notices that it can be set by attacker to any way, and can
be modified in transit, and that it can also have privacy
implications, so it should be protected using TLS or DTLS when needed.

I think this draft is Ready.
kivinen at