
Last Call Review of draft-moriarty-post-inch-rid-transport-
review-moriarty-post-inch-rid-transport-secdir-lc-leiba-2010-04-19-00

Request: Review of draft-moriarty-post-inch-rid-transport
Requested revision: No specific revision (document currently at 03)
Type: IETF Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2010-04-22
Requested: 2010-04-02
Authors: Kathleen Moriarty, Brian Trammell
I-D last updated: 2013-03-02 (Latest revision 2010-06-30)
Completed reviews: Secdir IETF Last Call review of -?? by Barry Leiba
Secdir Telechat review of -?? by Barry Leiba
Assignment: Reviewer Barry Leiba
State: Completed
Request: IETF Last Call review on draft-moriarty-post-inch-rid-transport by Security Area Directorate (Assigned)
Completed: 2010-04-19
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document is going for Informational status, not Standards Track,
and yet defines a protocol layered over HTTP, using normative
language.  I have some concern about that -- we know how much
attention is often NOT paid to the distinction between Informational
and Standards Track.  Further, HTTP seems particularly ill-suited to
transporting this protocol... this seems another in the long line of
"use HTTP for everything" cases, which BCP 56 has tried
(unsuccessfully) to stave off.  The "callbacks", in particular, are
worrisome -- the payload has to contain all the state information, the
system doing the callback has to have the correct addresses of the
system that originally contacted it, and the whole thing is vulnerable
to asymmetry problems (firewalls, NAT, multi-homing, and so on; see
http://tools.ietf.org/id/draft-iab-ip-model-evolution-01.txt and Dave
Thaler's technical plenary presentation from IETF 73,
http://www.ietf.org/proceedings/73/plenaryw.html ).

At least it's not doing it over port 80.  :-)

-- 
Barry Leiba