User-Defined Errors for RSVP
RFC 5284
Yes
No Objection
Note: This ballot was opened for revision 08 and is now closed.
Lars Eggert No Objection
(Chris Newman; former steering group member) (was No Objection, No Record, Discuss) Yes
For AUTH48: The new text has a number of typos, like "strngs" and "Descriprion".
(David Ward; former steering group member) Yes
(Magnus Westerlund; former steering group member) Yes
(Ron Bonica; former steering group member) Yes
(Cullen Jennings; former steering group member) No Objection
(Jari Arkko; former steering group member) (was Discuss) No Objection
(Jon Peterson; former steering group member) No Objection
(Lisa Dusseault; former steering group member) No Objection
(Pasi Eronen; former steering group member) No Objection
Based on Stephen Hanna's SecDir review: especially since RSVP packets don't usually contain ASCII strings, it might be a good idea to say in security considerations that the received string must be processed carefully (as it could contain e.g. control characters, printf format strings, SQL injection, or whatever). Stephen's suggested text: Like any other data received from a partially trusted party, the recipient MUST carefully check the USER_ERROR_SPEC object and its contents to make sure that it does not contain any malformed or illegal values and will not cause any buffer overruns or other processing errors that could cause reliability or security problems. The Error Description should be examined especially carefully if it is to be logged or displayed since it may eventually be processed by other code with poor error handling. Any control characters (bytes with values 0-31 and 127 decimal) or non-ASCII characters (128-255 decimal) MUST be removed. Other characters may need to be removed from the string, depending on the logging system in use and the range of characters that it can accept. If the logging or display system has escaping or another post-processing step that could give special meaning to the characters in the string, protection against injection attacks SHOULD be included in the RSVP code. Typos: In section 3, "Criticial" should be "Critical". In section 4.2, "display of logging" should be "display or logging".
(Ross Callon; former steering group member) No Objection
(Russ Housley; former steering group member) No Objection
(Tim Polk; former steering group member) No Objection