Skip to main content

User-Defined Errors for RSVP
RFC 5284

Yes

(David Ward)
(Magnus Westerlund)
(Ron Bonica)

No Objection

Lars Eggert
(Cullen Jennings)
(Jari Arkko)
(Jon Peterson)
(Lisa Dusseault)
(Ross Callon)
(Russ Housley)
(Tim Polk)

Note: This ballot was opened for revision 08 and is now closed.

Lars Eggert No Objection

(Chris Newman; former steering group member) (was No Objection, No Record, Discuss) Yes

Yes (2008-06-26)
For AUTH48:

The new text has a number of typos, like "strngs" and "Descriprion".

(David Ward; former steering group member) Yes

Yes ()

                            

(Magnus Westerlund; former steering group member) Yes

Yes ()

                            

(Ron Bonica; former steering group member) Yes

Yes ()

                            

(Cullen Jennings; former steering group member) No Objection

No Objection ()

                            

(Jari Arkko; former steering group member) (was Discuss) No Objection

No Objection ()

                            

(Jon Peterson; former steering group member) No Objection

No Objection ()

                            

(Lisa Dusseault; former steering group member) No Objection

No Objection ()

                            

(Pasi Eronen; former steering group member) No Objection

No Objection (2008-05-05)
Based on Stephen Hanna's SecDir review: especially since RSVP packets 
don't usually contain ASCII strings, it might be a good idea to say in
security considerations that the received string must be processed
carefully (as it could contain e.g. control characters, printf format
strings, SQL injection, or whatever). Stephen's suggested text:

Like any other data received from a partially trusted party, the
recipient MUST carefully check the USER_ERROR_SPEC object and its
contents to make sure that it does not contain any malformed or
illegal values and will not cause any buffer overruns or other
processing errors that could cause reliability or security problems.
The Error Description should be examined especially carefully if it is
to be logged or displayed since it may eventually be processed by
other code with poor error handling. Any control characters (bytes
with values 0-31 and 127 decimal) or non-ASCII characters (128-255
decimal) MUST be removed. Other characters may need to be removed from
the string, depending on the logging system in use and the range of
characters that it can accept.  If the logging or display system has
escaping or another post-processing step that could give special
meaning to the characters in the string, protection against injection
attacks SHOULD be included in the RSVP code.

Typos:

In section 3, "Criticial" should be "Critical".
In section 4.2, "display of logging" should be "display or logging".

(Ross Callon; former steering group member) No Objection

No Objection ()

                            

(Russ Housley; former steering group member) No Objection

No Objection ()

                            

(Tim Polk; former steering group member) No Objection

No Objection ()