Reviewer: Dave Thaler
Review result: Ready with Issues

In my view the following issues should be addressed before publication.

Section 3.1, page 7:

> Domain names are more specific than IP
> addresses (as multiple domain names may be associated with a single
> IP address)

But the converse is also true... multiple IP addresses may be associated
with a single domain name, so the conclusion that domain names are more
specific than IP addresses is not true in general. Indeed, the pyramid
(figure 1) shows IP addresses as more precise than domain names, which to
me is synonymous with more specific, just as hashes are more specific than
IP addresses. This seems a contradiction in the text quoted above.

Section 3.2:

> To be of use to defenders, IoCs must first be discovered, assessed,
> shared, and deployed.

I don't understand what it means for IoCs to be "deployed". Section 3.1
gave examples of IoCs such as "IPv4 and IPv6 addresses in network
traffic", but I don't know what it means to say "IPv4 and IPv6 addresses
in network traffic must be deployed". I suspect this is using some other
definition of IoC than what the text prior to here presented. You deploy
some detector or some other type of defense. The draft does not define
IoC as a detector or any other type of defense; it's defined as the thing
you look at. So you have to _deploy_ something that looks at an IoC, not
an IoC itself. Either fix the text here or redefine IoC earlier in the
document.

Section 4.1.4:

> There is significant benefit to be had from the sharing of IoCs and
> they can be easily shared for two main reasons: firstly, indicators
> are easy to distribute

Should "indicators" instead be "IoCs"? (But see previous comment, which
applies here too.)

> indicators are easy to distribute as they are textual

This statement seems imprecise. For example, an IP address is not textual.
It has a textual representation, but an IPv4 address itself is a 32-bit
binary value and an IPv6 address is a 128-bit binary value.

Section 5.1.1:

> IPv4 addresses are
> becoming increasingly fragile due to addresses growing scarce

Explain. The fact that they're growing scarce means they should be more
painful for an attacker to change, which means they should be increasingly
LESS fragile per the arguments earlier in the document.

Separately, you can also argue that IPv4 addresses are becoming
increasingly less _precise_ due to the introduction of carrier-grade NATs.

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call