RE: [secdir] SecDir review of draft-ietf-sipping-v6-transition-05

Hello,

Sam Weiler informed me that this draft will be on telechat this week.

I did not receive any answer from the authors to my review of this document as part of the security directorate review process, three weeks ago.

Please consider my comments as formal COMMENTS in the IESG evaluation.

And at the discretion of the AD: #2 and #4 could/should be seen as a DISCUSS.

Best regards, Tobias

From: secdir-bounces@xxxxxxx [mailto:secdir-bounces@xxxxxxx] On Behalf Of Tobias Gondrom
Sent: Thursday, June 28, 2007 3:33 PM
To: secdir@xxxxxxx; iesg@xxxxxxxx
Cc: fluffy@xxxxxxxxx; karim@xxxxxxxxxxx; oscar.novo@xxxxxxxxxxxx; mary.barnes@xxxxxxxxxx; jon.peterson@xxxxxxxxxxx; gonzalo.camarillo@xxxxxxxxxxxx; vkg@xxxxxxxxxxxxxxxxxx
Subject: [secdir] SecDir review of draft-ietf-sipping-v6-transition-05

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

My review has the following comments to the draft:

1. One spelling error:

s/domain instead of of using the/ domain instead of using the

2. Section 4.3: I cannot understand why this is a MAY and not at least a SHOULD (or MUST):

   Once the answerer has generated an answer following the ICE
   procedures, both user agents MAY perform the connectivity checks
   specified by ICE.

I would recommend using at least SHOULD instead of MAY in this statement.

Maybe a MUST would even be good???

3. Section 7, security considerations:

This section refers to the security considerations in other documents, stating that those cover threats and countermeasures adequately, namely references [6], [7] and [2].

[2] is ok, but [6] and [7] are still work in progress, so the WG chairs must take special care that both documents really fulfil this promise. With [7] this looks close to fulfilment, but [6] is still not complete in its Security Considerations section and must be improved before LC to keep up with the promise made in this document.

4. Section 7:

The section correctly informs about the risk that this draft may make hosts more amenable to existing threats, and it provides an example afterwards. This is good.

But I would expect, or at least suggest, also providing information about how this increased risk should be countered.

Best regards, Tobias

__________________________________________
Tobias Gondrom
Head of Open Text Security Team
Director, Product Security

Open Text Corporation
Technopark 2
Werner-von-Siemens-Ring 20
D-85630 Grasbrunn

Phone: +49 (0) 89 4629-1816
Mobile: +49 (0) 173 5942987
Telefax: +49 (0) 89 4629-33-1816
eMail:
mailto:tobias.gondrom@xxxxxxxxxxxx
Internet:
http://www.opentext.com/ 

Place of Incorporation / Sitz der Gesellschaft: Open Text GmbH, An der Trift 65, 63303 Dreieich, Germany | Phone: +49 (0) 6103 890 40 | Fax: +49 (0) 6103 89 04 11 | Register Court / Registergericht: Offenbach, Germany | Trade Register Number / HRB: 33340 | VAT ID Number /USt-ID:  DE 114 169 819 | Managing Director / Geschäftsführer: John Shackleton
