RE: Secdir last call review of draft-ietf-netvc-requirements-09

Dear Linda,

Thank you very much for your comments and questions. Below, please find my answers.
> why?
In the case of a software implementation, decoding a compressed stream can be a computationally intensive process that can require extensive data exchange between internal and external memory. So, if decoding should be performed in real time, this process can allocate too many computational resources (such as processor cores and memory that has limited bandwidth), which then become unavailable for other tasks. This situation can lead to denial-of-service issues (such as a media blackhole attack that is similar to a packet drop attack, https://en.wikipedia.org/wiki/Packet_drop_attack). Thus, forging such streams that require too many computational resources for decoding can be considered a DoS attack. To address this security issue, computational resources should be allocated according to a codec level that in fact defines "the worst case of computational complexity, memory bandwidth, and physical memory size". It should guarantee that any picture can be decoded within a certain maximum time period for given computational resources.

--
Best regards,
Alexey Filippov
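The level-based resource allocation described in the reply above, as an added worked example that is not code from the draft, the thread or any codec project. It assumes a hypothetical three-entry level table (the limits are constructed for illustration, not taken from any real codec specification), an 8-bit 4:2:0 sample layout for the memory estimate, and a stand-in StreamParams record in place of a parsed sequence header. The admission check does two things the reply argues for: it provisions CPU throughput and frame-buffer memory for the declared level's worst case rather than for whatever the stream claims, and it rejects a stream whose own parameters exceed its declared level before a single picture is decoded, which is where a forged stream would otherwise start consuming resources.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LevelLimits:
    """Worst-case bounds a level places on a conforming stream."""
    max_luma_ps: int    # luma samples per picture  -> frame-buffer memory size
    max_luma_sr: int    # luma samples per second   -> compute and memory bandwidth
    max_dpb_pics: int   # decoded-picture-buffer depth -> reference-picture memory


# Hypothetical level table, constructed for this example (not any codec's real table).
LEVELS = {
    "L1": LevelLimits(max_luma_ps=1_000_000, max_luma_sr=30_000_000, max_dpb_pics=6),
    "L2": LevelLimits(max_luma_ps=2_500_000, max_luma_sr=75_000_000, max_dpb_pics=6),
    "L3": LevelLimits(max_luma_ps=9_000_000, max_luma_sr=270_000_000, max_dpb_pics=6),
}
LEVEL_ORDER = list(LEVELS)          # lowest to highest

BYTES_PER_LUMA_SAMPLE = 1.5         # assumption: 8-bit 4:2:0, 1 luma + 0.5 chroma byte


@dataclass(frozen=True)
class StreamParams:
    """Stand-in for an already parsed sequence header (constructed, not a real bitstream)."""
    declared_level: str
    width: int
    height: int
    frames_per_second: float
    num_ref_frames: int


@dataclass(frozen=True)
class DecoderBudget:
    """What this deployment has set aside for one decoder instance."""
    max_level: str              # highest level the operator chose to provision for
    throughput_luma_sr: int     # measured worst-case luma samples/s the decoder sustains
    memory_bytes: int           # frame-buffer memory reserved for this instance


def level_memory_bytes(lim: LevelLimits) -> int:
    """Worst-case frame-buffer memory a conforming stream at this level may need:
    the DPB plus the picture being decoded, each at the level's maximum size."""
    return int(lim.max_luma_ps * BYTES_PER_LUMA_SAMPLE * (lim.max_dpb_pics + 1))


def admit_stream(params: StreamParams, budget: DecoderBudget) -> tuple[bool, str]:
    """Decide, before decoding any picture, whether the stream fits the budget.

    Returns (admitted, reason).  Two families of checks:
      a) provisioning: the decoder's reserved CPU and memory cover the declared
         level's worst case, so real-time decoding is guaranteed for any
         conforming stream at that level;
      b) conformance: the stream's own parameters stay inside the declared level,
         so a forged header cannot smuggle in more work than the level allows.
    """
    if params.declared_level not in LEVELS:
        return False, f"unknown level {params.declared_level!r}"
    if LEVEL_ORDER.index(params.declared_level) > LEVEL_ORDER.index(budget.max_level):
        return False, f"level {params.declared_level} exceeds provisioned {budget.max_level}"

    lim = LEVELS[params.declared_level]

    # (a) provisioning against the level's worst case, not against the stream's claims
    if lim.max_luma_sr > budget.throughput_luma_sr:
        return False, "decoder throughput below level worst-case sample rate"
    if level_memory_bytes(lim) > budget.memory_bytes:
        return False, "reserved memory below level worst-case frame-buffer size"

    # (b) conformance of the stream to its declared level
    luma_ps = params.width * params.height
    luma_sr = luma_ps * params.frames_per_second
    if luma_ps > lim.max_luma_ps:
        return False, f"picture size {luma_ps} exceeds level max {lim.max_luma_ps}"
    if luma_sr > lim.max_luma_sr:
        return False, f"sample rate {luma_sr:.0f} exceeds level max {lim.max_luma_sr}"
    if params.num_ref_frames > lim.max_dpb_pics:
        return False, f"{params.num_ref_frames} reference frames exceed DPB of {lim.max_dpb_pics}"

    return True, "admitted"


def worst_case_picture_seconds(level: str, budget: DecoderBudget) -> float:
    """Upper bound on the time one picture at this level takes on this decoder,
    i.e. the per-picture deadline that passing admit_stream guarantees can be met."""
    return LEVELS[level].max_luma_ps / budget.throughput_luma_sr


if __name__ == "__main__":
    budget = DecoderBudget(max_level="L2", throughput_luma_sr=75_000_000,
                           memory_bytes=32 * 1024 * 1024)
    # Constructed streams: a conforming one, a forged header, and an unprovisioned level.
    ok = StreamParams("L1", 1280, 720, 30.0, 4)
    forged = StreamParams("L1", 3840, 2160, 30.0, 4)      # claims L1, carries 4K pictures
    too_big = StreamParams("L3", 3840, 2160, 30.0, 4)     # honest header, level not provisioned
    for s in (ok, forged, too_big):
        print(s.declared_level, f"{s.width}x{s.height}@{s.frames_per_second:g}", "->",
              admit_stream(s, budget))
```

The point of ordering the checks this way is that the decoder never trusts the stream to size its own budget: the CPU and memory reservation is derived from the level table, and the header is only allowed to select a level the deployment already pays for. A stream that passes is guaranteed a bounded worst-case decode time per picture (worst_case_picture_seconds), which is the "maximum time period for given computational resources" the reply refers to; a stream that fails is dropped at admission instead of being allowed to starve other tasks.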

-----Original Message-----
From: Linda Dunbar via Datatracker [mailto:noreply@xxxxxxxx] 
Sent: Tuesday, May 28, 2019 8:35 PM
To: secdir@xxxxxxxx
Cc: draft-ietf-netvc-requirements.all@xxxxxxxx; video-codec@xxxxxxxx; ietf@xxxxxxxx
Subject: Secdir last call review of draft-ietf-netvc-requirements-09

Reviewer: Linda Dunbar
Review result: Has Nits

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document describes the overview of Internet video codec applications and the corresponding requirements. However, it doesn't cover any security requirement.

Section 5 on Security Considerations doesn't make sense to me. It states that not covering the worst case of computational complexity/memory bandwidth can be considered a security vulnerability and lead to denial of service (DoS) in the case of attacks.

Why?

What are "the worst case of computational complexity/memory bandwidth"? Why can covering them eliminate the "security vulnerability"?

Linda Dunbar
