[secdir] Secdir review of draft-ietf-cdni-media-type-04

Tero Kivinen <kivinen@iki.fi> Thu, 08 October 2015 09:06 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 269D91A8BB6; Thu, 8 Oct 2015 02:06:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AXr5tN1noNKA; Thu, 8 Oct 2015 02:06:30 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB7721A8BB3; Thu, 8 Oct 2015 02:06:29 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.1/8.14.8) with ESMTPS id t9896OrN009957 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 8 Oct 2015 12:06:24 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.1/8.14.8/Submit) id t9896OXx021973; Thu, 8 Oct 2015 12:06:24 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <22038.12816.208794.496704@fireball.acr.fi>
Date: Thu, 08 Oct 2015 12:06:24 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-cdni-media-type.all@tools.ietf.org
X-Edit-Time: 8 min
X-Total-Time: 7 min
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Ot2xurRyZrhlndOaNkxPu_2guC4>
Subject: [secdir] Secdir review of draft-ietf-cdni-media-type-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Oct 2015 09:06:32 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document allocates new media type for genera purpose content
delivery network interconnection protocol. It is general media type
which can be used to transmit whatever between CDNs. The actual format
of the content depends on the mandatory ptype parameter.

This document does not include separate Security considerations
section, but there is security considerations part of the section 2.1
which describes the media type itself.

As this is general purpose media type which can be used to transfer
anything, the security considerations section is quite vague, just
pointing out that the individual CDNI interface specifications need to
specify the security considerations for the ptypes used. Perhaps the
security considerations section could mention that as this is generic
media type, it can easily used to transfer data out from the CDN
network without anybody noticing as firewalls will most likely just
see application/cdni, and do not look at the ptype itself.

Nits:

The ptype parameter defines ptype-char as follows:

        ptype-char = %x21 / %23-3A / %x3C / %x3E-7E

I think there is 'x' missing from the "%23-3A", i.e. it should be
"%x23-3A".

I think this document is ready with nits. 
-- 
kivinen@iki.fi