Last Call Review of draft-ietf-rtcweb-fec-08
Please note that this review is for draft-ietf-rtcweb-fec-08, not the PERC draft referenced in the subject.
> On Feb 1, 2019, at 1:42 AM, Hilarie Orman <firstname.lastname@example.org> wrote:
> Security Review of WebRTC Forward Error Correction Requirements
> Do not be alarmed. I have reviewed this document as part of the
> security directorate's ongoing effort to review all IETF documents
> being processed by the IESG. These comments were written primarily
> for the benefit of the security area directors. Document editors and
> WG chairs should treat these comments just like any other last call
> The document describes the appropriate uses of FEC for web content when
> using WebRTC. It also describes how to indicate that FEC is being used.
> The Security Considerations mention the possibility of additional network
> congestion when using FEC. Although this can be a problem, I do not think
> it is a security issue, thus it does not belong in this section.
> There is a security-related issue wrt to FEC and encryption. If the
> error model is that message blocks may be lost but not altered in
> transit, then FEC with encryption is fine. But if FEC is added for
> the purpose of correcting corrupted bits in a message block, then it
> is important that FEC is done after encryption. The draft seems to
> ignore the issue, and it also seems to recommend a processing scheme
> that would result in encryption of the FEC data. If there is a body
> of practice for other IETF FEC protocols that explains these issues,
> an explicit reference to it in the Security Considerations would be
> very helpful.