Last Call Review of draft-ietf-codec-guidelines-
review-ietf-codec-guidelines-secdir-lc-yu-2011-10-28-00

Request Review of draft-ietf-codec-guidelines
Requested rev. no specific revision (document currently at 08)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2011-10-19
Requested 2011-10-07
Authors Jean-Marc Valin, Slava Borilin, Koen Vos, Christopher Montgomery, Juin-Hwey Chen
Draft last updated 2011-10-28
Completed reviews Genart Telechat review of -?? by Martin Thomson
Secdir Last Call review of -?? by Taylor Yu
Secdir Telechat review of -?? by Taylor Yu
Assignment Reviewer Taylor Yu
State Completed
Review review-ietf-codec-guidelines-secdir-lc-yu-2011-10-28
Review completed: 2011-10-28

Review
review-ietf-codec-guidelines-secdir-lc-yu-2011-10-28

This document gives procedural guidance on the development of codecs
within the IETF.  In its Security Considerations section, it says:

   The procedural guidelines for codec development do not have
   security considerations.  However, the resulting codec needs to
   take appropriate security considerations into account, for example
   as outlined in [DOS] and [SECGUIDE].

I think that additionally, authors of codec specifications should
consider what implementation vulnerabilities are likely to arise, and
document them in the specification.  As I recall, audio, video, and
image codecs have a long history of implementation vulnerabilities
shared among multiple implementations.

These shared vulnerabilities could be due to the encodings being
mostly binary in nature, sometimes with explicit length counts for
arrays, inviting buffer overflows when implemented in languages such
as C.  (I have not extensively studied these vulnerabilities, but I'm
sure other people have done so in much more detail.)

Editorial:

It's not clear what kinds of codecs are being considered.  Text in the
document implies that the focus is audio codecs rather than video or
other codecs, but perhaps the document should clarify what kinds of
codecs are in scope.

I misinterpreted "RF license" as "radio-frequency license" initially,
but a few clauses earlier, I found that "RF" is used to represent
"royalty-free".  As there are no other occurrences of "RF" with this
meaning, consider writing it in expanded form in both places (possibly
leaving the "RF" parenthetical for the first occurrence).
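
[Added illustration, not part of Taylor Yu's review or of the codec-guidelines
draft.  The paragraph above about binary encodings with explicit length counts
inviting buffer overflows in C is the classic shared-implementation bug in
codec parsers, so the block below shows the pattern on a constructed toy frame
format.  The frame layout (a block count byte, then per block a sample-count
byte followed by that many sample bytes), MAX_SAMPLES, the function names and
the sample frames are all invented for this example; no real codec is being
described.  The "unsafe" decoder is the mistake the review warns about and is
shown only for contrast; the hardened decoder validates every in-band length
against both the destination capacity and the bytes actually remaining before
it copies anything.]

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy frame format (not any real codec):
 *   byte 0        : number of channel blocks in the frame
 *   for each block: 1 byte sample_count, followed by sample_count sample bytes
 * Every length is chosen by whoever produced the frame, i.e. by the attacker. */
#define MAX_SAMPLES 16

typedef struct {
    uint8_t samples[MAX_SAMPLES];
    size_t  count;
} block_t;

/* VULNERABLE pattern: the in-band lengths are trusted.
 *  - a sample_count above MAX_SAMPLES overflows out[b].samples;
 *  - a sample_count larger than the remaining input reads past the end of `in`;
 *  - a block count above the caller's array size overflows `out` itself.
 * Shown for contrast only; never call it on untrusted data. */
int decode_frame_unsafe(const uint8_t *in, size_t in_len, block_t *out) {
    (void)in_len;                         /* the real buffer length is ignored entirely */
    size_t nblocks = in[0], pos = 1;
    for (size_t b = 0; b < nblocks; b++) {
        size_t n = in[pos++];
        memcpy(out[b].samples, in + pos, n);
        out[b].count = n;
        pos += n;
    }
    return (int)nblocks;
}

/* HARDENED: each length field is checked against the destination capacity and
 * the bytes actually remaining before any copy.  Comparisons are arranged so
 * the size_t arithmetic cannot wrap (pos <= in_len holds wherever it is used).
 * Returns the number of blocks decoded, or -1 if the frame is malformed. */
int decode_frame(const uint8_t *in, size_t in_len, block_t *out, size_t max_blocks) {
    if (in == NULL || in_len < 1) return -1;
    size_t nblocks = in[0];
    if (nblocks > max_blocks) return -1;          /* would overflow the output array */
    size_t pos = 1;
    for (size_t b = 0; b < nblocks; b++) {
        if (pos >= in_len) return -1;             /* length byte missing */
        size_t n = in[pos++];
        if (n > MAX_SAMPLES) return -1;           /* exceeds destination buffer */
        if (n > in_len - pos) return -1;          /* exceeds remaining input */
        memcpy(out[b].samples, in + pos, n);
        out[b].count = n;
        pos += n;
    }
    if (pos != in_len) return -1;                 /* trailing bytes: reject, do not guess */
    return (int)nblocks;
}

/* Constructed sample frames for the example. */
static const uint8_t FRAME_GOOD[]      = {2, 3, 0xA1, 0xA2, 0xA3, 1, 0xB1};
static const uint8_t FRAME_OVERSIZE[]  = {1, 40};              /* 40 > MAX_SAMPLES */
static const uint8_t FRAME_TRUNCATED[] = {1, 5, 0x01, 0x02};   /* claims 5 bytes, carries 2 */
static const uint8_t FRAME_TOOMANY[]   = {9, 0};               /* more blocks than the caller has room for */

#define NBLOCKS 4
static block_t scratch[NBLOCKS];

int main(void) {
    printf("good:      %d\n", decode_frame(FRAME_GOOD, sizeof FRAME_GOOD, scratch, NBLOCKS));
    printf("oversize:  %d\n", decode_frame(FRAME_OVERSIZE, sizeof FRAME_OVERSIZE, scratch, NBLOCKS));
    printf("truncated: %d\n", decode_frame(FRAME_TRUNCATED, sizeof FRAME_TRUNCATED, scratch, NBLOCKS));
    printf("too many:  %d\n", decode_frame(FRAME_TOOMANY, sizeof FRAME_TOOMANY, scratch, NBLOCKS));
    return 0;
}
```

The point a codec specification can make in its own Security Considerations is
exactly the one the hardened decoder encodes: every length or count carried in
the bitstream is attacker-controlled, so the specification should state the
bounds a conforming decoder must enforce (maximum frame size, maximum channel
or block count, maximum samples per block) and require the decoder to reject a
frame that violates them rather than trust the field.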