Last Call Review of draft-ietf-rtcweb-stun-consent-freshness-11

Request Review of draft-ietf-rtcweb-stun-consent-freshness
Requested rev. no specific revision (document currently at 16)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2015-06-09
Requested 2015-05-04
Authors Muthu Perumal, Dan Wing, Ram R, Tirumaleswar Reddy.K, Martin Thomson
Draft last updated 2015-06-10
Completed reviews Genart Last Call review of -12 by Meral Shirazipour (diff)
Genart Last Call review of -13 by Meral Shirazipour (diff)
Genart Last Call review of -15 by Meral Shirazipour (diff)
Secdir Last Call review of -11 by Steve Hanna (diff)
Opsdir Last Call review of -11 by David Black (diff)
Assignment Reviewer Steve Hanna
State Completed
Review review-ietf-rtcweb-stun-consent-freshness-11-secdir-lc-hanna-2015-06-10
Reviewed rev. 11 (document currently at 16)
Review result Has Issues
Review completed: 2015-06-10


I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.


In my view, this document is Ready with Issues.


The purpose of the document is to reduce flooding attacks by defining a standard method for WebRTC endpoints to obtain “consent to send” before sending traffic to another endpoint and continuously while sending. I have a few questions:




Will misbehaving or malicious endpoints obey this? If not, what’s the point? If only a few polite endpoints go to the trouble of obtaining consent to send, I don’t see how this will solve anything.




Section 5.1 says “An endpoint MUST NOT send data other than the messages used to establish consent unless the receiving endpoint has consented to receive data.” This seems to be a long way from the present reality. How many applications implement this requirement? Or will this feature somehow be built into the OS?




The document says that “Consent expires after 30 seconds.” And “Implementations SHOULD set a default interval of 5 seconds” for retransmitting STUN binding requests (requests for consent). If I understand this correctly, every pair of endpoints with an active connection will now exchange STUN binding request and response pairs in each direction every five seconds. That works out to about one packet per second transit for every connection. That seems like a lot of overhead. Is the benefit adequate?


Other than these issues, the document seems ready.









 S/MIME cryptographic signature