Last Call Review of draft-ietf-sipcore-6665-clarification-00
review-ietf-sipcore-6665-clarification-00-secdir-lc-orman-2015-06-18-00

Request
Review of: draft-ietf-sipcore-6665-clarification
Requested rev.: no specific revision (document currently at 00)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2015-06-17
Requested: 2015-06-05
Authors: Adam Roach
Draft last updated: 2015-06-18
Completed reviews:
  Genart Last Call review of -00 by Tom Taylor
  Secdir Last Call review of -00 by Hilarie Orman
  Opsdir Last Call review of -00 by Tim Wicinski

Assignment
Reviewer: Hilarie Orman
State: Completed
Review: review-ietf-sipcore-6665-clarification-00-secdir-lc-orman-2015-06-18
Reviewed rev.: 00
Review result: Has Nits
Review completed: 2015-06-18

Review

Security review of draft-ietf-sipcore-6665-clarification-00 
 A clarification on the use of Globally Routable User Agent URIs (GRUUs)
 in the Session Initiation Protocol (SIP) Event Notification Framework

Do not be alarmed.  I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG.  These comments were written primarily
for the benefit of the security area directors.  Document editors and
WG chairs should treat these comments just like any other last call
comments.

SIP is big, very big, and I've not even come close to reading all the
defining documents.  Thus, I'm on shaky ground here.  I believe that a
GRUU stands for a collection of contact handles for an individual,
and it is thus an identifier for a protocol entity.

The clarification addresses when to use GRUUs, and the answer is
something like "for all dialogs, unless the dialog is forbidden."
The clarification emphasizes that it applies to INVITE dialogs.

According to the text, implementers have not always used a GRUU
as a local target.  Is this deliberate or accidental?  Is there
some perceived advantage to avoiding GRUUs for INVITE?  If so,
can the clarification explain why it is a misconception?

I don't really understand why GRUUs are to be avoided for forbidden
dialogs.  Perhaps it is an optimization that would be obvious to
a skilled SIP implementor.

Beyond that, I am not at all sure about the effect of GRUUs on the
overall security of the protocol.  If they are used for all dialogs,
might that open the door to some sort of amplification attack?  Does
it allow some sort of probing that could widen the attack surface?
I would like to see a sentence or two in the security considerations
explaining why not.

An editorial comment about the text "... to allow you to send ...".
"You" is a confusing informality in a protocol description.  The
formal name of the role ("notifier"?) should be used.

Hilarie