Last Call Review of draft-ietf-tsvwg-iana-ports-

Request
  Review of: draft-ietf-tsvwg-iana-ports
  Requested rev.: no specific revision (document currently at 10)
  Type: Last Call Review
  Team: Security Area Directorate (secdir)
  Deadline: 2011-02-15
  Requested: 2011-01-18
  Authors: Michelle Cotton, Lars Eggert, Joseph Touch, Magnus Westerlund, Stuart Cheshire
  Draft last updated: 2011-02-01
  Completed reviews:
    Secdir Last Call review of -?? by Sandra Murphy
    Tsvdir Last Call review of -?? by Wesley Eddy
Assignment
  Reviewer: Sandra Murphy
  State: Completed
  Review: review-ietf-tsvwg-iana-ports-secdir-lc-murphy-2011-02-01
  Review completed: 2011-02-01


I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call


The draft draft-ietf-tsvwg-iana-ports-09 consolidates
the procedures scattered over several RFCs for the assignment of service names
and ports for transport protocols.  It establishes definitions and
specifications where they were previously missing (like syntax for service
names).  It provides a single reference for assignment procedures going
forward and establishes procedures for port/name de-assignment, reuse,
revocation, etc., and a description of the required and optional fields that
must be provided in any request.


I did NOT review the referenced documents and did
not therefore consider differences between this procedure and previously
employed procedures.


There is a required format for communication of a
request to the IANA, I presume by email.  I did not see any mention of the
email address to which the request should be sent (RFC5226 also doesn’t
seem to mention it).


The procedure requires that the same previous
Assignee (or Contact) make any subsequent request about a port/name assignment,
where the email address is provided in the request.  Security question:
how does the IANA know that it is communicating with the same Assignee/Contact? 
There’s no recommendation for security of that communication.


In the IANA section there is a paragraph:



   IANA is instructed to create a new service name entry in the service
   name and port number registry [PORTREG] for any entry in the
   "Protocol and Service Names" registry [PROTSERVREG] that does not
   already have one assigned.


Are there no guidelines for creating the new service


--Sandy Murphy