Last Call Review of draft-ietf-xrblock-rtcweb-rtcp-xr-metrics-08
review-ietf-xrblock-rtcweb-rtcp-xr-metrics-08-secdir-lc-weis-2018-02-22-00

Request Review of draft-ietf-xrblock-rtcweb-rtcp-xr-metrics
Requested rev. no specific revision (document currently at 10)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2018-02-23
Requested 2018-02-09
Authors Varun Singh, Rachel Huang, Roni Even, Dan Romascanu, Deng Lingli
Draft last updated 2018-02-22
Completed reviews Genart Last Call review of -08 by Robert Sparks (diff)
Secdir Last Call review of -08 by Brian Weis (diff)
Genart Telechat review of -09 by Robert Sparks (diff)
Assignment Reviewer Brian Weis
State Completed
Review review-ietf-xrblock-rtcweb-rtcp-xr-metrics-08-secdir-lc-weis-2018-02-22
Reviewed rev. 08 (document currently at 10)
Review result Has Nits
Review completed: 2018-02-22

Review
review-ietf-xrblock-rtcweb-rtcp-xr-metrics-08-secdir-lc-weis-2018-02-22

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document describes monitoring features related to media streams  in Web real-time communication (WebRTC).  The monitoring features are sent in Sender and Receiver Reports through RTCP along with other metrics related to the transport of multimedia flows. The new monitoring features are comprised of packet counts and other packet-related statistics (e.g., jitter).

The Security Considerations states that there are no additional security considerations beyond those mentioned in related documents, and I believe this is true. There is one reference in this section that needs to be fixed: [RFC3792] is not correct. I assumed it should have been RFC 6792.

Also, it would be helpful to add a reference in Section 5.3 to RFC 7294 to identify the source for "concealment metrics". A security reviewer will naturally want to know what property "concealment" is intended to provide, and it took some hunting down to find it and determine that it wasn't relevant.