Security review of draft-ietf-cuss-sip-uui-isdn-08
Interworking ISDN Call Control User Information with SIP

Do not be alarmed. I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document defines a usage (a new package) of the SIP User-to-User header field to enable interworking with ISDN services transporting the ITU-T DSS1 User-user information data element and is limited to the ISDN UUS1 implicit supplementary service. Because the element may contain information related to user privacy, one should consider the impact of transmitting it in this context.

The document begins by noting the User-to-User header field is defined in "A Mechanism for Transporting User to User Call Control Information in SIP" (draft-ietf-cuss-sip-uui-16). That document notes security requirements deriving from an earlier document, RFC6567 SIP UUI Reqs, which states:

   The next three requirements capture the UUI security requirements.

   REQ-13: The mechanism will allow integrity protection of the UUI.
   ...
   REQ-14: The mechanism will allow end-to-end privacy of the UUI.
   ...
   REQ-15: The mechanism will allow both end-to-end and hop-by-hop
   security models.
   ...

The document under review and draft-ietf-cuss-sip-uui-16 note that because ISDN offers only hop-by-hop security, the SIP UAs must provide any necessary authenticity, integrity and privacy protection for sensitive parts of the UUI. It is not clear to me if the SIP endpoints are aware of intermediary ISDNs, nor if they might be unaware of the ISDN transit and thus misled into thinking that the SIP infrastructure provided adequate security controls for the protection of UUI data.

The document gives the guidance that "data that is used to assist in selecting which SIP UA should respond to the call would not be expected to carry any higher level of security than a media feature tag". I'm not sure how to interpret that. When should the "level of security" be expected to be lower than a media feature tag? Or does it mean something else, like:

   (a) the data should not be more sensitive than that in a media feature tag or
   (b) the data should be protected (authenticity, integrity, privacy) to at least the level of a media feature tag or
   (c) the UUI data and the media feature tag data are so similar that they should have the same level of protection?

That's my impression from reading over the security considerations. My apologies if I've missed the point.

Hilarie