Last Call Review of draft-harkins-ipsecme-spsk-auth-
review-harkins-ipsecme-spsk-auth-secdir-lc-barnes-2011-04-21-00

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
 Document editors and WG chairs should treat these comments just like any other
last call comments.

This document defines a new mechanism for using pre-shared keys for IPsec
authentication in IKE, in a way that addresses some vulnerabilities of the
current mechanism.

I am not a cryptographer, but the cryptographic protocol described in this
document seems basically sound, and its security properties are explained well
in the Security Considerations.

A question and couple of minor comments follow.
--Richard

Question: I haven't thought deeply about it, but it's not clear to me what the
advantage is over this cryptographic protocol vs. the SRP protocol that has
been used for TLS [RFC5054], besides the fact that SRP requires a user
"identity" in addition to a password.

Minor: There appears to be a typo at the top of Page 7.  It seems that the
equation should be as follows: scalar-op(x,Y) = element-op(Y, scalar-op(x-1),
Y)), for x > 1 Also, for completeness, you might note that scalar-op(0,Y) is
the identity element of the group.

Minor: It might be helpful to mention somewhere that scalars are always
non-negative integers.