Last Call Review of draft-ietf-6lo-use-cases-12
review-ietf-6lo-use-cases-12-secdir-lc-sparks-2022-04-05-01

Request Review of draft-ietf-6lo-use-cases
Requested revision No specific revision (document currently at 16)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2022-04-06
Requested 2022-03-23
Authors Yong-Geun Hong , Carles Gomez , Younghwan Choi , Abdur Rashid Sangi , Samita Chakrabarti
I-D last updated 2022-04-05
Completed reviews Secdir Last Call review of -12 by Robert Sparks (diff)
Genart Last Call review of -12 by Peter E. Yee (diff)
Intdir Telechat review of -14 by Carlos J. Bernardos (diff)
Secdir Telechat review of -14 by Robert Sparks (diff)
Assignment Reviewer Robert Sparks
State Completed
Request Last Call review on draft-ietf-6lo-use-cases by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/BDhtxVilF8J0y2eQg4P5a-xJx0E
Reviewed revision 12 (document currently at 16)
Result Has issues
Completed 2022-04-05
(apologies - there was an edit buffer glitch in the first version of this
review that this version corrects)

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

This document has issues to address before publication as an Informational RFC.

Issues:

From the abstract: "The document targets an audience who would like to
understand and evaluate running end-to-end IPv6 over the constrained node
networks for local or Internet connectivity."

Its security considerations section claims "Security considerations are not
directly applicable to this document". Yet the text of the draft has several
places that rightly call out things like "there exist implications for privacy",
"privacy also becomes a serious issue", and "the assumption is that L2 security
must be present." A summary of these things in the security considerations
section seems prudent. At _least_ call out again the assumption about L2
security.

The "Security Requirement" row in Table 2 is not well explained. The values in
that row are not explained at all. (For instance, the word "Partially" appears
exactly once in the document - it is unclear what it means).

Nits/Comments:

Appendix A is neither introduced nor referenced from the body of the document.
Why is it here?

I'm a little concerned about some of the technology descriptions possibly
moving beyond simple facts into interpretation or even marketing. The last
paragraph of section 2.5 is a particularly strong example. Look for phrases in
section 4 that include "targets" or "targeted by" and make sure that's what the
organizations that define those technologies say (consider references).

At 'superior "range"', why is range in quotes? Think about restructuring the
sentences that use 'superior' to avoid the connotation of "better than". All
this document really needs to acknowledge is "goes further".