Last Call Review of draft-ietf-anima-prefix-management-05
review-ietf-anima-prefix-management-05-secdir-lc-housley-2017-10-05-01

Request: Review of draft-ietf-anima-prefix-management
Requested rev.: no specific revision (document currently at 06)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2017-10-12
Requested: 2017-09-28
Other Reviews:
  Genart Last Call review of -05 by Dan Romascanu
  Rtgdir Last Call review of -05 by Geoff Huston
  Opsdir Last Call review of -06 by Fred Baker
  Secdir Telechat review of -06 by Catherine Meadows
  Genart Telechat review of -06 by Dan Romascanu
Review State: Completed
Reviewer: Russ Housley
Review: review-ietf-anima-prefix-management-05-secdir-lc-housley-2017-10-05
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/JAf56ZEoFZwj963suwqWCo54VYo
Reviewed rev.: 05 (document currently at 06)
Review result: Has Issues
Draft last updated: 2017-10-06
Review completed: 2017-10-06

Review
review-ietf-anima-prefix-management-05-secdir-lc-housley-2017-10-05

I reviewed this document as part of the Security Directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the Security Area
Directors.  Document authors, document editors, and WG chairs should
treat these comments just like any other IETF Last Call comments.

Document: draft-ietf-anima-prefix-management-05
Reviewer: Russ Housley
Review Date: 2017-10-05
IETF LC End Date: 2017-10-12
IESG Telechat date: Unknown

Summary: Has Issues


No Major Concerns


Minor Concerns

This document uses "DHCPv6-PD" and "DHCPv6 PD".  At first, I was going
to recommend picking one spelling.  However, RFC 3633 does not define
either of these.  So, some explanation is needed in addition to being
consistent.

In Section 3, the document says that roles can be locally defined.  If
I properly understood the rest of the document, this is just an indirect
way to state the prefix size.  If I got that right, it would help to
explain this to the reader as soon as possible.

In Section 3.2.1, please give some examples of device identities.  Are
we talking about a serial number or something else?

In Section 4.1, the document says:

  It should decide the length of the requested prefix and request it by
  the mechanism described in Section 6.

However, Section 6 talks about:

   ...  Thus it would be possible to apply an
   intended policy for every device in a simple way, without traditional
   configuration files.

I do not see how the mechanisms in Section 6 increase the allocation
for a single router.  It seems to increase the allocation to all routers
with a particular role.


Nits

Throughout the document, I find that "administrator(s)" grabs my
attention.  I suggest that "administrators" would be better for the
reader.

In Section 1, please spell out the first use of "ASA".

In Section 3.1: s/with minimum efforts/with minimum effort/
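
The reviewer's minor concern about Section 6 is that a prefix-length policy keyed on role changes the delegation for every router holding that role, not for one router.  The following is an added example written for this page, not code from the draft, the ANIMA working group or the reviewer.  It assumes a hypothetical role-to-prefix-length policy table, a hypothetical device inventory keyed by serial number (one possible answer to the Section 3.2.1 question about device identities) and a single aggregate pool from which sub-prefixes are delegated first-fit; the role names, lengths, serial numbers and the 2001:db8::/40 pool are all constructed for illustration.

```python
import ipaddress
from typing import Dict, List

# Constructed policy (an assumption, not from the draft): each locally
# defined role maps to the prefix length a router with that role requests.
DEFAULT_POLICY: Dict[str, int] = {"edge": 56, "aggregation": 48}

# Constructed inventory (assumption): device identity -> role.  A serial
# number is used as the identity purely for illustration.
INVENTORY: Dict[str, str] = {
    "SN-0001": "edge",
    "SN-0002": "edge",
    "SN-0003": "aggregation",
}


class PrefixPool:
    """First-fit delegation of fixed-length sub-prefixes from one aggregate.

    Mimics the bookkeeping a prefix-delegating router would keep: every
    delegated prefix is recorded so later requests never overlap it.
    """

    def __init__(self, aggregate: str) -> None:
        self.aggregate = ipaddress.IPv6Network(aggregate)
        self.delegated: List[ipaddress.IPv6Network] = []

    def delegate(self, length: int) -> ipaddress.IPv6Network:
        # A request for a prefix shorter than the pool itself cannot be honoured.
        if length < self.aggregate.prefixlen:
            raise ValueError(
                f"/{length} is shorter than the aggregate /{self.aggregate.prefixlen}"
            )
        for candidate in self.aggregate.subnets(new_prefix=length):
            # Reject any candidate that overlaps an earlier delegation, in
            # either direction (a /48 covering an existing /56, or vice versa).
            if not any(candidate.overlaps(done) for done in self.delegated):
                self.delegated.append(candidate)
                return candidate
        raise RuntimeError(f"pool {self.aggregate} exhausted for /{length}")


def requested_length(role: str, policy: Dict[str, int]) -> int:
    """The prefix length a router derives from its role under a policy."""
    try:
        return policy[role]
    except KeyError:
        raise ValueError(f"no prefix-length policy for role {role!r}") from None


def plan_delegations(
    inventory: Dict[str, str], policy: Dict[str, int], aggregate: str
) -> Dict[str, str]:
    """Delegate one prefix per device, in inventory order, sized by role."""
    pool = PrefixPool(aggregate)
    plan: Dict[str, str] = {}
    for device_id, role in inventory.items():
        plan[device_id] = str(pool.delegate(requested_length(role, policy)))
    return plan


def affected_by_policy_change(
    inventory: Dict[str, str],
    policy: Dict[str, int],
    role: str,
    new_length: int,
    aggregate: str,
) -> List[str]:
    """Devices whose delegation changes when one role's length is changed.

    This is the reviewer's point: the change lands on every device with
    that role, so it cannot grow the allocation of a single router.
    """
    before = plan_delegations(inventory, policy, aggregate)
    changed = dict(policy, **{role: new_length})
    after = plan_delegations(inventory, changed, aggregate)
    return sorted(device for device in inventory if before[device] != after[device])


if __name__ == "__main__":
    pool = "2001:db8::/40"
    for device, prefix in plan_delegations(INVENTORY, DEFAULT_POLICY, pool).items():
        print(device, INVENTORY[device], prefix)
    print("changed by edge -> /60:",
          affected_by_policy_change(INVENTORY, DEFAULT_POLICY, "edge", 60, pool))
```

Changing the "edge" entry from /56 to /60 moves both edge routers to new prefixes while the aggregation router keeps its /48, which is the per-role rather than per-router effect the review describes.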