Last Call Review of draft-ietf-dhc-dhcpv4-vendor-message-
review-ietf-dhc-dhcpv4-vendor-message-secdir-lc-farrell-2010-02-11-00

Request: Review of draft-ietf-dhc-dhcpv4-vendor-message
Requested revision: No specific revision (document currently at 01)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2010-02-16
Requested: 2010-02-05
Authors: Bernie Volz
I-D last updated: 2010-02-11
Completed reviews: Secdir Last Call review of -?? by Stephen Farrell

Assignment
Reviewer: Stephen Farrell
State: Completed
Request: Last Call review on draft-ietf-dhc-dhcpv4-vendor-message by Security Area Directorate Assigned
Completed: 2010-02-11

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
Document editors and WG chairs should treat these comments just like any
other last call comments.

The document defines a way to include vendor-specific messages
in DHCPv4. I've only one relatively minor comment:

Is this new message type likely to be used for passing sensitive
information like user credentials? (E.g. username/password) If that's
not the intent it might be worth stating that in the security
considerations, just to discourage folks from doing that unless
they provide their own confidentiality service. (I'm assuming
there's no general confidentiality mechanism available.)

Aside from that you may or may not want to capitalise the "should"
in the last paragraph of the security considerations. (I don't care,
but it might be an oversight.)

On a non-security point: I didn't get the real need for this from
reading the text and the references to the "Vendor-Identifying
Vendor Options" I found confusing. So you could improve that a
bit, but I assume that DHCP implementers would find it sufficiently
clear.

Stephen.