Last Call Review of draft-ietf-dhc-relay-server-security-03
review-ietf-dhc-relay-server-security-03-secdir-lc-meadows-2017-03-23-00

Request: Review of draft-ietf-dhc-relay-server-security
Requested rev.: no specific revision (document currently at 05)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2017-03-13
Requested: 2017-02-27
Draft last updated: 2017-03-23
Completed reviews:
  Intdir Early review of -02 by Jouni Korhonen
  Secdir Last Call review of -03 by Catherine Meadows
  Genart Last Call review of -03 by Francis Dupont
  Genart Telechat review of -03 by Francis Dupont
Assignment: Reviewer Catherine Meadows
State: Completed
Review: review-ietf-dhc-relay-server-security-03-secdir-lc-meadows-2017-03-23
Reviewed rev.: 03 (document currently at 05)
Review result: Ready
Review completed: 2017-03-23

Review
review-ietf-dhc-relay-server-security-03-secdir-lc-meadows-2017-03-23

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.


This brief draft gives requirements for securing relay-to-relay and relay-to-server communication for DHCPv6 and relay-to-server communication for DHCPv4.
Previously no such guidance existed.  The new guidance is that in both cases the draft REQUIRES that communication be IPsec encrypted.

The security considerations section points out the limitations of this document, e.g. it does not address communications between the client and the server or first hop
relay agent.  This section gives some recommendations for security in this case.  It also points out the limitations of some practices that are allowed by the document
but not encouraged, e.g. use of manual keys.  I believe this is a good use of the Security Considerations section for a document of this kind, which recommends a specific
solution to one part of the security problem, but does not attempt to propose a complete security solution.

I think this document is Ready.

Cathy Meadows


Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.mil