Last Call Review of draft-ietf-dime-e2e-sec-req-04
review-ietf-dime-e2e-sec-req-04-opsdir-lc-wu-2016-05-16-00
| Request | Review of | draft-ietf-dime-e2e-sec-req |
|---|---|---|
| | Requested revision | No specific revision (document currently at 05) |
| | Type | IETF Last Call Review |
| | Team | Ops Directorate (opsdir) |
| | Deadline | 2016-05-31 |
| | Requested | 2016-04-28 |
| | Authors | Hannes Tschofenig, Jouni Korhonen, Glen Zorn, Kervin Pillay |
| | I-D last updated | 2016-09-23 (Latest revision 2016-06-08) |
| | Completed reviews | Genart IETF Last Call review of -04 by Christer Holmberg; Secdir IETF Last Call review of -04 by Radia Perlman; Opsdir IETF Last Call review of -04 by Qin Wu |
| Assignment | Reviewer | Qin Wu |
| | State | Completed |
| | Request | IETF Last Call review on draft-ietf-dime-e2e-sec-req by Ops Directorate Assigned |
| | Reviewed revision | 04 (document currently at 05) |
| | Result | Has nits |
| | Completed | 2016-05-16 |
I have reviewed this document as part of the Operational directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving the operational aspects of the IETF drafts. Comments that are not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments.

This document discusses requirements for providing end-to-end security to protect Attribute-Value Pairs between non-neighboring Diameter nodes, and I think it is almost ready for publication. But I have a few editorial comments as follows:

1. Section 3, 1st paragraph:
   AAA broker usually refers to an intermediate node that supports AAA functionality. I am not sure one network can be labeled as AAA broker. Change AAA broker into AAA broker network?

2. Section 3, 1st bullet on eavesdropping:
   The 1st bullet mentions AAA broker network. It would be nice to give a definition of AAA broker and AAA broker network in the terminology section.

3. Section 3, 2nd bullet on Injection and Manipulation:
   s/and inject/manipulate/to inject or manipulate

4. Section 4, the 2nd, 3rd, 4th scenarios:
   How do you prevent a man-in-the-middle attack by introducing a Diameter proxy? How does the Diameter proxy establish a trust relationship with either the Diameter client or the Diameter server? Are there security requirements for this?

5. Section 4, last paragraph:
   It looks like this paragraph discusses security considerations and should be moved to section 6.

6. Section 5, requirement 4:
   Is there any authorization approval before delegating security functionality to another entity?

-Qin Wu