Last Call Review of draft-ietf-dime-rfc4005bis-
review-ietf-dime-rfc4005bis-secdir-lc-moriarty-2012-09-28-00

Request Review of draft-ietf-dime-rfc4005bis
Requested revision No specific revision (document currently at 14)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2012-09-18
Requested 2012-09-07
Authors Glen Zorn
I-D last updated 2012-09-28
Completed reviews Genart Last Call review of -11 by David L. Black
Genart Telechat review of -14 by David L. Black
Secdir Last Call review of -?? by Kathleen Moriarty
Opsdir Telechat review of -14 by Benoît Claise
Assignment Reviewer Kathleen Moriarty
State Completed
Request Last Call review on draft-ietf-dime-rfc4005bis by Security Area Directorate Assigned
Result Ready w/nits
Completed 2012-09-28
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

Summary:
This document describes the extension of Diameter for the NAS application.

As such, should the abstract be updated to ensure the reader is aware of the
scope limitation in the first sentence?

In reading through the draft, I agree with the summary in the Security
Considerations section.  This document is limited in scope; it extends the
definition and doesn't go into the details of the protocol and the associated
security considerations. The base protocol is defined in RFC3588bis along with
the security requirements.

I think a reference to the authentication security requirements/considerations
defined in ietf-dime-rfc3588bis would be very helpful so that the reader knows
the extent of possible security issues and solutions since they go beyond what
is described in this document.  Having the reference either in Sections 4.3.1
and 4.5.6 or the Security Considerations section would ensure the reader is
aware this is addressed elsewhere.  Some issues are addressed in these
sections, but they do not go as far as the base protocol and there could be
issues as this document just relies on session encryption to protect plaintext
passwords, etc.  The base protocol describes other mechanisms and risks.

Editorial nit:
Section 1.1, first sentence of last paragraph
Change from:
"There are many other many miscellaneous"
To:
"There are many other miscellaneous"