Telechat Review of draft-ietf-i2nsf-framework-08
review-ietf-i2nsf-framework-08-secdir-telechat-franke-2017-10-24-00

Request Review of draft-ietf-i2nsf-framework
Requested rev. no specific revision (document currently at 10)
Type Telechat Review
Team Security Area Directorate (secdir)
Deadline 2017-10-24
Requested 2017-10-02
Draft last updated 2017-10-24
Completed reviews Genart Telechat review of -08 by Stewart Bryant (diff)
Opsdir Telechat review of -08 by Carlos Martínez (diff)
Secdir Telechat review of -08 by Daniel Franke (diff)
Assignment Reviewer Daniel Franke
State Completed
Review review-ietf-i2nsf-framework-08-secdir-telechat-franke-2017-10-24
Reviewed rev. 08 (document currently at 10)
Review result Not Ready
Review completed: 2017-10-24

Review
review-ietf-i2nsf-framework-08-secdir-telechat-franke-2017-10-24

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document is too broad and too vague for any reasonable security review to be possible. It expresses a desire to define a framework which satisfies certain requirements and use cases, but does not actually define anything concrete. At its most specific, the document gives parametricity constraints that future definitions must satisfy, such as being agnostic to network topology. This doesn't give me much to go on.

The security considerations section is brief, calling out the need for access control and for protecting the confidentiality and integrity of data. Again, with so few specifics, there's not much more to be said.

I do not think it is useful to anyone to publish this document as an RFC, not even an informational one. It is perfectly fine, when specifying an intricate suite of protocols, to have a separate document that gives a broad architectural overview of them all without delving into the specifics necessary for implementation. RFC 4251, which outlines the SSH protocol, is a good example of this. But, crucially, RFC 4251 was published simultaneously with 4252-4256, which provided all those specifics. This document has nothing similar as a companion; everything it describes is simply aspirational. I do not see any value in publishing an RFC full of unfulfilled aspirations.