
Last Call Review of draft-ietf-ipfix-mediators-problem-statement-
review-ietf-ipfix-mediators-problem-statement-secdir-lc-sheffer-2010-03-15-00

Request Review of draft-ietf-ipfix-mediators-problem-statement
Requested revision No specific revision (document currently at 09)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2010-03-19
Requested 2010-03-03
Authors Benoît Claise, Atsushi Kobayashi
I-D last updated 2010-03-15
Completed reviews Secdir Last Call review of -?? by Yaron Sheffer
Secdir Telechat review of -?? by Yaron Sheffer
Assignment Reviewer Yaron Sheffer
State Completed
Request Last Call review on draft-ietf-ipfix-mediators-problem-statement by Security Area Directorate Assigned
Completed 2010-03-15
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.

This document presents the need for introducing Mediators (known in other
quarters as "proxies") into the IPFIX architecture.

The document is in general well written, and it does attempt to cover most of
the relevant security issues. But I would have liked to see a bit more
discussion on:

- Privacy concerns, especially where actual data packets are sampled. These
  concerns may be amplified when streams from multiple sources are combined.
- Multi-tenancy: large networks, i.e. those that require such solutions, may
  process and sometimes aggregate data from many different owners. An extreme
  example is virtualized processing clouds. Tenants should be protected from one
  another, and possibly also from the service provider.
- The subsection of the Security Considerations that discusses confidentiality
  protection could be improved to more clearly point out that transport-level
  security is no longer sufficient in this architecture, and (at least in some
  cases) should be replaced by end-to-end, application-level security.
- The trust model should be clarified, possibly just to say "we all trust the
  Mediator".

Non-security comments

The document starts out by discussing IPFIX, and then suddenly in 3.2, PSAMP is
introduced. The clueless reader is left confused: how does PSAMP relate to
per-flow information? I'd appreciate a clarifying paragraph at the top of Sec.
3.