Last Call Review of draft-ietf-mif-mpvd-arch-09
review-ietf-mif-mpvd-arch-09-secdir-lc-turner-2015-03-02-00

Request Review of draft-ietf-mif-mpvd-arch
Requested revision No specific revision (document currently at 11)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2015-02-17
Requested 2015-01-29
Authors Dmitry Anipko
I-D last updated 2015-03-02
Completed reviews Genart Last Call review of -09 by Francis Dupont (diff)
Genart Telechat review of -10 by Francis Dupont (diff)
Secdir Last Call review of -09 by Sean Turner (diff)
Assignment Reviewer Sean Turner
State Completed
Request Last Call review on draft-ietf-mif-mpvd-arch by Security Area Directorate Assigned
Reviewed revision 09 (document currently at 11)
Result Has nits
Completed 2015-03-02
Fear not as this is just the secdir review!

I have reviewed this document as part of the security directorate’s ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written with the intent of improving security requirements and
considerations in IETF drafts. Comments not addressed in last call may be
included in AD reviews during the IESG review.  Document editors and WG chairs
should treat these comments just like any other last call comments.

Summary: Ready with nits.

Nits:

0. s1.1: This section can be removed because there’s no 2119-language in the
draft, but that can be done by the RFC editor later.

1. s3.5: Somebody once suggested adding an IKEv2 payload for configuration data
and got their head handed to them.  I guess it’s fine to leave the paragraph in
the draft because this is just a possible solution, but I’d not count on it as
a viable option.

2. s4.2: Makes me think of Fernando’s VPN leaks RFC:
http://datatracker.ietf.org/doc/rfc7359/.

3. s5.2.1: Makes me hope that if there are two connections and one is a VPN,
lookups meant for that connection are only done over that connection and
not leaked out.  I think this is covered later in the section though.

spt