Last Call Review of draft-ietf-mif-mpvd-arch-09
review-ietf-mif-mpvd-arch-09-secdir-lc-turner-2015-03-02-00

Request: Review of draft-ietf-mif-mpvd-arch
Requested rev.: no specific revision (document currently at 11)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2015-02-17
Requested: 2015-01-29
Other Reviews: Genart Last Call review of -09 by Francis Dupont; Genart Telechat review of -10 by Francis Dupont
Review State: Completed
Reviewer: Sean Turner
Review: review-ietf-mif-mpvd-arch-09-secdir-lc-turner-2015-03-02
Posted at: https://www.ietf.org/mail-archive/web/secdir/current/msg05457.html
Reviewed rev.: 09 (document currently at 11)
Review result: Has Nits
Draft last updated: 2015-03-02
Review completed: 2015-03-02

Review
review-ietf-mif-mpvd-arch-09-secdir-lc-turner-2015-03-02

Fear not as this is just the secdir review!

I have reviewed this document as part of the security directorate’s ongoing effort to review all IETF documents being processed by the IESG.  These comments were written with the intent of improving security requirements and considerations in IETF drafts. Comments not addressed in last call may be included in AD reviews during the IESG review.  Document editors and WG chairs should treat these comments just like any other last call comments.

Summary: Ready with nits.

Nits:

0. s1.1: This section can be removed because there’s no RFC 2119 language in the draft, but that can be done by the RFC editor later.

1. s3.5: Somebody once suggested adding an IKEv2 payload for configuration data and got their head handed to them.  I guess it’s fine to leave the paragraph in the draft because this is just a possible solution, but I’d not count on it as a viable option.

2. s4.2: Makes me think of Fernando’s VPN leaks RFC: http://datatracker.ietf.org/doc/rfc7359/.

3. s5.2.1: Makes me hope that if there are two connections and one is a VPN, lookups meant for that connection are only done over that connection and not leaked out.  I think this is covered later in the section though.

spt