Skip to main content

Last Call Review of draft-ietf-netext-wifi-epc-eap-attributes-08
review-ietf-netext-wifi-epc-eap-attributes-08-secdir-lc-johansson-2014-07-10-00

Request Review of draft-ietf-netext-wifi-epc-eap-attributes
Requested revision No specific revision (document currently at 16)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2014-06-24
Requested 2014-06-12
Authors Ravi Valmikam, Rajeev Koodli
I-D last updated 2014-07-10
Completed reviews Genart Last Call review of -08 by Peter E. Yee (diff)
Genart Telechat review of -09 by Peter E. Yee (diff)
Secdir Last Call review of -08 by Leif Johansson (diff)
Assignment Reviewer Leif Johansson
State Completed
Request Last Call review on draft-ietf-netext-wifi-epc-eap-attributes by Security Area Directorate Assigned
Reviewed revision 08 (document currently at 16)
Result Has nits
Completed 2014-07-10
review-ietf-netext-wifi-epc-eap-attributes-08-secdir-lc-johansson-2014-07-10-00
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The drafts define a set of EAP attributes for signalling wifi handover
from 3gpp devices. In general the draft is well written.

I believe the draft is more or less ready. I have two comments, one of
which is stylistic and the other may be just me misunderstanding the
EAP-AKA handshake...

1. In a few places the draft sais that the defined attributes SHOULD be
used. I would qualify this to say that "mobile nodes implementing the
spec SHOULD" since EAP is used in a lot of situations where 3gpp _could_
be used but isn't.

2. It seems like AT_CONNECTIVITY_TYPE is signalled before the EAP
challenge is completed. Unless I misunderstood something I think this
warrants a discussion in the Security Considerations section. Currently
the text in that section only talks about when attributes are to be
processed but there is no discussion of possible threats based on when
attributes are transmitted.

	Cheers Leif