Last Call Review of draft-ietf-netext-wifi-epc-eap-attributes-08
review-ietf-netext-wifi-epc-eap-attributes-08-secdir-lc-johansson-2014-07-10-00
Request | Review of | draft-ietf-netext-wifi-epc-eap-attributes |
---|---|---|
Requested revision | No specific revision (document currently at 16) | |
Type | Last Call Review | |
Team | Security Area Directorate (secdir) | |
Deadline | 2014-06-24 | |
Requested | 2014-06-12 | |
Authors | Ravi Valmikam, Rajeev Koodli | |
I-D last updated | 2014-07-10 | |
Completed reviews |
Genart Last Call review of -08
by Peter E. Yee
(diff)
Genart Telechat review of -09 by Peter E. Yee (diff) Secdir Last Call review of -08 by Leif Johansson (diff) |
|
Assignment | Reviewer | Leif Johansson |
State | Completed | |
Request | Last Call review on draft-ietf-netext-wifi-epc-eap-attributes by Security Area Directorate Assigned | |
Reviewed revision | 08 (document currently at 16) | |
Result | Has nits | |
Completed | 2014-07-10 |
review-ietf-netext-wifi-epc-eap-attributes-08-secdir-lc-johansson-2014-07-10-00
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The drafts define a set of EAP attributes for signalling wifi handover from 3gpp devices. In general the draft is well written. I believe the draft is more or less ready. I have two comments, one of which is stylistic and the other may be just me misunderstanding the EAP-AKA handshake... 1. In a few places the draft sais that the defined attributes SHOULD be used. I would qualify this to say that "mobile nodes implementing the spec SHOULD" since EAP is used in a lot of situations where 3gpp _could_ be used but isn't. 2. It seems like AT_CONNECTIVITY_TYPE is signalled before the EAP challenge is completed. Unless I misunderstood something I think this warrants a discussion in the Security Considerations section. Currently the text in that section only talks about when attributes are to be processed but there is no discussion of possible threats based on when attributes are transmitted. Cheers Leif