Last Call Review of draft-ietf-pana-preauth-
review-ietf-pana-preauth-secdir-lc-salowey-2010-01-21-00

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors.  Document editors and WG chairs should treat these as
comments just like any other last call comments.  I apologize for the
late review.  

I did not find any major issues with the document.  The security
considerations section does describe the additional DOS threat
associated with the operation of the protocol.  I think the potential
mitigations could be described better.  1) it seems that the stateless
PCI should be moved up in the section since it is related to the last
sentence of the first paragraph. 2) it's not clear that "authorized" is
the best word to use here since authentication has not completed yet.
It might be better to say "It is recommended that messages are only
accepted from PACs originating from well known IP networks for a given
PAA."  It's not really clear how effective or practical this restriction
would be, but I'm not very familiar with PANA deployments.  

Cheers,

Joe