Last Call Review of draft-ietf-perc-dtls-tunnel-08
review-ietf-perc-dtls-tunnel-08-secdir-lc-emery-2021-06-06-00

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.

This draft specifies a DTLS tunneling protocol for Privacy-Enhanced RTP
Conferencing (PERC).  This entails a key exchange between the conference
end-points and the key distributor through a delegate, media distributor.

The security considerations section does exist and describes that the media
distributor does not introduce any additional security issues given that it is
just on-path with the key exchange between the endpoint and the key
distributor.  Secondly, the key material between the media distributor and key
distributor is protected through the mutually authenticated connection between
the two entities.  Thirdly, the meta data exchanged between the media
distributor and key distributor is not sensitive information, but is still
protected through the TLS connection.  I agree with the above assertions. 
Besides the concerns described in the genart review about the impact of key
material disclosure, the authors should consider the various other forms of
security issues against the protocol, such as downgrade/DoS attacks from
profile negotiation, etc.  The section could list and simply refer to the base
RFCs, 5764, 8871, etc., to provide remediation against these attacks.

General comments:

The example message flow and binary coding was helpful, thank you.

Editorial comments:

s/might might/might/
s/!@RFC4566/RFC4566/g
s/An value/A value/
s/!@RFC8126/RFC8126/
s/material This/material.  This/