
Last Call Review of draft-ietf-radext-dtls-10
review-ietf-radext-dtls-10-secdir-lc-weis-2014-05-02-00

Request: Review of draft-ietf-radext-dtls
Requested revision: No specific revision (document currently at 13)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2014-04-30
Requested: 2014-04-17
Authors: Alan DeKok
I-D last updated: 2014-05-02
Completed reviews:
  Genart Early review of -07 by Ben Campbell
  Genart Last Call review of -10 by Ben Campbell
  Secdir Early review of -06 by Brian Weis
  Secdir Last Call review of -10 by Brian Weis
Assignment: Reviewer Brian Weis
State: Completed
Request: Last Call review on draft-ietf-radext-dtls by Security Area Directorate, Assigned
Reviewed revision: 10 (document currently at 13)
Result: Ready
Completed: 2014-05-02
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

This is a re-review; I last reviewed draft-ietf-radext-dtls-06. Reproducing my
summary from that review: This document describes requirements and
implementation details regarding using DTLS as a transport layer for RADIUS
packets. It is a companion to RFC 6614 ("TLS Encryption for RADIUS"), and this
I-D references many of the sections in that RFC rather than re-defining them.
While the security considerations of encapsulating RADIUS in TLS and DTLS are
very similar, there are a number of operational issues where a UDP protocol is
more advantageous than a TCP one, and vice versa. Both documents are worth
specifying; providing more secure alternatives to the simple RADIUS MD5
integrity checks is critical.

The current draft addresses my earlier comments, and is much improved due to
other changes as well. I believe it is ready to publish.

I noticed one nit in the "DTLS Data" definition (Section 5.1): s/variable which
may information about/variable which may contain information about/.

Brian