Last Call Review of draft-ietf-rats-tpm-based-network-device-attest-10
review-ietf-rats-tpm-based-network-device-attest-10-secdir-lc-emery-2022-01-16-00

Reviewer: Shawn Emery
Review result: Ready with nits

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
 Document editors and WG chairs should treat these comments just like any other
last call comments.

This draft specifies a system for secure network device attestation between a
verifier and attester (i.e. network device - hardware and software).  This
protocol utilizes TPMs for signing attestation data and Device IDentity (DevID)
from the device.

A privacy considerations section does exist and describes which information
would be considered sensitive, for example, log records that could disclose
software versions which could be used by an attacker for any known
vulnerability with said version(s).

The security considerations section exists and describes the various possible
ways in attacking the system.  I believe this section comprehensively accounts
for the multitude of attacks and covers the reasonable limitations of defending
against said attacks (e.g. device compromise, swapping in TPMs, etc.).

General comments:

Thank you for the privacy considerations section.

Editorial comments:

s/of an network/of a network/
s/likely be/likely to be/
s/as specified in [RFC8572])/(as specified in [RFC8572])/
s/mechanism couple with/mechanism coupled with/
s/[I-D.ietf-sacm-coswid], [RIM]))/([I-D.ietf-sacm-coswid], [RIM])/