Last Call Review of draft-ietf-rmt-sec-discussion-08
review-ietf-rmt-sec-discussion-08-secdir-lc-wierenga-2013-06-20-00

Hi,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes general security considerations for Reliable
Multicast Transport (RMT) building blocks and protocols. However the discussion
is not limited to RMT per se but is rather a discussion in general about
security issues that may influence the overall security of RMT.

I have one major issue with this draft, I interpret the discussion sort of as a
lengthy security considerations section for RMT. And while I applaud the effort
that has gone into producing this draft I don't understand why you have not
looked at RFC3552 (guidelines for writing security considerations) and take
that as the starting point of your discussion. It appears to me that that would
have been a more rigorous approach (for example, it is unclear to me why you
have a discussion about IPSec, but not about TLS, to name an example). It would
also have meant that you could reuse much of the text there or simply refer to
it. We now end up with 2 documents that write about the same sort of issues but
in different wording and in the case of this draft, far less scrutiny from the
security community. In the current incantation I don't support forwarding the
document, either it will have to be more rigorous (but still with the concern
about doubling the work) or should refer to RFC3552 and just discuss the RMT
specific issues and implementation choices.

Hope this helps,

Klaas