Early Review of draft-ietf-roll-applicability-ami-07

Request: Review of draft-ietf-roll-applicability-ami
Requested rev.: no specific revision (document currently at 15)
Type: Early Review
Team: Security Area Directorate (secdir)
Deadline: 2016-05-03
Requested: 2013-11-28
Authors: Nancy Cam-Winget, Jonathan Hui, Daniel Popa
Draft last updated: 2013-12-19
Completed reviews:
  Genart Last Call review of -12 by Christer Holmberg
  Secdir Early review of -07 by Chris Lonvick
  Secdir Last Call review of -12 by Chris Lonvick
  Opsdir Last Call review of -12 by Susan Hares
Assignment: Reviewer Chris Lonvick
State: Completed
Review: review-ietf-roll-applicability-ami-07-secdir-early-lonvick-2013-12-19
Reviewed rev.: 07 (document currently at 15)
Review result: Has Issues
Review completed: 2013-12-19
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The document is incomplete but it appears that the authors know where
they want to go with it.

I would recommend that the Security Considerations section point to the
Security Considerations section of RFC 6550 (RPL) and say that the
roll-applicability-ami document is a description of the applicability
of 6550 to the ami, therefore the considerations of 6550 apply.

The authors note that other security mechanisms may be used, which
would mean that the security functions of RPL would not be needed.  I
would recommend that a section of the Security Considerations be added
for each instance where the RPL security mechanisms are not to be used.
Each of those sections should show how the replacement mechanisms will
meet the requirements of the RPL security services that are described
in 6550.

I also see that the authors are also trying to address the initial
deployment and incremental deployments, which is laudable.  The authors
may wish to look at restructuring the Security Considerations section
to address these things through the FCAPS model or something similar.