Last Call Review of draft-ietf-roll-building-routing-reqs-
review-ietf-roll-building-routing-reqs-secdir-lc-atkins-2009-05-24-00

Request Review of draft-ietf-roll-building-routing-reqs
Requested rev. no specific revision (document currently at 09)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2009-03-06
Requested 2009-02-20
Draft last updated 2009-05-24
Completed reviews Secdir Last Call review of -?? by Derek Atkins
Secdir Telechat review of -?? by Derek Atkins
Assignment Reviewer Derek Atkins
State Completed
Review review-ietf-roll-building-routing-reqs-secdir-lc-atkins-2009-05-24
Review completed: 2009-05-24

Review
review-ietf-roll-building-routing-reqs-secdir-lc-atkins-2009-05-24

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

   The Routing Over Low power and Lossy network (ROLL) Working Group has 
   been chartered to work on routing solutions for Low Power and Lossy 
   networks (LLN) in various markets: Industrial, Commercial (Building), 
   Home and Urban. Pursuant to this effort, this document defines the 
   routing requirements for building automation. 

The Security Considerations appear to take into account various
requirements for different systems.  What seems to be lacking is
direction about how or when to apply various requirements and what
it means to the deployment.

For example, what would it mean to a deployment if it has
authentication versus not having authentication?  Also, it's unclear
how these requirements would apply to an implementor.

Variable security policies is a good idea, but it requires more
guidance because the end user will never understand the ramifications
of choosing one policy over another.

-derek

-- 
       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant