Early Review of draft-ietf-dime-app-design-guide-19

Request Review of draft-ietf-dime-app-design-guide
Requested rev. no specific revision (document currently at 28)
Type Early Review
Team Security Area Directorate (secdir)
Deadline 2014-08-05
Requested 2013-09-12
Authors Lionel Morand, Victor Fajardo, Hannes Tschofenig
Draft last updated 2013-09-19
Completed reviews Genart Early review of -19 by Martin Thomson (diff)
Secdir Early review of -19 by Yoav Nir (diff)
Opsdir Early review of -20 by David Kessens (diff)
Opsdir Telechat review of -26 by BenoƮt Claise (diff)
Assignment Reviewer Yoav Nir 
State Completed
Review review-ietf-dime-app-design-guide-19-secdir-early-nir-2013-09-19
Reviewed rev. 19 (document currently at 28)
Review result Has Nits
Review completed: 2013-09-19


Do not be alarmed.  I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

Summary: The document is ready for publication

This informational document provides guidance on extending Diameter applications and on creating new ones. It contains advice such as to re-use existing commands and AVPs, considerations for adding and deleting commands and AVPs, and accounting.

Section 5.11 talks about Diameter security mechanisms: (D)TLS or IPsec. Some might dislike that it still mentions IKEv1. I'm not sure why this section is necessary at all, as these security mechanisms apply to the base protocol rather than any particular extension.

There is a 2-page section dealing with registration considerations, but only a very short paragraph for security considerations. That section pretty much says that extensions may be related to security functionality, but the document does not give guidance on enhancing Diameter with respect to security. I agree that this is OK, and new security functionality should specify its own considerations. I do wonder, though, whether it makes sense to include advice about the content in new data and applications as it relates to security, specifically as it relates to data leakage or data aggregation or user privacy.


Second sentence in the security considerations section:
 Although such an extension may related to security functionality,
 Although such an extension may be related to security functionality,