Last Call Review of draft-ietf-dime-rfc4005bis-

Request Review of draft-ietf-dime-rfc4005bis
Requested rev. no specific revision (document currently at 14)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2012-09-18
Requested 2012-09-07
Authors Glen Zorn
Draft last updated 2012-09-28
Completed reviews Genart Last Call review of -11 by David Black (diff)
Genart Telechat review of -14 by David Black
Secdir Last Call review of -?? by Kathleen Moriarty
Opsdir Telechat review of -14 by Benoît Claise
Assignment Reviewer Kathleen Moriarty 
State Completed
Review review-ietf-dime-rfc4005bis-secdir-lc-moriarty-2012-09-28
Review result Ready with Nits
Review completed: 2012-09-28


I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes the extension of Diameter for the NAS application. 

As such, should the abstract be updated to ensure the reader is aware of the scope limitation in the first sentence?

In reading through the draft, I agree with the summary in the Security Considerations section.  This document is limited in scope; it extends the definition and doesn't go into the details of the protocol and the associated security considerations. The base protocol is defined in RFC3588bis along with the security requirements.

I think a reference to the authentication security requirements/considerations defined in ietf-dime-rfc3588bis would be very helpful so that the reader knows the extent of possible security issues and solutions since they go beyond what is described in this document.  Having the reference either in Sections 4.3.1 and 4.5.6 or the Security Considerations section would ensure the reader is aware this is addressed elsewhere.  Some issues are addressed in these sections, but they do not go as far as the base protocol and there could be issues as this document just relies on session encryption to protect plaintext passwords, etc.  The base protocol describes other mechanisms and risks.

Editorial nit:
Section 1.1, first sentence of last paragraph
Change from:
"There are many other many miscellaneous"
to:
"There are many other miscellaneous"