Last Call Review of draft-ietf-pana-preauth-
review-ietf-pana-preauth-secdir-lc-salowey-2010-01-21-00

Request Review of draft-ietf-pana-preauth
Requested rev. no specific revision (document currently at 09)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2010-01-19
Requested 2009-12-18
Authors Alper Yegin, Yoshihiro Ohba
Draft last updated 2010-01-21
Completed reviews Secdir Last Call review of -?? by Joseph Salowey
Assignment Reviewer Joseph Salowey
State Completed
Review review-ietf-pana-preauth-secdir-lc-salowey-2010-01-21
Review completed: 2010-01-21

Review
review-ietf-pana-preauth-secdir-lc-salowey-2010-01-21

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors.  Document editors and WG chairs should treat these as
comments just like any other last call comments.  I apologize for the
late review.  

I did not find any major issues with the document.  The security
considerations section does describe the additional DOS threat
associated with the operation of the protocol.  I think the potential
mitigations could be described better.  1) it seems that the stateless
PCI should be moved up in the section since it is related to the last
sentence of the first paragraph. 2) it's not clear that "authorized" is
the best word to use here since authentication has not completed yet.
It might be better to say "It is recommended that messages are only
accepted from PACs originating from well known IP networks for a given
PAA."  It's not really clear how effective or practical this restriction
would be, but I'm not very familiar with PANA deployments.  

Cheers,

Joe