Last Call Review of draft-ietf-radext-dtls-10

Request Review of draft-ietf-radext-dtls
Requested rev. no specific revision (document currently at 13)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2014-04-30
Requested 2014-04-17
Authors Alan DeKok
Draft last updated 2014-05-02
Completed reviews Genart Early review of -07 by Ben Campbell (diff)
Genart Last Call review of -10 by Ben Campbell (diff)
Secdir Early review of -06 by Brian Weis (diff)
Secdir Last Call review of -10 by Brian Weis (diff)
Assignment Reviewer Brian Weis
State Completed
Review review-ietf-radext-dtls-10-secdir-lc-weis-2014-05-02
Reviewed rev. 10 (document currently at 13)
Review result Ready
Review completed: 2014-05-02


I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This is a re-review; I last reviewed draft-ietf-radext-dtls-06. Reproducing my summary from that review: This document describes requirements and implementation details regarding using DTLS as a transport layer for RADIUS packets. It is a companion to RFC 6614 ("TLS Encryption for RADIUS"), and this I-D references many of the sections in that RFC rather than re-defining them. While the security considerations of encapsulating RADIUS in TLS and DTLS are very similar there are a number of operational issues where a UDP protocol is more advantageous than a TCP, and vice versa. Both documents are worth specifying; providing more secure alternatives to the simple RADIUS MD5 integrity checks is critical.

The current draft addresses my earlier comments, and is much improved due to other changes as well. I believe is ready to publish.

I noticed one nit in the "DTLS Data" definition (Section 5.1): s/variable which may information about/variable which may contain information about/.