Last Call Review of draft-kivinen-ipsecme-oob-pubkey-11
review-kivinen-ipsecme-oob-pubkey-11-opsdir-lc-romascanu-2015-09-30-00

Request Review of draft-kivinen-ipsecme-oob-pubkey
Requested rev. no specific revision (document currently at 14)
Type Last Call Review
Team Ops Directorate (opsdir)
Deadline 2015-09-23
Requested 2015-09-01
Authors Tero Kivinen, Paul Wouters, Hannes Tschofenig
Draft last updated 2015-09-30
Completed reviews Genart Last Call review of -11 by Francis Dupont (diff)
Genart Telechat review of -12 by Francis Dupont (diff)
Secdir Last Call review of -11 by Derek Atkins (diff)
Opsdir Last Call review of -11 by Dan Romascanu (diff)
Assignment Reviewer Dan Romascanu
State Completed
Review review-kivinen-ipsecme-oob-pubkey-11-opsdir-lc-romascanu-2015-09-30
Reviewed rev. 11 (document currently at 14)
Review result Ready
Review completed: 2015-09-30

Review
review-kivinen-ipsecme-oob-pubkey-11-opsdir-lc-romascanu-2015-09-30

Hi,

I have reviewed this document as part of the Operational directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving the operational aspects of the IETF drafts. Comments that are not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments.

This is a relatively simple specification that updates RFC 7296 by extending the range of types of public keys supported by IKEv2. It is clear, well written and has a couple of examples that help with understanding the need and applicability. It is ready for publication from an Operational and Manageability point of view, and an RFC 5706 full review would not apply.

There are no special manageability or operational concerns. There is, however, an operational impact that is mentioned only indirectly in Section 4 (Security Considerations) and which would maybe have deserved some text. To be deployed, the new raw public keys need to be either preconfigured or configured through a configuration interface, or else secure DNS should be used. In any case there is an increased level of operational complexity involved in the deployment, and this could have been explicitly mentioned.

I hope this helps,

Regards,

Dan