[secdir] secdir review for draft-ietf-ipsecme-ad-vpn-problem-07

Carl Wallace <carl@redhoundsoftware.com> Thu, 20 June 2013 11:26 UTC

Return-Path: <carl@redhoundsoftware.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE12121F9A5E for <secdir@ietfa.amsl.com>; Thu, 20 Jun 2013 04:26:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.424
X-Spam-Level:
X-Spam-Status: No, score=-2.424 tagged_above=-999 required=5 tests=[AWL=0.175, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id diw4HWXWbxm7 for <secdir@ietfa.amsl.com>; Thu, 20 Jun 2013 04:26:08 -0700 (PDT)
Received: from mail-qc0-x232.google.com (mail-qc0-x232.google.com [IPv6:2607:f8b0:400d:c01::232]) by ietfa.amsl.com (Postfix) with ESMTP id 69F1221F9A59 for <secdir@ietf.org>; Thu, 20 Jun 2013 04:26:08 -0700 (PDT)
Received: by mail-qc0-f178.google.com with SMTP id c11so3620996qcv.37 for <secdir@ietf.org>; Thu, 20 Jun 2013 04:26:07 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=user-agent:date:subject:from:to:message-id:thread-topic :mime-version:content-type:content-transfer-encoding :x-gm-message-state; bh=5B5OwsQb6JiPPDwu++YCC7h6XghMbSMzsW/rrcaeiGk=; b=cEUHcojVMmTbwdfNk58HPIZXaYPQzYHs8ndvgR7nHN1rxhcbOCo+dPCvurW+XRMeS1 E6G+6NSqwrG4uTDofkAdgznUNBuJ/ss4QCtSxCJ6I4y4HhAmMNoTcI1XzYyUf3ORa7CR RGCBMHuqUSuaawGM7w6DCIVL3TytpbYkoFJm5YW7t42Q8cKJ7hI94RUnZUhUeSf1cyiE rzl1q+S83I4iCSbpVYyS9OdJAoZDFLCWTIoABEDygp/TBLxkboaaYoUEVAJSn0U3u+cd 3zNnHAqHza5GY47IS/rUZkRvGwM2QxQmm0I6l4eALi4MK4VQumJUiZZwIkjmbDe8HwT7 HxnA==
X-Received: by 10.49.118.166 with SMTP id kn6mr8989630qeb.39.1371727567502; Thu, 20 Jun 2013 04:26:07 -0700 (PDT)
Received: from [192.168.2.6] (pool-173-79-116-61.washdc.fios.verizon.net. [173.79.116.61]) by mx.google.com with ESMTPSA id j5sm305229qan.7.2013.06.20.04.26.05 for <multiple recipients> (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 20 Jun 2013 04:26:06 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/14.3.1.130117
Date: Thu, 20 Jun 2013 07:26:06 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: <iesg@ietf.org>, <secdir@ietf.org>, <draft-ietf-ipsecme-ad-vpn-problem.all@tools.ietf.org>
Message-ID: <CDE85F0E.45BF3%carl@redhoundsoftware.com>
Thread-Topic: secdir review for draft-ietf-ipsecme-ad-vpn-problem-07
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
X-Gm-Message-State: ALoCoQnAGfhBExd57mvqEfmg4Nk+Gy3wX1hQlDG2mUKJCmGs4eOoxJy1B0BqBgCEsF5DQ070aULC
Subject: [secdir] secdir review for draft-ietf-ipsecme-ad-vpn-problem-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jun 2013 11:26:09 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments
just like any other last call comments.


This document describes the problem of enabling a large number of systems
to communicate directly using IPSec and defines requirements for
prospective solutions.  As a problem statement, it does not introduce any
new security concerns.  I have no new use cases, requirements or security
concerns to contribute.  I had one minor nit.  The use cases specifically
call out a need for an authentication mechanism.  The requirements do not
(other than implicitly through requirement 5).