Document: draft-ietf-mip6-cn-ipsec-05
Reviewer: Christian Vogt
Review Date: September 10, 2007
IETF LC End Date: September 9, 2007
IESG Telechat date: --

Summary: Ready with nits.

Comments:

An important requirement for IPsec-based protection of Mobile IPv6 route optimization is that the IPsec security associations are bound to the mobile node's home address. A malicious mobile node could otherwise misuse its own security association for impersonating the home address of a different mobile node. The draft ensures this requirement in section 3 by saying that...

> - the Traffic Selectors MUST match exclusively the Home Address of
>   the Mobile Node and an address of the Correspondent Node (the
>   address used for communication between peers).

Yet the importance of this requirement, as well as its reason and effect, is unlikely to become clear to the non-expert reader. I would recommend adding a section in the Security Considerations section elaborating on this.

Three nits in addition:

- Abstract:

  > This document defines how IPsec can be used
  > between the Mobile Node and Correspondent Nodes for Home Address
  > Option validation (aka. triangular routing) and protection of
  > mobility signaling for Route Optimization.

  The phrase "aka. triangular routing" is out of context here. Just drop it.

- Section 1: "This document defines an alternative mechanism" --> "...an alternative mechanism for Mobile IPv6 route optimization"

- Section 3: "anti-replay services MUST be enabled" is suggested in place of "anti-replay services MUST be selected", i.e. "anti-replay services MUST be selected" --> "...MUST be enabled"
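
The traffic-selector requirement discussed in the comments above, shown as an added example that is not part of the review or of the draft: a simplified Correspondent Node check that compares a claimed Home Address against the selectors of the security association the packet arrived on. The `InboundSA` model, the function names and all addresses (documentation prefix 2001:db8::/32) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class InboundSA:
    """Hypothetical, simplified inbound SA as held by the Correspondent Node."""
    owner: str                         # authenticated peer the SA was set up with
    remote_ts: ipaddress.IPv6Network   # traffic selector for the Mobile Node side
    local_ts: ipaddress.IPv6Network    # traffic selector for the Correspondent Node side


def selectors_are_exclusive(sa, home_address, cn_address):
    """True only if each selector covers exactly one address: the HoA and the CN address."""
    hoa = ipaddress.IPv6Address(home_address)
    cn = ipaddress.IPv6Address(cn_address)
    return (sa.remote_ts.prefixlen == 128 and sa.remote_ts.network_address == hoa
            and sa.local_ts.prefixlen == 128 and sa.local_ts.network_address == cn)


def packet_matches_sa(sa, claimed_home_address, dst_address):
    """Selector check after IPsec processing: the Home Address claimed in the
    packet and its destination must both fall inside the SA's selectors."""
    return (ipaddress.IPv6Address(claimed_home_address) in sa.remote_ts
            and ipaddress.IPv6Address(dst_address) in sa.local_ts)


# Constructed sample data: two mobile nodes on the same home prefix.
CN = "2001:db8:2::1"
HOA_A = "2001:db8:1::a"   # home address of the SA owner
HOA_B = "2001:db8:1::b"   # home address of a different mobile node

# Selector covering the whole home prefix: not bound to one home address.
LOOSE_SA = InboundSA("mn-a", ipaddress.IPv6Network("2001:db8:1::/64"),
                     ipaddress.IPv6Network("2001:db8:2::1/128"))
# Selector matching exclusively the owner's home address and the CN address.
BOUND_SA = InboundSA("mn-a", ipaddress.IPv6Network("2001:db8:1::a/128"),
                     ipaddress.IPv6Network("2001:db8:2::1/128"))


def demo():
    """Return whether a packet claiming HOA_B passes on each of mn-a's SAs."""
    return {
        "loose_accepts_other_hoa": packet_matches_sa(LOOSE_SA, HOA_B, CN),
        "bound_accepts_other_hoa": packet_matches_sa(BOUND_SA, HOA_B, CN),
        "bound_accepts_own_hoa": packet_matches_sa(BOUND_SA, HOA_A, CN),
    }


if __name__ == "__main__":
    print(demo())
```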