Document: draft-ietf-pana-framework-08.txt
Reviewer: David L. Black
Review Date: June 4, 2007
IETF LC End Date: June 7, 2007

Summary: This draft is on the right track but has open issues, described in the review.

Comments:

This draft has changed significantly since its -06 version that I previously reviewed for Gen-ART. Sections 5-10 of the -06 draft have been removed, resulting in a considerably higher-level -08 document that is appropriate to publish as Informational (my previous review of -06 had expressed a concern about whether it should be standards track instead of informational). Much of my previous Gen-ART review concerned portions of the -06 draft that have been removed:

http://www.alvestrand.no/ietf/gen/reviews/draft-ietf-pana-framework-06-black.txt

The following points from that review of -06 have not been addressed:

Section 3 could use a discussion about the relationship of the access network to the network that PANA controls access to. Figure 1 ought to show the latter (accessed) network as connected to the EP, and a two-cloud ASCII diagram would be very useful. Among other things, this would make it clear that the access network is in general a shared access network.

Section 4 talks about authentication at two levels - the lower level (link native or IPsec) and EAP over PANA. It needs to describe the recommended or required relationships between the identities used for these authentications. If there is no relationship, there is a potential vulnerability (particularly in the IPsec scenario) to a man-in-the-middle attack where the secure channel ends are not at the PaC and EP.

The latter concern needs to be noted in the Security Considerations section, even if it is addressed elsewhere - the solution need not be in this draft, but the identity correspondence problem is an aspect of the PANA framework and needs to be noted as a security consideration.

- Alper's email address needs to be updated, as the one in the draft does not work.
- idnits 2.04.08 complains that there's no Intended Status on the first page.