I reviewed this document as part of the Security Directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the Security Area Directors. Document authors, document editors, and WG chairs should treat these comments just like any other IETF Last Call comments.

Document: draft-ietf-anima-prefix-management-05
Reviewer: Russ Housley
Review Date: 2017-10-05
IETF LC End Date: 2017-10-12
IESG Telechat date: Unknown

Summary: Has Issues

No Major Concerns

Minor Concerns

This document uses "DHCPv6-PD" and "DHCPv6 PD". At first, I was going to recommend picking one spelling. However, RFC 3633 does not define either of these. So, some explanation is needed in addition to being consistent.

In Section 3, the document says that roles can be locally defined. If I properly understood the rest of the document, this is just an indirect way to state the prefix size. If I got that right, it would help to explain this to the reader as soon as possible.

In Section 3.2.1, please give some examples of device identities. Are we talking about a serial number or something else?

In Section 4.1, the document says:

   It should decide the length of the requested prefix and request it
   by the mechanism described in Section 6.

However, Section 6 talks about:

   ... Thus it would be possible to apply an intended policy for every
   device in a simple way, without traditional configuration files.

I do not see how the mechanisms in Section 6 increase the allocation for a single router. It seems to increase the allocation to all routers with a particular role.

Nits

Throughout the document, I find that "administrator(s)" grabs my attention. I suggest that "administrators" would be better for the reader.

In Section 1, please spell out the first use of "ASA".

In Section 3.1: s/with minimum efforts/with minimum effort/