Fear not, as this is just the secdir review!

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving security requirements and considerations in IETF drafts. Comments not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments.

Summary: Ready with nits.

Nits:

0. s1.1: This section can be removed because there's no 2119-language in the draft, but that can be done by the RFC editor later.

1. s3.5: Somebody once suggested adding an IKEv2 payload for configuration data and got their head handed to them. I guess it's fine to leave the paragraph in the draft because this is just a possible solution, but I'd not count on it as a viable option.

2. s4.2: Makes me think of Fernando's VPN leaks RFC: http://datatracker.ietf.org/doc/rfc7359/ .

3. s5.2.1: Makes me hope that if there are two connections and one is a VPN, lookups meant for that connection are only done over that connection and not leaked out. I think this is covered later in the section though.

spt