Re: [Gen-art] Re: Partial review of draft-ietf-v6ops-security-overview-04.txt
Brian E Carpenter <brc@zurich.ibm.com> Tue, 06 June 2006 09:40 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FnY2n-0003fN-HJ; Tue, 06 Jun 2006 05:40:13 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FnY2m-0003fI-84 for gen-art@ietf.org; Tue, 06 Jun 2006 05:40:12 -0400
Received: from mtagate3.de.ibm.com ([195.212.29.152]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FnY2j-0000Vt-MW for gen-art@ietf.org; Tue, 06 Jun 2006 05:40:12 -0400
Received: from d12nrmr1607.megacenter.de.ibm.com (d12nrmr1607.megacenter.de.ibm.com [9.149.167.49]) by mtagate3.de.ibm.com (8.13.6/8.13.6) with ESMTP id k569e8B0015962 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <gen-art@ietf.org>; Tue, 6 Jun 2006 09:40:08 GMT
Received: from d12av04.megacenter.de.ibm.com (d12av04.megacenter.de.ibm.com [9.149.165.229]) by d12nrmr1607.megacenter.de.ibm.com (8.13.6/NCO/VER7.0) with ESMTP id k569g4KA096240 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <gen-art@ietf.org>; Tue, 6 Jun 2006 11:42:04 +0200
Received: from d12av04.megacenter.de.ibm.com (loopback [127.0.0.1]) by d12av04.megacenter.de.ibm.com (8.12.11.20060308/8.13.3) with ESMTP id k569e7AM001688 for <gen-art@ietf.org>; Tue, 6 Jun 2006 11:40:07 +0200
Received: from sihl.zurich.ibm.com (sihl.zurich.ibm.com [9.4.16.232]) by d12av04.megacenter.de.ibm.com (8.12.11.20060308/8.12.11) with ESMTP id k569e6iP001556; Tue, 6 Jun 2006 11:40:06 +0200
Received: from zurich.ibm.com (sig-9-146-217-178.de.ibm.com [9.146.217.178]) by sihl.zurich.ibm.com (AIX4.3/8.9.3p2/8.9.3) with ESMTP id LAA60578; Tue, 6 Jun 2006 11:40:04 +0200
Message-ID: <44854D75.5050304@zurich.ibm.com>
Date: Tue, 06 Jun 2006 11:40:05 +0200
From: Brian E Carpenter <brc@zurich.ibm.com>
Organization: IBM
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113
X-Accept-Language: en, fr, de
MIME-Version: 1.0
To: Elwyn Davies <elwynd@dial.pipex.com>
Subject: Re: [Gen-art] Re: Partial review of draft-ietf-v6ops-security-overview-04.txt
References: <713043CE8B8E1348AF3C546DBE02C1B408AADFBD@zcarhxm2.corp.nortel.com> <4475D2BF.2050805@dial.pipex.com>
In-Reply-To: <4475D2BF.2050805@dial.pipex.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5ebbf074524e58e662bc8209a6235027
Cc: david.kessens@nokia.com, fred.baker@cisco.com, gen-art@ietf.org, suresh.krishnan@ericsson.com, kurtis@kurtis.pp.se, psavola@funet.fi
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
Errors-To: gen-art-bounces@ietf.org
Actually this got deferred by one telechat, so maybe Sharon has the chance to look at the rest... I will very likely be a No Objection, this being a draft I have kept an eye on; it would be rather hypocritical to Discuss it at this late stage. Since there are a couple of quite tricky Discuss comments, there well may be a revision coming, at which point I trust the authors will review Sharon's comments. Brian Elwyn Davies wrote: > > > Sharon Chisholm wrote: > >> Attached is my review of the specified document, submitted as part of >> the Gen-ART process. For background on Gen-ART, please see the FAQ at >> <http://www.alvestrand.no/ietf/gen/art/gen-art-FAQ.html>. >> >> Document: >> http://www.ietf.org/internet-drafts/draft-ietf-v6ops-security-overview-0 >> 4.txt >> >> Summary: This draft is basically ready for publication, but has nits >> that >> should be fixed before publication. >> >> Comments: >> >> I somehow wasn't paying attention and only realized at the last minute >> that I was assigned this review for today's meeting. Apologies for the >> lateness and incompleteness of this review. I only managed to review to >> the end of section 2.3. >> >> 1. In section 1, second paragraph, it says "It is important to >> understand that we have to be concerned not about replacing IPv4 with >> IPv6", which seems a bit bold of a statement without a clarification >> like "in the near future" or some form of explanation. >> > > The sentence is intended to mean that we aren't going to see the > all-IPv4 net going away to be replaced by the all-IPv6 network (in the > short term - actually that is an understatement- more like the long > teerm). Instead we have to deal with co-existence for a very long time. > > Maybe the words could be improved. > >> 2. In section 2.1.1, second paragraph and after the bullets, there is a >> typo - "point wher it is being " >> >> 3. The document contains a number of references to internet drafts that >> originally defined the problems discussed. The document claims "Several >> of these issues have been discussed in separate drafts but are >> summarized here to avoid normative references that may not become RFCs", >> but it isn't clear what the RFC editor should do. Should it delete all >> these references or just delete the ones that are not RFCs at the time >> of publication, or should it evaluate which it thinks will someday >> become RFCs and then wait for them? >> > > I believe that it is OK to leave the references as 'work in progress' > since they are informative in an Informational document. > >> 4. Section 2.1.9. 1 does not make a recommendation. Are we suggesting >> that middleware boxes should inspect these packets or just letting >> people know about the conflict. A recommendation of some sort would seem >> more satisfying. >> > > Yes it would... unfortunately this is difficult because doing what is > advisable breaks the letter of the IPv6 standard and doing what the > standard says can lead to a security hole. IMO the standard should be > fixed but that is not something we can recommend or expect here- so we > can point out that you can do it and leave it to operators to do as they > see fit. Recommending either way would be to upset somebody. > >> 5. In section 2.1.9.2, third paragraph says that "This either limits the >> security that can be applied in firewalls or makes it difficult to >> deploy new extension header types", but I did not find information in >> this section to support that conclusion. It may well be true, but it >> isn't supported. Why is it difficult to skip over header extensions I >> don't recognize, for example? >> > > Because there is no guarantee that a random new header is in the right > TLV format. It alsmost certainly would be but the standard doesn't > *guarantee* it. Again this ought to be fixed. > >> 6. In section 2.3.2, second paragraph, second bullet, isn't it mandatory >> to implement ipsec in IPv6 but it isn't mandatory to deploy it is it? >> I'm not sure this distinction is clear in this bullet. (Assuming my >> understanding is correct that is) >> > > A conforming implementation has to implement it - and hence it *should* > be deployed. The choice is whether the user chooses to use it for any > given session. I think the statements in the section are correct. > > Regards, > Elwyn > >> Sharon Chisholm >> Nortel Ottawa, Ontario >> Canada >> > > > _______________________________________________ > Gen-art mailing list > Gen-art@ietf.org > https://www1.ietf.org/mailman/listinfo/gen-art > _______________________________________________ Gen-art mailing list Gen-art@ietf.org https://www1.ietf.org/mailman/listinfo/gen-art
- [Gen-art] Partial review of draft-ietf-v6ops-secu… Sharon Chisholm
- [Gen-art] Re: Partial review of draft-ietf-v6ops-… Elwyn Davies
- Re: [Gen-art] Re: Partial review of draft-ietf-v6… Brian E Carpenter
- Re: [Gen-art] Re: Partial review of draft-ietf-v6… Elwyn Davies
- RE: [Gen-art] Re: Partial review of draft-ietf-v6… Sharon Chisholm
- [Gen-art] Re: Partial review of draft-ietf-v6ops-… Elwyn Davies