Gen-ART LC review of draft-ietf-opsec-lla-only-07

"Peter Yee" <peter@akayla.com> Tue, 08 April 2014 06:58 UTC

Return-Path: <peter@akayla.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63BFD1A014B; Mon, 7 Apr 2014 23:58:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NJBHjiHz1Adf; Mon, 7 Apr 2014 23:58:35 -0700 (PDT)
Received: from p3plsmtpa09-08.prod.phx3.secureserver.net (p3plsmtpa09-08.prod.phx3.secureserver.net [173.201.193.237]) by ietfa.amsl.com (Postfix) with ESMTP id 265961A0146; Mon, 7 Apr 2014 23:58:29 -0700 (PDT)
Received: from spectre ([173.8.184.78]) by p3plsmtpa09-08.prod.phx3.secureserver.net with id nJyH1n0061huGat01JyHvd; Mon, 07 Apr 2014 23:58:24 -0700
From: "Peter Yee" <peter@akayla.com>
To: <draft-ietf-opsec-lla-only.all@tools.ietf.org>
Subject: Gen-ART LC review of draft-ietf-opsec-lla-only-07
Date: Mon, 7 Apr 2014 23:58:18 -0700
Message-ID: <012001cf52f7$f0361670$d0a24350$@akayla.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac9S8v0hRSibx5myQkiFkifq7Hdr0g==
Content-Language: en-us
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/ilCoUsNzn-BZI4BWUUARzKhRpcE
Cc: gen-art@ietf.org, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Apr 2014 06:58:39 -0000

I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>

Please resolve these comments along with any other Last Call comments you
may receive.

Document: draft-ietf-opsec-lla-only-07
Reviewer: Peter Yee
Review Date: April-7-2014
IETF LC End Date: April-7-2014
IESG Telechat date: TBD

Summary: This draft is basically ready for publication as an Informational
RFC, but has issues that should be fixed before publication. [Ready with
issues.]

This document discusses the (controversial) use of IPv6 link-local addresses
on router infrastructure links.  I don't find all of the arguments for use
of link-local addresses to be terribly compelling, but I'm not utterly
averse to the document's publication as a summary of some of the pros and
cons for those who desire to configure their routers in the manner
prescribed.  There may be other reasons that should be taken into
consideration, but I lack a network operator's experience to discuss them.

Minor:

Page 4, 4th paragraph: I don't buy this argument.  DNS can be simplified for
non-link-local addresses by simply not registering those addresses in DNS.
Use of link-local addresses isn't a requirement to simplify DNS.

Page 4, 5th paragraph, 2nd sentence: SSH brute force password attacks aren't
really reduced unless the reduction is simply not being able to attack a
single router over multiple interfaces in parallel.  A better scheme for
reducing SSH brute force password attacks might be to limit the rate of
responses to SSH login attempts in the face of repeated failures.
Considering dropping this marginal example.

Page 4, 6th paragraph, 1st sentence: I'm not sure what is meant by "the same
result".  Is this in reference to all 5 paragraphs that precede the 6th?  If
so, you might wish to elaborate with "the same results as the above" .
However, if the same results can be obtained without going to link-local
addressing as this paragraph indicates, why is the use of link-local
addressing being suggested?  The paragraph might do well to explain why one
scheme is preferable over the other.

Page 6, 1st partial paragraph: the argument is made that "more work" is
required to discover all of an IXPs loopback interface addresses before a
generic attack can be mounted.  This wouldn't seem to be a lot of upfront
work and once it has been done, the advantage is negated.  I don't find the
argument particularly persuasive.  

Nits:

Page 2, Section 2 title: change "Address" to "Addressing".

Page 3, second paragraph: change "non link-local" to "non-link-local".

Page 4, 1st paragraph, 3rd sentence: change "accellerated" to "
accelerated".

Page 4, 5th paragraph, 2nd sentence: delete the comma after "[RFC4987])" and
change the "or" to "and".

Page 6, 1st full paragraph, 1st sentence: change "allow" to "allows" and
insert "an" before "MPLS LSP".


		-Peter Yee