[secdir] sec-dir review of draft-ietf-softwire-4rd-08

Derek Atkins <derek@ihtfp.com> Mon, 06 October 2014 18:31 UTC

Return-Path: <derek@ihtfp.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 199AC1A87C6; Mon, 6 Oct 2014 11:31:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.289
X-Spam-Status: No, score=-1.289 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_ORG=0.611] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id bMum562cAmrI; Mon, 6 Oct 2014 11:31:14 -0700 (PDT)
Received: from mail2.ihtfp.org (MAIL2.IHTFP.ORG []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25D4B1A87BC; Mon, 6 Oct 2014 11:31:14 -0700 (PDT)
Received: from localhost (localhost []) by mail2.ihtfp.org (Postfix) with ESMTP id EF768E2034; Mon, 6 Oct 2014 14:31:11 -0400 (EDT)
Received: from mail2.ihtfp.org ([]) by localhost (mail2.ihtfp.org []) (amavisd-maia, port 10024) with ESMTP id 14050-06; Mon, 6 Oct 2014 14:31:09 -0400 (EDT)
Received: from securerf.ihtfp.org (unknown [IPv6:fe80::ea2a:eaff:fe7d:235]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mocana.ihtfp.org", Issuer "IHTFP Consulting Certification Authority" (verified OK)) by mail2.ihtfp.org (Postfix) with ESMTPS id A66B4E2031; Mon, 6 Oct 2014 14:31:09 -0400 (EDT)
Received: (from warlord@localhost) by securerf.ihtfp.org (8.14.8/8.14.8/Submit) id s96IV8xs019509; Mon, 6 Oct 2014 14:31:08 -0400
From: Derek Atkins <derek@ihtfp.com>
To: iesg@ietf.org, secdir@ietf.org
Date: Mon, 06 Oct 2014 14:31:08 -0400
Message-ID: <sjmfvf1qccz.fsf@securerf.ihtfp.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/5sS4I2B6IdiQw7OlXuGdAhv-cbs
Cc: software-chairs@tools.ietf.org, phdgang@gmail.com, fibrib@gmail.com, Yiu_Lee@Cable.Comcast.com, despres.remi@laposte.net, repenno@cisco.com, jiangsheng@huawei.com
Subject: [secdir] sec-dir review of draft-ietf-softwire-4rd-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Oct 2014 18:31:16 -0000


I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

I see no major technical issues with this document, although I do have
one question:  In the Security Considerations section under Spoofing
attacks you talk about ingress filtering and address consistency, but
couldn't one could theoretically spoof ICMP messages by injecting
messages with the "reserved IPv4 dummy address" specified in section
4.8?  Moreover, the whole security of the system depends on everyone
in the network behaving properly.  Is that something we can really
assume to be true?

I also have one editorial comment:

In Section 3, on page 7 you say:

   For IPv4 anti-spoofing protection to extend to IPv4, ingress
   filtering has to be effective in IPv6 (Section 4.4 and Section 5).

I suspect this should read "For IPv6 anti-spoofing protection to
extend to IPv4,...".  Or maybe the other way around?  I'm not sure
what you mean here; the current phrasing is confusing.


       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant