[secdir] Secdir review of draft-ietf-ospf-ipv4-embedded-ipv6-routing-09

Ben Laurie <benl@google.com> Fri, 05 April 2013 15:00 UTC

From: Ben Laurie <benl@google.com>
To: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-ospf-ipv4-embedded-ipv6-routing.all@tools.ietf.org

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Summary: I-D is ready with potential nits.

Detail: as far as I can tell, this I-D does not introduce any new
mechanism and instead describes a particular configuration of existing
mechanisms. As such, it is hard for it to introduce security issues
that do not already exist. However, it is entirely possible the
document's advice is not optimal - I'm afraid my knowledge of IPv6 is
too limited to be a good judge of that.

The security considerations section does mention some potential
pitfalls, but it is hard to judge whether they are comprehensive, and
I would suggest they should be. I would advise the security ADs to
have it reviewed by an IPv6 security expert.