[secdir] SecDir Review of draft-bao-v6ops-rfc6145bis-05
Yoav Nir <ynir.ietf@gmail.com> Sat, 05 March 2016 22:56 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1CFD1B382B; Sat, 5 Mar 2016 14:56:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xm7pq9T3G--A; Sat, 5 Mar 2016 14:56:00 -0800 (PST)
Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com [IPv6:2a00:1450:400c:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16B0C1B382A; Sat, 5 Mar 2016 14:56:00 -0800 (PST)
Received: by mail-wm0-x22b.google.com with SMTP id l68so63470468wml.0; Sat, 05 Mar 2016 14:56:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-transfer-encoding:subject:message-id:date:to :mime-version; bh=C3O8pyh8Ha6K1RjF3m/a0UURpf+N/QEaPmwoxuuHvck=; b=dZkVZTo3zlKrCSYyccDfyBPeg31sqCRo0hU6GNkz8WYcXc2LdDm1rp6MTJK4a5T/Vx 17FMlT32KDb0PDHj+MR7Sbuv5CH5TikBmAo0idNHJCpDgmg/mix3LJ83fvI+y1OTXOza BrmjF5pXoKdPwIzjZuqs0mNieUINdeCBybV1Uhl59sjUDqk5vpoxqeT68YNLcScvyNhZ 4DXVfoetJoHqg8lrWxZR1pHJEpzwa9RCin8O4QiABrO9uPunui2caD8Susg+sABce2lk gpdU9TxD1pMPtWXM7AqEj/s5jom4I6UovTpw0hMKJlGOnK7l/3iqqLB0PNqxCRFceLj3 G3hA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:content-transfer-encoding:subject :message-id:date:to:mime-version; bh=C3O8pyh8Ha6K1RjF3m/a0UURpf+N/QEaPmwoxuuHvck=; b=E1jxgNqRZI9Bz4z4DNYvAx38udhc6iET/kyWjbmDyBWWhjZE0YyLiPtrFhTvLGVuYv jok2N3qqnaS50fUACzBWX+jNvFu0vRMf1DUM4W2ANsbLhPdm/vle6bK6xirjKsRvwtAf klZ6PJ7dLQL0gJposio8enkW7ijpKaLU8q+ZfZKLuiBEIAMtScCHUaMD4UnR2zEXBnPe 2YFa0ZHmOapZWGVuhRZ7Qtl8Y0M1Nc7r8jvyhHwSxSzE6fxxqunnd7vGkteDbu5hQEjA uROP6DrZtxD1Ak6wu3Uf5U4/F8yK+SAi+jKCp7nD5mFmfvGD0cwkzy8nrMrUOW4ZgZyT DZXA==
X-Gm-Message-State: AD7BkJJfNM6+4TWYN5Sk837JrKn8fFXAfLBHoqdeS9q86MICkOafOVsfNvXrRrADeec7Hw==
X-Received: by 10.194.121.136 with SMTP id lk8mr17199323wjb.92.1457218558679; Sat, 05 Mar 2016 14:55:58 -0800 (PST)
Received: from [192.168.1.13] ([46.120.13.132]) by smtp.gmail.com with ESMTPSA id p191sm11710228wmb.0.2016.03.05.14.55.57 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sat, 05 Mar 2016 14:55:57 -0800 (PST)
From: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <D51FEF3F-512C-467F-8B9D-7EA6B78FA4CF@gmail.com>
Date: Sun, 06 Mar 2016 00:55:55 +0200
To: secdir <secdir@ietf.org>, The IESG <iesg@ietf.org>, draft-bao-v6ops-rfc6145bis.all@tools.ietf.org
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/GsFhoEGvg-vG1i86BJCwO793ZK8>
Subject: [secdir] SecDir Review of draft-bao-v6ops-rfc6145bis-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Mar 2016 22:56:02 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.
Summary: Ready with nits.
The nits are not about security. they are mostly around readability. We have statements in one section that are only explained several sections later:
Section 1.2 says this:
Fragmented IPv4 UDP packets that do not contain a UDP checksum (i.e.,
the UDP checksum field is zero) are not of significant use in the
Internet, and in general will not be translated by the IP/ICMP
translator.
It's not clear why this is true. What do UDP checksums have to do with fragmentation? The mystery is solved in section 4.5 (You have to calculate the UDP checksum for IPv6, and you can’t recalculate it if it’s zero). It’s fine to explain later, but you should have a forward reference in section 1.2.
And speaking of the explanation in section 4.5:
For a stateful translator, the handling of fragmented UDP IPv4
packets with a zero checksum is discussed in [RFC6146]), Section
3.1.
There is an extra closing bracket at the reference, and the section is 3.4, not 3.1.
First paragraph in section 1.3 mentions a lot of terms that are not defined anywhere in the draft (masking addresses, hairpinning, contiguous routing connectivity). These terms are not explained in RFC 6144 either.
Section 4 talks about "IPv4 datagram addressed to a destination towards the IPv6 domain". This term is not clear, because IPv4 packets tend to have destination addresses that are IPv4. I take this to mean that some portion of the IPv4 space was allocated by DNS64 to "represent" IPv6 addresses, but the text should say this. Later, section 4.6 actually says this, but I think this needs to be mentioned before use.
The security considerations draft is fine and addresses all the issues I can think of. There is one nit, though:
As with network address translation of IPv4 to IPv4, packets with
tunnel mode Encapsulating Security Payload (ESP) can be translated
since tunnel mode ESP does not depend on header fields prior to the
ESP header.
...
the IPsec ESP endpoints will normally detect the presence of
the translator and encapsulate ESP in UDP packets [RFC3948].
If ESP packets could be translated with no problems, we wouldn’t need RFC 3948 (UDP encapsulation of IPsec ESP packets).
Yoav