[secdir] SecDir review of draft-weil-shared-transition-space-request-03

Yaron Sheffer <yaronf@gmx.com> Mon, 22 August 2011 21:13 UTC

Message-ID: <4E52C6C8.5070804@gmx.com>
Date: Tue, 23 Aug 2011 00:14:48 +0300
From: Yaron Sheffer <yaronf@gmx.com>
To: secdir@ietf.org, draft-weil-shared-transition-space-request.all@tools.ietf.org, iesg@ietf.org

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Summary

Security considerations are missing and should be added.

Details

A number of objections were raised on the main IETF mailing list. Not being an expert on IPv6 transition strategies, I will not opine on the value of the proposed address space. However, from the point of view of security, the draft needs to be improved.

For motivation, the draft refers to a "problem statement" draft, draft-bdgks-arin-shared-transition-space. Looking at the security considerations in draft-bdgks, it is clear that the current document should say much more than "this is not a protocol; there are no security implications," as it currently does. I'm afraid I disagree on both counts: this is indeed a protocol (it defines who is allowed to use these addresses and for what purpose, and it *should* specify how this can be enforced), and there are clear security implications: you don't want people outside the ISP's network (or the ISP's own customers, for that matter) to spoof tunnel termination points.

Following up on draft-bdgks, the current document should at least advise on (and better yet, mandate solutions for) "best practices associated with the use of this space, including considerations relating to filtering, routing, etc.".

Thanks,
     Yaron