Re: [secdir] [v6ops] Secdir telechat review of draft-ietf-v6ops-transition-ipv4aas-12

JORDI PALET MARTINEZ <> Wed, 09 January 2019 10:30 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 500D312F1AC; Wed, 9 Jan 2019 02:30:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jtr_gUOWMrtU; Wed, 9 Jan 2019 02:30:26 -0800 (PST)
Received: from ( [IPv6:2001:470:1f09:495::5]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A14DD12F1A2; Wed, 9 Jan 2019 02:30:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple;; s=MDaemon; t=1547029824; x=1547634624;; q=dns/txt; h=User-Agent:Date: Subject:From:To:CC:Message-ID:Thread-Topic:References: In-Reply-To:Mime-version:Content-type:Content-transfer-encoding; bh=vT/XEAgZAZVb0i7qY5c5RVHoIgywp4H58PJGELx2mE8=; b=QHj5p8jFlG+ct AKyIPwvDX2RkZKxJXNm8Ff9r5uqmW2QfytlFAg1EDQrGElbSzyEZyZRtowIFORuB XRlRA6ptB6qcs+8oKMbooWbIwJhgKoOSzCFHQruPbvR4CcKrjoWoHSwnbfEJp0J9 WjkOkhkd5qSf3TzhLJAh4DQ9cntJ2Q=
X-MDAV-Result: clean
X-MDAV-Processed:, Wed, 09 Jan 2019 11:30:24 +0100
X-Spam-Processed:, Wed, 09 Jan 2019 11:30:22 +0100
Received: from [] by (MDaemon PRO v16.5.2) with ESMTPA id md50006103042.msg; Wed, 09 Jan 2019 11:30:20 +0100
X-MDRemoteIP: 2001:470:1f09:495:4069:342c:af81:26bf
X-MDHelo: []
X-MDArrival-Date: Wed, 09 Jan 2019 11:30:20 +0100
User-Agent: Microsoft-MacOutlook/
Date: Wed, 09 Jan 2019 11:30:17 +0100
To: Christian Huitema <>, "STARK, BARBARA H" <>
CC: "" <>, "" <>, "" <>
Message-ID: <>
Thread-Topic: [v6ops] Secdir telechat review of draft-ietf-v6ops-transition-ipv4aas-12
References: <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <>
Subject: Re: [secdir] [v6ops] Secdir telechat review of draft-ietf-v6ops-transition-ipv4aas-12
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 09 Jan 2019 10:30:28 -0000

Hi Christian,

No, it was not intended to configure the LANs, just the CE.

I think that's clear in the document (abstract, intro), so if you feel that something else need to be included to make sure that is not misunderstood, please, let me know.

In Section 3.2 I've added this, let me know if you think is now clearer:

   Note that this document is only configuring the IPv4aaS in the IPv6
   Transition CE Router itself, and not forwarding such information to
   devices attached to the LANs, so the WAN configuration, availability
   of native IPv4 or IPv4aaS, is transparent for them.

Regarding the Security Section, following your points and Barbara suggestions I've this:

   The IPv6 Transition CE Router must comply with the Security
   Considerations as stated in [RFC7084], as well as those stated by
   each transition mechanism implemented by the IPv6 Transition CE

   As described in [RFC8026] and [RFC8415] Security Consideration
   sections, there are generic DHCP security issues, which in the case
   of this document means that malicious nodes may alter the priority of
   the transition mechanisms.

   Access network architecture for securing DHCP within the access
   network is out of scope of this document.  Securing DHCP in the LAN
   is also not in scope.  DHCP packets MUST NOT be forwarded between LAN
   and WAN interfaces of an IPv6 Transition CE router.


-----Mensaje original-----
De: ietf <>; en nombre de Christian Huitema <>;
Fecha: miércoles, 9 de enero de 2019, 7:14
CC: ""; <>;, ""; <>;, ""; <>;
Asunto: Re: [v6ops] Secdir telechat review of draft-ietf-v6ops-transition-ipv4aas-12

    On 1/8/2019 10:38 AM, JORDI PALET MARTINEZ wrote:
    > The security concerns raised *initially* by Christian were related to the use of DHCP for configuring the WAN. At least that was what I understood. Then we continued discussing about the LAN, which I agree with you, is not a requirement on this document.
    I may be very confused, because the way I read your draft I assumed that
    the DHCPv6 S46 option was meant to inform the LAN-side devices of the
    available and preferred transition services. From what you are telling
    me, the S46 option is actually provided by the WAN side DHCPv6 server,
    of which the CPE is a client. That would be the preferred way for an ISP
    to configure the customer premise device.
    If the DHCPv6 option is only used on the WAN side, then I agree with
    Barbara and you that solutions like DHCP Guard or 802.1x are not
    relevant. There is no need for the proposed paragraph starting with
    "considering that" and ending with "scope of this document".
    On the other hand, if I was that much confused, others will be too. I
    might be useful to drop a line in section 3.2 explain in layman terms
    how the S46 option is used.
    -- Christian Huitema

IPv4 is over
Are you ready for the new Internet ?
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.