[secdir] Secdir review of draft-ietf-opsec-ipv6-host-scanning-07

Dacheng <zhang_dacheng@hotmail.com> Sun, 05 July 2015 13:47 UTC

To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Opg3xNcdHjFcMcARpI-86kONhdQ>
Cc: "draft-ietf-opsec-ipv6-host-scanning.all@ietf.org" <draft-ietf-opsec-ipv6-host-scanning.all@ietf.org>

I have reviewed this document as part of the security directorate’s ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document explores the topic of Network Reconnaissance in IPv6 networks. It analyzes the feasibility of address-scan attacks in IPv6 networks in different scenarios and proposes comments to mitigate certain issues.
Two comments follow:
1) There are overlaps in the contents of the security consideration and conclusions. Maybe it is reasonable to integrate the conclusions into security considerations. In addition, the security consideration section is normally about the new issues or concerns raised by the proposed work. However, this memo does not propose any new mechanism and so introduces no security vulnerability. I suggest the authors clarify this in the security consideration section.
2) There is a very big section and a lot of short sections. I suggest combining sections 4-14 into a single one to make the lengths of different sections more balanced.
Anyway, the analysis in this work is quite extensive. I really enjoy reading it. I think this document is nearly ready for publication with some tiny modifications.
Cheers
Dacheng