[secdir] SecDir review of draft-ietf-radext-ipv6-access-13

Yoav Nir <ynir@checkpoint.com> Tue, 13 November 2012 17:32 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 1F70021F8614; Tue, 13 Nov 2012 09:32:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.573
X-Spam-Status: No, score=-10.573 tagged_above=-999 required=5 tests=[AWL=0.026, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 0tZFQ49n1Acr; Tue, 13 Nov 2012 09:32:32 -0800 (PST)
Received: from smtp.checkpoint.com (smtp.checkpoint.com []) by ietfa.amsl.com (Postfix) with ESMTP id 774E821F85D9; Tue, 13 Nov 2012 09:32:30 -0800 (PST)
Received: from IL-EX10.ad.checkpoint.com ([]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id qADHWCJD001102; Tue, 13 Nov 2012 19:32:17 +0200
X-CheckPoint: {50A2811E-2-1B221DC2-1FFFF}
Received: from IL-EX10.ad.checkpoint.com ([]) by IL-EX10.ad.checkpoint.com ([]) with mapi id 14.02.0318.004; Tue, 13 Nov 2012 19:32:11 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: "iesg@ietf.org IESG" <iesg@ietf.org>, "draft-ietf-radext-ipv6-access.all@tools.ietf.org" <draft-ietf-radext-ipv6-access.all@tools.ietf.org>
Thread-Topic: SecDir review of draft-ietf-radext-ipv6-access-13
Thread-Index: AQHNwcTPUbHJ2GPZ5UOxjF/f4n0iqg==
Date: Tue, 13 Nov 2012 17:32:10 +0000
Message-ID: <4613980CFC78314ABFD7F85CC30277210152E3@IL-EX10.ad.checkpoint.com>
References: <20550.1861.349381.646147@fireball.kivinen.iki.fi>
In-Reply-To: <20550.1861.349381.646147@fireball.kivinen.iki.fi>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
x-cpdlp: 11899cbe73b9f71bcbeed90d6889320e646a9ed742
Content-Type: text/plain; charset="us-ascii"
Content-ID: <F56829D9D827AD4CBCC8F94F7CECC9BA@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: [secdir] SecDir review of draft-ietf-radext-ipv6-access-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Nov 2012 17:32:33 -0000


I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

The draft adds IPv6 RADIUS attributes for information received using DHCP. The attributes include IPv6 address, DNS server address, IPv6 route information, delegated IPv6 prefix, and stateful IPv6 address pool.

The security considerations section covers general vulnerabilities in RADIUS just to say that those apply here as well. It also makes a reference to IPsec as "natively defined for IPv6". This can IMO be omitted, as pretty much every platform that has IPsec for IPv6 has it for IPv4 as well, and IPsec is not longer required for compliance with IPv6, otherwise all those smart objects would be non-compliant.

There is no treatment of the issue of a rogue RADIUS server supplying bad routes to the NAS. This can be explained away by saying that a trust relationship exists between RADIUS server and NAS, but I think this should be mentioned.