[secdir] Review of draft-arkko-townsley-coexistence-04

Shawn Emery <shawn.emery@oracle.com> Mon, 11 October 2010 06:37 UTC

Message-ID: <4CB2B0C4.9080000@oracle.com>
Date: Mon, 11 Oct 2010 00:37:56 -0600
From: Shawn Emery <shawn.emery@oracle.com>
To: secdir@ietf.org
Cc: draft-arkko-townsley-coexistence.all@tools.ietf.org, iesg@ietf.org
Subject: [secdir] Review of draft-arkko-townsley-coexistence-04

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors. Document editors and WG chairs should treat 
these comments just like any other last call comments.

This is an informational draft that provides guidance for effectively 
managing IPv4/IPv6 addresses by address and protocol translation mechanisms.

The security considerations section does exist and defers to 
wing-nat-pt-replacement-comparison for some of the solutions.  
wing-nat-pt-replacement-comparison discusses possible DoS and spoofing 
attacks when sharing an IPv4 address amongst multiple subscribers.  It 
would be nice, though, if either this draft or the one referenced would 
prescribe techniques to mitigate such attacks.

General comments:


Editorial comments:

s/reader to be consider/reader to consider/

This sentence should be restructured for readability purposes:

For deployments where the GW is owned and operated by the customer, this becomes
operational overhead for the Internet Service Provider (ISP) that it
will no longer be able to rely on the customer and the seller of the
GW device for.

s/of NAT444 need/of NAT444 needs/

s/tunnel could created/tunnel could be created/