Re: [secdir] Review of draft-ietf-behave-v6v4-xlate-20

Tero Kivinen <kivinen@iki.fi> Mon, 16 August 2010 11:59 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0F33A3A680E; Mon, 16 Aug 2010 04:59:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.197
X-Spam-Level:
X-Spam-Status: No, score=-102.197 tagged_above=-999 required=5 tests=[AWL=0.402, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SCr5aI-mN-O0; Mon, 16 Aug 2010 04:59:19 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id C891E3A67B4; Mon, 16 Aug 2010 04:59:18 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id o7GBxdjc025652 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 16 Aug 2010 14:59:39 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id o7GBxbmN025918; Mon, 16 Aug 2010 14:59:37 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <19561.10281.349168.728229@fireball.kivinen.iki.fi>
Date: Mon, 16 Aug 2010 14:59:37 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Xing Li <xing@cernet.edu.cn>
In-Reply-To: <4C62CD51.60401@cernet.edu.cn>
References: <19474.9888.922292.408395@fireball.kivinen.iki.fi> <4C62CD51.60401@cernet.edu.cn>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 2 min
X-Total-Time: 1 min
Cc: draft-ietf-behave-v6v4-xlate.all@tools.ietf.org, congxiao <congxiao@cernet.edu.cn>, Fred Baker <fred@cisco.com>, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Review of draft-ietf-behave-v6v4-xlate-20
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Aug 2010 11:59:20 -0000

Xing Li writes:
> Thank you very much for the comments. With the help of the behave 
> chairs, we have updated the security session of xlate draft, the text reads

New version of security considerations section looks good for me.

> 7. Security Considerations
> 
> The use of stateless IP/ICMP translators does not introduce any new
> security issues beyond the security issues that are already present
> in the IPv4 and IPv6 protocols and in the routing protocols that are
> used to make the packets reach the translator.
> 
> There are potential issues that might arise by deriving an IPv4
> address from an IPv6 address - particularly addresses like broadcast
> or loopback addresses and the non IPv4-translatable IPv6 addresses,
> etc. The [I-D.ietf-behave-address-format] addresses these issues.
> 
> As with network address translation of IPv4 to IPv4, the IPsec
> Authentication Header [RFC4302] cannot be used across an IPv6 to IPv4
> translator.
> 
> As with network address translation of IPv4 to IPv4, packets with
> tunnel mode ESP can be translated since tunnel mode ESP does not
> depend on header fields prior to the ESP header. Similarly,
> transport mode ESP will fail with IPv6 to IPv4 translation unless
> checksum neutral addresses are used. In both cases, the IPsec ESP
> endpoints will normally detect the presence of the translator and
> encapsulate ESP in UDP packets [RFC3948].
-- 
kivinen@iki.fi