Re: [secdir] secdir review of draft-ietf-v6ops-464xlat-08
joel jaeggli <joelja@bogus.com> Sun, 23 December 2012 18:03 UTC
Return-Path: <joelja@bogus.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1674721F8561; Sun, 23 Dec 2012 10:03:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Np37POd680aG; Sun, 23 Dec 2012 10:03:36 -0800 (PST)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) by ietfa.amsl.com (Postfix) with ESMTP id 7F71D21F8551; Sun, 23 Dec 2012 10:03:36 -0800 (PST)
Received: from joels-MacBook-Air.local (c-71-193-176-225.hsd1.wa.comcast.net [71.193.176.225]) (authenticated bits=0) by nagasaki.bogus.com (8.14.4/8.14.4) with ESMTP id qBNI3YOU024143 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT); Sun, 23 Dec 2012 18:03:35 GMT (envelope-from joelja@bogus.com)
Message-ID: <50D74775.9070701@bogus.com>
Date: Sun, 23 Dec 2012 10:03:33 -0800
From: joel jaeggli <joelja@bogus.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:18.0) Gecko/20121128 Thunderbird/18.0
MIME-Version: 1.0
To: Stephen Hanna <shanna@juniper.net>
References: <F1DFC16DCAA7D3468651A5A776D5796E068FAB13@SN2PRD0510MB372.namprd05.prod.outlook.com>
In-Reply-To: <F1DFC16DCAA7D3468651A5A776D5796E068FAB13@SN2PRD0510MB372.namprd05.prod.outlook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (nagasaki.bogus.com [147.28.0.81]); Sun, 23 Dec 2012 18:03:35 +0000 (UTC)
Cc: "draft-ietf-v6ops-464xlat.all@tools.ietf.org" <draft-ietf-v6ops-464xlat.all@tools.ietf.org>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-v6ops-464xlat-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Dec 2012 18:03:37 -0000
On 12/21/12 5:38 PM, Stephen Hanna wrote: > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the IESG. > These comments were written primarily for the benefit of the security area > directors. Document editors and WG chairs should treat these comments > just like any other last call comments. > > This document describes an architecture for providing IPv4 connectivity > across an IPv6-only network. I'm not a fan of documents where the > Security Considerations section just says "See these other two specs > for the Security Considerations" but in this case it seems that this > is adequate. This document is effectively recommends a concatenation > stateless v4/v6 translation on the customer side and stateful v6/v4 > translation in the provider so it does make sense that the combination > of the RFC 6145 and RFC 6146 Security Considerations would do it. And > a review of those documents shows that their Security Considerations > are thoughtful and well-considered. I'm in general agreeement with you here. fundamentally 464xlate is a deployment of 6145/6 with specific considerations. I don't believe that any new issues are introduced by deploying them in this fashion. > I did find a few minor typos in section 8.2. In the first paragraph: > > "a explanation" should be "an explanation" > "using combination" should be "using a combination" > "is delegated IPv6 prefix" should be "is delegated an IPv6 prefix" > > Those were the only typos or errors that I found. > > Note that I am not an expert in address translation or IPv6 operations > so there could be hidden security issues here that I didn't find. > > >
- [secdir] secdir review of draft-ietf-v6ops-464xla… Stephen Hanna
- Re: [secdir] secdir review of draft-ietf-v6ops-46… joel jaeggli