Re: [secdir] secdir review of draft-ietf-v6ops-464xlat-08

joel jaeggli <> Sun, 23 December 2012 18:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1674721F8561; Sun, 23 Dec 2012 10:03:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Np37POd680aG; Sun, 23 Dec 2012 10:03:36 -0800 (PST)
Received: from ( [IPv6:2001:418:1::81]) by (Postfix) with ESMTP id 7F71D21F8551; Sun, 23 Dec 2012 10:03:36 -0800 (PST)
Received: from joels-MacBook-Air.local ( []) (authenticated bits=0) by (8.14.4/8.14.4) with ESMTP id qBNI3YOU024143 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT); Sun, 23 Dec 2012 18:03:35 GMT (envelope-from
Message-ID: <>
Date: Sun, 23 Dec 2012 10:03:33 -0800
From: joel jaeggli <>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:18.0) Gecko/20121128 Thunderbird/18.0
MIME-Version: 1.0
To: Stephen Hanna <>
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 ( []); Sun, 23 Dec 2012 18:03:35 +0000 (UTC)
Cc: "" <>, The IESG <>, "" <>
Subject: Re: [secdir] secdir review of draft-ietf-v6ops-464xlat-08
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 23 Dec 2012 18:03:37 -0000

On 12/21/12 5:38 PM, Stephen Hanna wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security area
> directors. Document editors and WG chairs should treat these comments
> just like any other last call comments.
> This document describes an architecture for providing IPv4 connectivity
> across an IPv6-only network. I'm not a fan of documents where the
> Security Considerations section just says "See these other two specs
> for the Security Considerations" but in this case it seems that this
> is adequate. This document is effectively recommends a concatenation
> stateless v4/v6 translation on the customer side and stateful v6/v4
> translation in the provider so it does make sense that the combination
> of the RFC 6145 and RFC 6146 Security Considerations would do it. And
> a review of those documents shows that their Security Considerations
> are thoughtful and well-considered.
I'm in general agreeement  with you here. fundamentally 464xlate is a 
deployment of 6145/6 with specific considerations. I don't believe that  
any new issues are introduced by deploying them in this fashion.
> I did find a few minor typos in section 8.2. In the first paragraph:
> "a explanation" should be "an explanation"
> "using combination" should be "using a combination"
> "is delegated IPv6 prefix" should be "is delegated an IPv6 prefix"
> Those were the only typos or errors that I found.
> Note that I am not an expert in address translation or IPv6 operations
> so there could be hidden security issues here that I didn't find.