[secdir] secdir review of draft-ietf-behave-address-format-08.txt

Charlie Kaufman <charliek@microsoft.com> Sun, 13 June 2010 07:07 UTC

Return-Path: <charliek@microsoft.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id C29BB3A68B2; Sun, 13 Jun 2010 00:07:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.999
X-Spam-Status: No, score=-7.999 tagged_above=-999 required=5 tests=[BAYES_50=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id xYU-U2R8wtCN; Sun, 13 Jun 2010 00:07:12 -0700 (PDT)
Received: from smtp.microsoft.com (smtp.microsoft.com []) by core3.amsl.com (Postfix) with ESMTP id E7DD53A68B0; Sun, 13 Jun 2010 00:07:11 -0700 (PDT)
Received: from TK5EX14MLTC102.redmond.corp.microsoft.com ( by TK5-EXGWY-E802.partners.extranet.microsoft.com ( with Microsoft SMTP Server (TLS) id; Sun, 13 Jun 2010 00:07:15 -0700
Received: from TK5EX14MBXC117.redmond.corp.microsoft.com ([]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([]) with mapi id 14.01.0160.007; Sun, 13 Jun 2010 00:07:16 -0700
From: Charlie Kaufman <charliek@microsoft.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-behave-address-format.all@tools.ietf.org" <draft-ietf-behave-address-format.all@tools.ietf.org>
Thread-Topic: secdir review of draft-ietf-behave-address-format-08.txt
Thread-Index: AcsKxwuZ3ScanT4WQ7eYfl1Y0uvxEg==
Date: Sun, 13 Jun 2010 07:07:12 +0000
Message-ID: <D80EDFF2AD83E648BD1164257B9B091212132D35@TK5EX14MBXC117.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [secdir] secdir review of draft-ietf-behave-address-format-08.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Jun 2010 07:07:12 -0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document discusses formats and algorithms around dealing with the translation of IPv4 addresses to IPv6 addresses and vice versa. Such translation is necessary when two endpoints and the network between them do not all support a single version of IP.

I found the document quite comprehensible, its decisions well considered, and I have only minor comments.

Security Related:

Section 5 discusses two threats related to routers that handle IPv6 addresses that embed IPv4 addresses. I believe an important third attack in the same category is where firewalls filter traffic based on IPv4 addresses. In all such scenarios, admins should assure that packets that embed those IPv4 addresses inside IPv6 addresses perform the same filtering on the IPv6 addresses. Otherwise, lots of traffic that was previously blocked might be able to pass through the firewalls disguised as IPv6 packets.

Section 3.1 says that the Well-Known Prefix MUST NOT be used to represent non global IPv4 addresses, such as those defined in [RFC1918]. First, especially given that this is a MUST, there should be an explicit list of forbidden IPv4 addresses rather than a vague reference to RFC1918. Second, the text should probably explicitly say that any translator that extracts an IPv4 address from an IPv6 address MUST check the IPv4 address against the forbidden list and drop the packet if it has such a forbidden address. Otherwise, the text could be interpreted as only forbidding encapsulation. In most attacks, the attacker does the encapsulation and the good guy does the decapsulation, so forbidding encapsulation doesn't help.

The last sentence of section 2.2 says "These bits are reserved for future extensions and SHOULD be set to zero." In any spec where it says that some bits SHOULD or MUST be set to zero, there should be corresponding text saying what an implementation SHOULD or MUST do if it receives data containing non-zero values. In this case, I couldn't tell whether the intended action was to ignore the non-zero bits or to drop the packet. The bits will be much more useful for future uses if we have confidence about how existing implementations handle them.


P5 middle: "prefic" -> "prefix"
P9 middle: "return them message in" -> "return them in"