IETF Logo Mail Archive

Re: [secdir] SecDir review of draft-ietf-radext-ipv6-access-13

"Wojciech Dec (wdec)" <wdec@cisco.com> Fri, 11 January 2013 11:48 UTC

Return-Path: <wdec@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C900321F87B3; Fri, 11 Jan 2013 03:48:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q9BfwraQyC4c; Fri, 11 Jan 2013 03:48:45 -0800 (PST)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by ietfa.amsl.com (Postfix) with ESMTP id A4C3521F87AD; Fri, 11 Jan 2013 03:48:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1534; q=dns/txt; s=iport; t=1357904925; x=1359114525; h=from:to:cc:subject:date:message-id:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=QrRSzJoRJAlxsERLyS2AcHPY4DTNAguuorP25WTcujg=; b=Gym4h9nnOGK8FI3iGutvnlkLohmJn/LJBMCAGcPXAsDaUymAdFyWvpfN W3uHoudUE7q1c7ttdK+laKx8S8lDb0ZaAfI3CtK9rHlpsE+pqzl0Ujefr KSNmGU3Qg2WBmtMVueFDchWbJeIU7jDgIhKprn3wBMpoIsEpgzOipRSd4 o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAHb771CtJXHA/2dsb2JhbABEvXkWc4IgAQQ6OAcSAQgiFEIlAgQBDQUIiBG1PZA+YQOmU4J1giQ
X-IronPort-AV: E=Sophos;i="4.84,451,1355097600"; d="scan'208";a="161374288"
Received: from rcdn-core2-5.cisco.com ([173.37.113.192]) by rcdn-iport-3.cisco.com with ESMTP; 11 Jan 2013 11:48:45 +0000
Received: from xhc-aln-x02.cisco.com (xhc-aln-x02.cisco.com [173.36.12.76]) by rcdn-core2-5.cisco.com (8.14.5/8.14.5) with ESMTP id r0BBmiVh027400 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 11 Jan 2013 11:48:45 GMT
Received: from xmb-aln-x05.cisco.com ([169.254.11.135]) by xhc-aln-x02.cisco.com ([173.36.12.76]) with mapi id 14.02.0318.004; Fri, 11 Jan 2013 05:48:44 -0600
From: "Wojciech Dec (wdec)" <wdec@cisco.com>
To: "Benoit Claise (bclaise)" <bclaise@cisco.com>, "draft-ietf-radext-ipv6-access.all@tools.ietf.org" <draft-ietf-radext-ipv6-access.all@tools.ietf.org>
Thread-Topic: SecDir review of draft-ietf-radext-ipv6-access-13
Thread-Index: AQHN7+5hTcFX1L/h0Em0c0QGTPnw2phEeK2A
Date: Fri, 11 Jan 2013 11:48:43 +0000
Message-ID: <19F346EB777BEE4CB77DA1A2C56F20B31D5932@xmb-aln-x05.cisco.com>
In-Reply-To: <50EFF6AD.1040808@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.5.121010
x-originating-ip: [10.61.104.83]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <905D47184D70E546BE5E6EFF457483C6@cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Fri, 11 Jan 2013 08:09:19 -0800
Cc: "iesg@ietf.org IESG" <iesg@ietf.org>, "radext-chairs@tools.ietf.org" <radext-chairs@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-radext-ipv6-access-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jan 2013 11:48:47 -0000

Thanks. Comment is addressed in draft 15.
Rgds
Woj..

On 11/01/2013 12:25, "Benoit Claise (bclaise)" <bclaise@cisco.com> wrote:

>draft-ietf-radext-ipv6-access authors,
>
>Can you please address Yoav' point.
>
>Regards, Benoit
>> Hi
>>
>> I have reviewed this document as part of the security directorate's
>>ongoing effort to review all IETF documents being processed by the IESG.
>> These comments were written primarily for the benefit of the security
>>area directors.  Document editors and WG chairs should treat these
>>comments just like any other last call comments.
>>
>> The draft adds IPv6 RADIUS attributes for information received using
>>DHCP. The attributes include IPv6 address, DNS server address, IPv6
>>route information, delegated IPv6 prefix, and stateful IPv6 address pool.
>>
>> The security considerations section covers general vulnerabilities in
>>RADIUS just to say that those apply here as well. It also makes a
>>reference to IPsec as "natively defined for IPv6". This can IMO be
>>omitted, as pretty much every platform that has IPsec for IPv6 has it
>>for IPv4 as well, and IPsec is not longer required for compliance with
>>IPv6, otherwise all those smart objects would be non-compliant.
>>
>> There is no treatment of the issue of a rogue RADIUS server supplying
>>bad routes to the NAS. This can be explained away by saying that a trust
>>relationship exists between RADIUS server and NAS, but I think this
>>should be mentioned.
>>
>> Yoav
>>
>>
>>
>>
>>
>

v2.23.0 | Report a Bug | By Email