[secdir] Review of draft-ietf-dhc-dhcpv6-client-link-layer-addr-opt-04
Shawn Emery <shawn.emery@oracle.com> Wed, 20 February 2013 08:01 UTC
Return-Path: <shawn.emery@oracle.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AF3C21F893E; Wed, 20 Feb 2013 00:01:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AKpsYEcvNCdE; Wed, 20 Feb 2013 00:01:16 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 6A4CB21F888B; Wed, 20 Feb 2013 00:01:16 -0800 (PST)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r1K81BXR013490 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 20 Feb 2013 08:01:12 GMT
Received: from acsmt358.oracle.com (acsmt358.oracle.com [141.146.40.158]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r1K81BcE022034 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 20 Feb 2013 08:01:11 GMT
Received: from abhmt101.oracle.com (abhmt101.oracle.com [141.146.116.53]) by acsmt358.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id r1K81AOo019521; Wed, 20 Feb 2013 02:01:10 -0600
Received: from [10.159.102.43] (/10.159.102.43) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 20 Feb 2013 00:01:09 -0800
Message-ID: <5124827A.3070407@oracle.com>
Date: Wed, 20 Feb 2013 00:59:54 -0700
From: Shawn Emery <shawn.emery@oracle.com>
User-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:10.0.11) Gecko/20121204 Thunderbird/10.0.11
MIME-Version: 1.0
To: secdir@ietf.org
References: <5112164C.3060009@oracle.com>
In-Reply-To: <5112164C.3060009@oracle.com>
X-Forwarded-Message-Id: <5112164C.3060009@oracle.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: draft-ietf-dhc-dhcpv6-client-link-layer-addr-opt.all@tools.ietf.org, The IESG <iesg@ietf.org>
Subject: [secdir] Review of draft-ietf-dhc-dhcpv6-client-link-layer-addr-opt-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2013 08:01:17 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This internet-draft describes a way to provide a client link-layer addresses in DHCPv6 Relay-Forward messages.. The security considerations section does exist and discusses an attack scenario involving rogue relay agents and clients where a DHCPv6 node could spoof the address of a separate DHCPv4 node. Subsequently if a Dynamic DNS update is made then a dual-stack node could be made to connect to the DHCPv6 client instead of the DHCPv4 client. To thwart such an attack the draft recommends that administrators configure IPsec between the DHCP server(s) and the relay agents. Besides the security considerations of DHCP in general, I think that this document adequately covers the feature being introduced. General comments: None. Editorial comments: s/will help above mentioned scenarios/will help with the scenarios mentioned above/ s/used in wide/used in a wide/ Shawn. --
- [secdir] Review of draft-ietf-mpls-tp-identifiers… Shawn Emery
- [secdir] Review of draft-ietf-sidr-ghostbusters-14 Shawn Emery
- [secdir] Review of draft-ietf-rtgwg-lfa-applicabi… Shawn Emery
- Re: [secdir] Review of draft-ietf-rtgwg-lfa-appli… Stewart Bryant
- [secdir] Review of draft-ietf-manet-smf-13 Shawn Emery
- Re: [secdir] Review of draft-ietf-manet-smf-13 Joe Macker
- [secdir] Review of draft-ietf-conex-concepts-uses… Shawn Emery
- [secdir] Review of draft-melnikov-smtp-priority-t… Shawn Emery
- Re: [secdir] Review of draft-melnikov-smtp-priori… Alexey Melnikov
- [secdir] Review of draft-ietf-dnsop-rfc4641bis-12 Shawn Emery
- Re: [secdir] Review of draft-ietf-dnsop-rfc4641bi… Matthijs Mekking
- Re: [secdir] Review of draft-ietf-dnsop-rfc4641bi… Shawn Emery
- [secdir] Review of draft-ietf-karp-ospf-analysis-… Shawn Emery
- [secdir] Review of draft-ietf-oauth-assertions-09 Shawn Emery
- Re: [secdir] Review of draft-ietf-oauth-assertion… Shawn Emery
- [secdir] Review of draft-ietf-dhc-dhcpv6-client-l… Shawn Emery
- Re: [secdir] Review of draft-ietf-dhc-dhcpv6-clie… Gaurav Halwasia (ghalwasi)
- [secdir] Review of draft-ietf-netmod-interfaces-c… Shawn Emery
- Re: [secdir] Review of draft-ietf-netmod-interfac… Martin Bjorklund
- Re: [secdir] Review of draft-ietf-netmod-interfac… Benoit Claise
- Re: [secdir] Review of draft-ietf-netmod-interfac… Shawn Emery
- [secdir] Review of draft-ietf-xrblock-rtcp-xr-jb-… Shawn M Emery
- Re: [secdir] Review of draft-ietf-xrblock-rtcp-xr… Qin Wu
- Re: [secdir] Review of draft-ietf-xrblock-rtcp-xr… Gonzalo Camarillo
- Re: [secdir] Review of draft-ietf-xrblock-rtcp-xr… Gonzalo Camarillo
- Re: [secdir] Review of draft-ietf-xrblock-rtcp-xr… Donald Eastlake
- [secdir] Review of draft-ietf-repute-query-http-09 Shawn M Emery
- Re: [secdir] Review of draft-ietf-repute-query-ht… Shawn M Emery
- Re: [secdir] Review of draft-ietf-repute-query-ht… Uri Blumenthal
- Re: [secdir] Review of draft-ietf-repute-query-ht… Dave Crocker
- Re: [secdir] Review of draft-ietf-repute-query-ht… Murray S. Kucherawy
- Re: [secdir] Review of draft-ietf-repute-query-ht… Shawn M Emery
- [secdir] Review of draft-ietf-tictoc-security-req… Shawn M Emery
- Re: [secdir] Review of draft-ietf-tictoc-security… Tal Mizrahi
- [secdir] Review of draft-ietf-cdni-requirements-13 Shawn M Emery
- Re: [secdir] Review of draft-ietf-cdni-requiremen… Kent Leung (kleung)
- [secdir] Review of draft-ietf-isis-rfc6326bis-01 Shawn M Emery
- [secdir] Review of draft-ietf-tcpm-fastopen-08 Shawn M Emery
- Re: [secdir] Review of draft-ietf-tcpm-fastopen-08 Scharf, Michael (Michael)
- [secdir] Review of draft-ietf-hip-rfc5202-bis-05 Shawn M Emery