Re: [secdir] SecDir review of draft-ietf-radext-ipv6-access-13

Benoit Claise <bclaise@cisco.com> Fri, 11 January 2013 11:25 UTC

Return-Path: <bclaise@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5539C21F88EA; Fri, 11 Jan 2013 03:25:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.414
X-Spam-Level:
X-Spam-Status: No, score=-10.414 tagged_above=-999 required=5 tests=[AWL=0.185, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J7UPygxm8HTD; Fri, 11 Jan 2013 03:25:44 -0800 (PST)
Received: from av-tac-bru.cisco.com (weird-brew.cisco.com [144.254.15.118]) by ietfa.amsl.com (Postfix) with ESMTP id 645C721F8873; Fri, 11 Jan 2013 03:25:44 -0800 (PST)
X-TACSUNS: Virus Scanned
Received: from strange-brew.cisco.com (localhost.cisco.com [127.0.0.1]) by av-tac-bru.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id r0BBPYC4020686; Fri, 11 Jan 2013 12:25:34 +0100 (CET)
Received: from [10.60.67.89] (ams-bclaise-8918.cisco.com [10.60.67.89]) by strange-brew.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id r0BBPXIo023756; Fri, 11 Jan 2013 12:25:33 +0100 (CET)
Message-ID: <50EFF6AD.1040808@cisco.com>
Date: Fri, 11 Jan 2013 12:25:33 +0100
From: Benoit Claise <bclaise@cisco.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: "draft-ietf-radext-ipv6-access.all@tools.ietf.org" <draft-ietf-radext-ipv6-access.all@tools.ietf.org>
References: <20550.1861.349381.646147@fireball.kivinen.iki.fi> <4613980CFC78314ABFD7F85CC30277210152E3@IL-EX10.ad.checkpoint.com>
In-Reply-To: <4613980CFC78314ABFD7F85CC30277210152E3@IL-EX10.ad.checkpoint.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "Wojciech Dec \(wdec\)" <wdec@cisco.com>, "iesg@ietf.org IESG" <iesg@ietf.org>, "radext-chairs@tools.ietf.org" <radext-chairs@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-radext-ipv6-access-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jan 2013 11:25:45 -0000

draft-ietf-radext-ipv6-access authors,

Can you please address Yoav' point.

Regards, Benoit
> Hi
>
> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.
>
> The draft adds IPv6 RADIUS attributes for information received using DHCP. The attributes include IPv6 address, DNS server address, IPv6 route information, delegated IPv6 prefix, and stateful IPv6 address pool.
>
> The security considerations section covers general vulnerabilities in RADIUS just to say that those apply here as well. It also makes a reference to IPsec as "natively defined for IPv6". This can IMO be omitted, as pretty much every platform that has IPsec for IPv6 has it for IPv4 as well, and IPsec is not longer required for compliance with IPv6, otherwise all those smart objects would be non-compliant.
>
> There is no treatment of the issue of a rogue RADIUS server supplying bad routes to the NAS. This can be explained away by saying that a trust relationship exists between RADIUS server and NAS, but I think this should be mentioned.
>
> Yoav
>
>
>
>
>