[secdir] Review of draft-ietf-6man-prefixlen-p2p-01

Rob Austein <sra@hactrn.net> Sun, 30 January 2011 22:44 UTC

Date: Sun, 30 Jan 2011 08:48:09 -0500
From: Rob Austein <sra@hactrn.net>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-6man-prefixlen-p2p.all@tools.ietf.org

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This draft discusses several reasons why the recommendations against
using 127-bit prefixes on inter-router IPv6 point-to-point links in
the current RFCs are not merely specious but actively harmful, and
details several attack scenarios in which 127-bit prefixes on
inter-router point-to-point links are a better defense than anything
that can be done with 64-bit prefixes.  The draft concludes by
requiring (if this draft is adopted) router support for 127-bit
prefixes and makes some recommendations on how to avoid having use of
127-bit prefixes cause problems with other IPv6 implementations.

I have no security concerns regarding this document.  Should have done
this years ago, and the authors of this draft deserve our thanks for
their perseverance.