[secdir] Review of draft-ietf-6man-prefixlen-p2p-01
Rob Austein <sra@hactrn.net> Sun, 30 January 2011 22:44 UTC
Date: Sun, 30 Jan 2011 08:48:09 -0500
From: Rob Austein <sra@hactrn.net>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-6man-prefixlen-p2p.all@tools.ietf.org
Message-Id: <20110130134810.75A0915ED88@angband.hactrn.net>
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This draft discusses several reasons why the recommendations against using 127-bit prefixes on inter-router IPv6 point-to-point links in the current RFCs are not merely specious but actively harmful, and details several attack scenarios in which 127-bit prefixes on inter-router point-to-point links are a better defense than anything that can be done with 64-bit prefixes. The draft concludes by requiring (if this draft is adopted) router support for 127-bit prefixes and makes some recommendations on how to avoid having use of 127-bit prefixes cause problems with other IPv6 implementations.

I have no security concerns regarding this document. Should have done this years ago, and the authors of this draft deserve our thanks for their perseverance.