[secdir] secdir review of draft-vinapamula-softwire-dslite-prefix-binding-07

"Dan Harkins" <dharkins@lounge.org> Fri, 07 August 2015 16:13 UTC

Date: Fri, 7 Aug 2015 09:13:30 -0700 (PDT)
From: "Dan Harkins" <dharkins@lounge.org>
To: iesg@ietf.org, secdir@ietf.org, draft-vinapamula-softwire-dslite-prefix-binding.all@tools.ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/ktMtS_MOrbuKXOyR0h1tz-uEx8s>


  I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

  This draft proposes several recommendations to handle the case
where a Basic Bridging Broadband element in a DS-Lite deployment
gets a new IPv6 address. Such a change can cause problems with
address-specific policy enforcement, subscriber resource tracking,
and loss of packets going to the previous address; the
recommendations are designed to minimize and mitigate those.

  The main part of the solution is the introduction of a "Subscriber
Mask" that allows a subscriber's CPE to be unambiguously identified
when the mask is applied to a source IPv6 address. This identification
allows for enforcement of per-subscriber policies even in the event
of an address change.

  The Security Considerations are sparse but address a potential
DoS issue with a misbehaving user attempting to obtain additional
resources by changing the address on its Basic Bridging Broadband
element, which seems to be the big issue here. All the other
Security Considerations of DS-Lite apply, and the draft refers to RFC 6333.
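The Subscriber Mask identification and the resource-exhaustion concern above, as an added example that is not code from the draft or this review: an AFTR keys its per-subscriber port budget on the masked source address rather than on the full B4 address, so renumbering inside the delegated prefix does not yield a fresh quota. The /56 mask, the addresses and the port budget are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed Subscriber Mask: a /56 delegated prefix identifies one subscriber.
SUBSCRIBER_MASK = ipaddress.IPv6Network("::/56").netmask


def subscriber_id(src: str) -> ipaddress.IPv6Address:
    """Apply the Subscriber Mask to a B4 source address; the result is the
    subscriber identifier, which is stable across renumbering within the
    delegated prefix."""
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address(src)) & int(SUBSCRIBER_MASK))


def full_address(src: str) -> ipaddress.IPv6Address:
    """Naive key: the complete B4 address (the behaviour the draft mitigates)."""
    return ipaddress.IPv6Address(src)


class PortQuota:
    """Per-subscriber NAT port budget on the AFTR, keyed by key_fn(src)."""

    def __init__(self, max_ports: int, key_fn=subscriber_id):
        self.max_ports = max_ports
        self.key_fn = key_fn
        self.used = defaultdict(int)      # key -> ports in use
        self.current_b4 = {}              # key -> most recent B4 address seen

    def allocate(self, src: str) -> bool:
        """Try to allocate one external port for traffic from B4 address src.
        Returns False when the subscriber's budget is exhausted."""
        key = self.key_fn(src)
        # With the Subscriber Mask, a renumbered B4 inherits its own existing
        # state instead of being treated as a new subscriber.
        self.current_b4[key] = src
        if self.used[key] >= self.max_ports:
            return False
        self.used[key] += 1
        return True


def simulate(key_fn) -> list:
    """Constructed scenario: a B4 exhausts a 3-port budget at one address, then
    renumbers within its /56 and tries again; a different /56 is a separate subscriber."""
    quota = PortQuota(3, key_fn=key_fn)
    results = [quota.allocate("2001:db8:0:1200::1") for _ in range(3)]
    results.append(quota.allocate("2001:db8:0:1234::abcd"))  # same /56 as above
    results.append(quota.allocate("2001:db8:0:5600::1"))     # another subscriber
    return results
```

With `subscriber_id` the fourth allocation is refused because the renumbered B4 still maps to the exhausted subscriber; with `full_address` it succeeds, which is the extra-resource grab the draft's Security Considerations describe.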

  I consider the document Ready.