[secdir] secdir review of draft-ietf-6man-lineid
"Dan Harkins" <dharkins@lounge.org> Sat, 30 June 2012 17:49 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC6C121F85B6; Sat, 30 Jun 2012 10:49:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.406
X-Spam-Level:
X-Spam-Status: No, score=-4.406 tagged_above=-999 required=5 tests=[BAYES_20=-0.74, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g6RZJ2OBpPIC; Sat, 30 Jun 2012 10:49:02 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 091B821F84FE; Sat, 30 Jun 2012 10:49:02 -0700 (PDT)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id C75AB1022400A; Sat, 30 Jun 2012 10:49:02 -0700 (PDT)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Sat, 30 Jun 2012 10:49:02 -0700 (PDT)
Message-ID: <3f40470e03a3da0a21dcf09e26f1a723.squirrel@www.trepanning.net>
Date: Sat, 30 Jun 2012 10:49:02 -0700
From: Dan Harkins <dharkins@lounge.org>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-6man-lineid.all@tools.ietf.org
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Subject: [secdir] secdir review of draft-ietf-6man-lineid
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Jun 2012 17:49:02 -0000
Hello, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This draft defines a new destination option for IPv6 datagrams that tunnel router solicitation and router advertisement messages. The purpose of the option is to allow an edge router in a broadband subscriber network to identify a particular subscriber that comes up. I found the draft a bit confusing. Terms are referred to before they are defined and once defined are not consistently used. There were several paragraphs that I had to re-read a couple times to figure out what was being intended. I would suggest the following editorial changes: - in section 1.1, move definition of GPON and RG up before they are referred to (AN, and Edge Router, respectively) - in section 5.3, pick either AN or "access node" and stick to it. By sometimes referring to the entity by acronym and sometimes by full name, the casual reader (me) does not immediately tie them together and creates 2 entities in his mind as he's putting the described behavior together. - in section 6.2 it talks about creating a new IPv6 datagram, then about adding the option to it and how to determine the contents of this datagram, and then it says a new IPv6 datagram is created. Wait, so there's 2 IPv6 datagrams or is this the same one? I had to read this a few times to figure out what's going on. There is an apparent technical problem in section 7 where the new option is laid out. The option type is an octet and the option length is also an octet (whose length does not include the option type or itself). Then follows the a field for the length of the lineID and the lineID itself. But the length of the lineID is 2 octets implying that a lineID can be more than 255 octets long. How does this work? If the lineID itself is greater than 253 octets then the length required to be encoded in the option length would be greater than 255 which cannot be described with a single octet. Either there is the possibility of a valid but unparsable option that would likely make the rest of the packet unparsable too (which is bad) or the lineID can never be greater than 253 octets which then makes me ask why the field to encode its length has to be 2 octets? The other option is, of course, that I'm completely missing something. If that's the case, forgive my ignorance but please do enlighten me. I found no security issues with the draft that require the attention of the ADs. The Security Considerations mention that this is all unauthenticated and should only be used on a network where the communicating entities are already trusted, which seems reasonable for the way this will be deployed. regards, Dan.
- [secdir] secdir review of draft-ietf-6man-lineid Dan Harkins
- [secdir] Secdir review of draft-ietf-appsawg-rece… Paul Hoffman
- Re: [secdir] secdir review of draft-ietf-6man-lin… Suresh Krishnan
- [secdir] Secdir review of draft-ietf-krb-wg-kdc-m… Alexey Melnikov
- Re: [secdir] Secdir review of draft-ietf-krb-wg-k… Jeffrey Hutzelman
- Re: [secdir] Secdir review of draft-ietf-krb-wg-k… Alexey Melnikov