[secdir] secir review of draft-ietf-6man-text-addr-representation-04
Tom Yu <tlyu@MIT.EDU> Sat, 30 January 2010 03:44 UTC
Return-Path: <tlyu@mit.edu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3BAC93A6860; Fri, 29 Jan 2010 19:44:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hW-q6hUBf20d; Fri, 29 Jan 2010 19:44:47 -0800 (PST)
Received: from dmz-mailsec-scanner-1.mit.edu (DMZ-MAILSEC-SCANNER-1.MIT.EDU [18.9.25.12]) by core3.amsl.com (Postfix) with ESMTP id 4EE973A6765; Fri, 29 Jan 2010 19:44:47 -0800 (PST)
X-AuditID: 1209190c-b7b6aae000000979-4c-4b63ab47a9d9
Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU [18.7.7.80]) by dmz-mailsec-scanner-1.mit.edu (Symantec Brightmail Gateway) with SMTP id D7.15.02425.74BA36B4; Fri, 29 Jan 2010 22:45:11 -0500 (EST)
Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by biscayne-one-station.mit.edu (8.13.6/8.9.2) with ESMTP id o0U3iJO5026612; Fri, 29 Jan 2010 22:44:19 -0500 (EST)
Received: from cathode-dark-space.mit.edu (CATHODE-DARK-SPACE.MIT.EDU [18.18.1.96]) (authenticated bits=56) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id o0U3jSdJ017105 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 29 Jan 2010 22:45:28 -0500 (EST)
Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9.20060308) id o0U3iwqJ013479; Fri, 29 Jan 2010 22:44:58 -0500 (EST)
To: secdir@ietf.org, iesg@ietf.org, draft-ietf-6man-text-addr-representation@tools.ietf.org, 6man-chairs@tools.ietf.org
From: Tom Yu <tlyu@MIT.EDU>
Date: Fri, 29 Jan 2010 22:44:57 -0500
Message-ID: <ldvhbq4fe86.fsf@cathode-dark-space.mit.edu>
Lines: 22
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Scanned-By: MIMEDefang 2.42
X-Brightmail-Tracker: AAAAAA==
Subject: [secdir] secir review of draft-ietf-6man-text-addr-representation-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Jan 2010 03:44:48 -0000
This draft indicates that it has no security considerations. I think that conflicts with Section 3.2.5, which gives an example of inappropriate (textual) verification of IPv6 addresses in an X.509 certificate. Although (in my understanding) IPv6 addresses in X.509 certificates are in binary form and probably should be compared as such, if the authors feel the need to explicitly call out an example of inappropriate textual verification of addresses, which could have security consequences if the address values in question are used for access control. The text in Section 3.3.3 about network abuse reporting would also appear to have some operational (but probably not protocol) security consequences, especially if a network operator would need to respond rapidly to an ongoing attack. Editorial: In Section 3.3.2, I believe the claim that IPv4 addresses cannot be abbreviated is false. Historically, BSD implementations of textual IPv4 address parsing have accepted a number of variant abbreviated notations. I think they have generally output canonical dotted-quad IPv4 addresses though.