[secdir] Review of draft-ietf-v6ops-incremental-cgn-02
Tero Kivinen <kivinen@iki.fi> Thu, 02 December 2010 13:14 UTC
From: Tero Kivinen <kivinen@iki.fi>
To: iesg@ietf.org, secdir@ietf.org
Cc: draft-ietf-v6ops-incremental-cgn.all@tools.ietf.org
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document describes how to use Carrier Grade NAT with the IPv6 over IPv4 tunneling feature to provide an incremental Carrier Grade NAT approach. It seems to mostly describe the overall architecture, leaving specific protocols out (or listing multiple protocols). As such this is not really anything that can be implemented, but it might provide information when someone selects the suitable protocols for different pieces, and what kind of features to include in different devices.

The security considerations section refers to RFC2663 and RFC2993 for NAT security issues. The tunnel security issues are considered relatively simple, as the tunnel is entirely within a single ISP network.

One nit: In section 2:

    ISPs facing only one pressure out of two could adopt either CGN (for
    shortage of IPv6 addresses) or 6rd (to provide IPv6 connectivity
    services).

I do not think there is a shortage of IPv6 addresses... I assume it is meaning shortage of IPv4 addresses.

-- 
kivinen@iki.fi