[secdir] Review of draft-ietf-v6ops-incremental-cgn-02

Tero Kivinen <kivinen@iki.fi> Thu, 02 December 2010 13:14 UTC

Message-ID: <19703.39952.702085.728298@fireball.kivinen.iki.fi>
Date: Thu, 2 Dec 2010 15:16:00 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: iesg@ietf.org, secdir@ietf.org
Cc: draft-ietf-v6ops-incremental-cgn.all@tools.ietf.org
Subject: [secdir] Review of draft-ietf-v6ops-incremental-cgn-02

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This document describes how to use Carrier Grade NAT together with an
IPv6-over-IPv4 tunneling feature to provide an incremental Carrier
Grade NAT approach. It seems mostly to describe the overall
architecture, leaving specific protocols out (or listing multiple
protocols). As such this is not really anything that can be
implemented, but it might provide information when someone selects the
suitable protocols for the different pieces, and what kind of features
to include in the different devices.

The security considerations section refers to RFC2663 and RFC2993 for
NAT security issues. The tunnel security issues are considered
relatively simple, as the tunnel is entirely within a single ISP.

One nit:

In section 2:

                                    ISPs facing only one pressure out of 
   two could adopt either CGN (for shortage of IPv6 addresses) or 6rd 
   (to provide IPv6 connectivity services). 

I do not think there is a shortage of IPv6 addresses... I assume it
means a shortage of IPv4 addresses.