IETF Logo Mail Archive

AD review of draft-krishnan-v6ops-teredo-update

Jari Arkko <jari.arkko@piuha.net> Tue, 27 April 2010 08:41 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ACAFD3A68C0 for <ietfarch-v6ops-archive@core3.amsl.com>; Tue, 27 Apr 2010 01:41:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.856
X-Spam-Level:
X-Spam-Status: No, score=-99.856 tagged_above=-999 required=5 tests=[AWL=-1.315, BAYES_50=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ie1T2qHdo68f for <ietfarch-v6ops-archive@core3.amsl.com>; Tue, 27 Apr 2010 01:41:49 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id BFD873A6926 for <v6ops-archive@lists.ietf.org>; Tue, 27 Apr 2010 01:41:37 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1O6gEx-000GE5-FZ for v6ops-data0@psg.com; Tue, 27 Apr 2010 08:33:59 +0000
Received: from [2001:14b8:400::130] (helo=p130.piuha.net) by psg.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <jari.arkko@piuha.net>) id 1O6gEr-000GBm-60 for v6ops@ops.ietf.org; Tue, 27 Apr 2010 08:33:53 +0000
Received: from localhost (localhost [127.0.0.1]) by p130.piuha.net (Postfix) with ESMTP id 314262CECB; Tue, 27 Apr 2010 11:33:52 +0300 (EEST)
X-Virus-Scanned: amavisd-new at piuha.net
Received: from p130.piuha.net ([127.0.0.1]) by localhost (p130.piuha.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JCY0vbeUhgwJ; Tue, 27 Apr 2010 11:33:51 +0300 (EEST)
Received: from [IPv6:::1] (unknown [IPv6:2001:14b8:400::130]) by p130.piuha.net (Postfix) with ESMTP id 646622CCC0; Tue, 27 Apr 2010 11:33:51 +0300 (EEST)
Message-ID: <4BD6A16E.5090601@piuha.net>
Date: Tue, 27 Apr 2010 11:33:50 +0300
From: Jari Arkko <jari.arkko@piuha.net>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: draft-krishnan-v6ops-teredo-update@tools.ietf.org, 'IPv6 Operations' <v6ops@ops.ietf.org>
Subject: AD review of draft-krishnan-v6ops-teredo-update
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

I have reviewed this draft and have the following comments. In general, the draft is in good shape and can move forward. I have two small technical issues and a few minor editorial ones. Nevertheless, I have decided to initiate last call, but I would appreciate a quick document update in the next few days to correct these issues.

Technical:
Teredo Client: A node that has access to the IPv4 Internet and wants
to gain access to the IPv6 Internet.
There are lots of such nodes, but not all of them are Teredo clients, i.e., implement the Teredo protocol... please correct the definition.

Opening a hole in an enterprise firewall
[http://tools.ietf.org/html/draft-krishnan-v6ops-teredo-update-06#ref-I-D.ietf-v6ops-tunnel-security-concerns" title='"Security Concerns With IP Tunneling"' rel="nofollow">I-D.ietf-v6ops-tunnel-security-concerns]: Teredo is NOT RECOMMENDED
as a solution for managed networks.  Administrators of such networks
may wish to filter all Teredo traffic at the boundaries of their
networks.

I'm not sure the term "managed networks" is a correct one here. There are many types of managed networks, some care about blocking Teredo and some would not. Suggested rewrite:

"Opening a hole in an enterprise firewall [I-D.ietf-v6ops-tunnel-security-concerns]: Teredo is NOT RECOMMENDED as a solution for networks that wish to implement strict controls for what traffic passes to and from the Internet.  Administrators of such networks may wish to filter all Teredo traffic at the boundaries of their networks."

(Also, speaking personally, I may not completely agree with the conclusions from draft-ietf-v6ops-tunnel-security-concerns that inspection of tunneled traffic is always hard and inefficient. I think there is some room to allow firewalls to inspect tunneling traffic on top of well-known and established tunneling protocols such as Teredo.)

Editorial:

Teredo IPv6 Address: An IPv6 address that starts with the prefix
2001:0000:/32 and is formed as specified in http://tools.ietf.org/html/rfc4380#section-2.14" rel="nofollow">[RFC4380] section 2.14.

Wouldn't Section 4 be a better reference here?

Teredo addresses are structured and some of the fields contained in
them are fairly predictable.  This can be used to better predict the
address.

I would rewrite the second sentence (which currently doesn't say much) as follows: "This makes it easier to predict an address, opening a (small) vulnerability."

   open on a IPv4 address, prior to trying to form a Teredo address for
s/on a/on an/

4. Acknowledgments
....
5. Security Considerations

I think it would be better if all the technical parts of the document were explained first, followed by the acknowledgment section. That is, I think Section 5 would come more naturally before Section 4.

Jari

v2.23.0 | Report a Bug | By Email