
Last Call Review of draft-iana-rfc3330bis-
review-iana-rfc3330bis-secdir-lc-hoffman-2009-04-02-00

Request: Review of draft-iana-rfc3330bis
Requested revision: No specific revision (document currently at 11)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2009-04-07
Requested: 2009-03-24
Authors: Michelle Cotton, Leo Vegoda
I-D last updated: 2009-04-02
Completed reviews: Secdir Last Call review of -?? by Paul E. Hoffman
                   Secdir Telechat review of -?? by Paul E. Hoffman
Assignment: Reviewer Paul E. Hoffman
State: Completed
Request: Last Call review on draft-iana-rfc3330bis by Security Area Directorate (Assigned)
Completed: 2009-04-02
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

This is essentially a security-free document. Having said that, the one
paragraph in the Security Considerations section could use a bit of
clarification. It says:

   The particular assigned values of special-use IPv4 addresses
   cataloged in this document do not directly raise security issues.
   However, the Internet does not inherently protect against abuse of
   these addresses; if you expect (for instance) that all packets from
   the 10.0.0.0/8 block originate within your subnet, all border routers
   should filter such packets that originate from elsewhere.  Attacks
   have been mounted that depend on the unexpected use of some of these
   addresses.

I think that "all packets from the 10.0.0.0/8 block" should be "all packets
from a private address space such as the 10.0.0.0/8 block or the link local
block 169.254.0.0/16".

Also, I believe that "all border routers should filter such packets that
originate from elsewhere" should be "all routers at the border of your network
should filter such packets that originate from outside your network".

Please also note the messages on ietf-general from this past weekend; having
another example block would help many IETF documents.

--Paul Hoffman, Director
--VPN Consortium
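The border-filtering rule the Security Considerations paragraph describes, and the reviewer's point that the example should cover more than 10.0.0.0/8, can be made concrete as an ingress check. The following is an added example, not text or code from the draft or the review: a packet arriving on an external-facing interface whose source address falls inside a special-use block cannot legitimately have originated outside the network, so it is dropped. The block list is an assumption for illustration (the two blocks the review names plus the other RFC 1918 ranges, loopback and "this network"), not the draft's full catalogue; the packet records and interface names are constructed sample input.

```python
"""Ingress filter for special-use IPv4 source addresses at a network border.

Added example accompanying the secdir review of draft-iana-rfc3330bis; not
part of the draft or the review.
"""
import ipaddress
from typing import NamedTuple

# Blocks that should never appear as the *source* of a packet arriving from
# outside the network. 10.0.0.0/8 and 169.254.0.0/16 are the two the review
# names; the rest are well-known blocks added here for illustration. This
# list is an assumption, not the draft's complete catalogue.
SPECIAL_USE_SOURCES = [
    ipaddress.ip_network("0.0.0.0/8"),        # "this" network
    ipaddress.ip_network("10.0.0.0/8"),       # private use (RFC 1918)
    ipaddress.ip_network("127.0.0.0/8"),      # loopback
    ipaddress.ip_network("169.254.0.0/16"),   # link local
    ipaddress.ip_network("172.16.0.0/12"),    # private use (RFC 1918)
    ipaddress.ip_network("192.168.0.0/16"),   # private use (RFC 1918)
]


class Packet(NamedTuple):
    iface: str   # interface the packet arrived on
    src: str     # IPv4 source address as dotted quad
    dst: str     # IPv4 destination address as dotted quad


def matching_block(addr, blocks):
    """Return the first block in `blocks` that contains `addr`, or None."""
    ip = ipaddress.ip_address(addr)
    for net in blocks:
        if ip in net:
            return net
    return None


def filter_ingress(packets, external_ifaces, blocks=SPECIAL_USE_SOURCES):
    """Apply the border rule from the Security Considerations text.

    A packet that arrives on an external interface with a special-use source
    address is dropped, because nothing outside the network can legitimately
    emit such a source. Packets on internal interfaces are not inspected here
    (the same private source is expected on the inside).
    Returns (accepted, dropped); each dropped entry carries the matched block.
    """
    accepted, dropped = [], []
    for pkt in packets:
        blk = None
        if pkt.iface in external_ifaces:
            blk = matching_block(pkt.src, blocks)
        if blk is not None:
            dropped.append((pkt, str(blk)))
        else:
            accepted.append(pkt)
    return accepted, dropped


# Constructed sample traffic: eth0 faces the Internet, eth1 faces the inside.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges used as stand-ins
# for "our" and "their" public addresses.
SAMPLE = [
    Packet("eth0", "10.1.2.3", "198.51.100.7"),       # private source from outside
    Packet("eth0", "169.254.10.20", "198.51.100.7"),  # link-local source from outside
    Packet("eth0", "203.0.113.9", "198.51.100.7"),    # ordinary external source
    Packet("eth1", "10.1.2.3", "198.51.100.7"),       # same private source, inside
]


def demo():
    """Show why the reviewer wants more than one example block.

    With only 10.0.0.0/8 filtered, the link-local spoof gets through; with the
    fuller list both spoofed packets are dropped. Returns the two drop counts.
    """
    external = {"eth0"}
    only_ten = [ipaddress.ip_network("10.0.0.0/8")]
    _, dropped_narrow = filter_ingress(SAMPLE, external, only_ten)
    _, dropped_full = filter_ingress(SAMPLE, external)
    return len(dropped_narrow), len(dropped_full)


if __name__ == "__main__":
    narrow, full = demo()
    print(f"dropped with 10/8 only: {narrow}; dropped with full list: {full}")
    for pkt, blk in filter_ingress(SAMPLE, {"eth0"})[1]:
        print(f"drop {pkt.iface} src={pkt.src} (in {blk})")
```

Note that the check is keyed on the interface the packet arrived on, which is the reviewer's second point: the rule belongs at the routers on the border of your network and applies to traffic originating outside it, while the very same 10.0.0.0/8 source is legitimate on the internal side.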