
Telechat Review of draft-ietf-6man-comp-rtg-hdr-06
review-ietf-6man-comp-rtg-hdr-06-secdir-telechat-weis-2024-05-17-00

Request Review of draft-ietf-6man-comp-rtg-hdr
Requested revision No specific revision (document currently at 10)
Type Telechat Review
Team Security Area Directorate (secdir)
Deadline 2024-05-28
Requested 2024-05-03
Authors Ron Bonica , Yuji Kamite , Andrew Alston , Daniam Henriques , Luay Jalil
I-D last updated 2024-05-17
Completed reviews Secdir Telechat review of -06 by Brian Weis (diff)
Genart Last Call review of -05 by Elwyn B. Davies (diff)
Secdir Last Call review of -05 by Brian Weis (diff)
Opsdir Last Call review of -05 by Susan Hares (diff)
Tsvart Last Call review of -05 by Gorry Fairhurst (diff)
Assignment Reviewer Brian Weis
State Completed
Request Telechat review on draft-ietf-6man-comp-rtg-hdr by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/LI6xQ8mI9saZw7A30bIDlux7GJ0
Reviewed revision 06 (document currently at 10)
Result Has nits
Completed 2024-05-17
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is Has Nits

The main issues of concern from my first review have been addressed:

— Describing dependence on ICMP messages

— Rationalization of how AH processing is affected, which is declaring
that a sender “MUST calculate the Integrity Check Value (ICV) over
the packet as it arrives at the destination node”.  This matches
the intent of RFC 4302, and is in fact possible for the CRH originator.

I still think the following comment from my original review is
important enough to mention, but I don’t consider it an issue.

“One general comment is that I would expect the network operators
in some networks to deploy packet inspection devices (e.g., firewall,
intrusion detection) at choke points within the network. Because
the IPv6 Destination Address is changed hop-by-hop they cannot
simply compare the packet's SA and DA to {source, destination} rules
simply by extracting the SA and DA from the packet. In order for
these packet inspection devices to validate based on endpoint
addresses they will need to be aware of the mapping of SIDs to IP
addresses. I think this issue is worth mentioning in Security
Considerations.”
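The two points the review raises (the AH ICV being computed over the packet as it arrives at the destination, and choke-point inspection devices needing the SID-to-address mapping) can be seen in a small simulation. The following Python is an added illustration written for this page; it is not code from the draft, from its authors, or from any CRH implementation. It uses a toy packet model, not the CRH wire format: the SID list is stored in first-hop-to-last-hop order, the ICV is an HMAC over the addresses, Segments Left, SID list and payload rather than a real AH computation, and the SID-to-address table, key and addresses are all constructed values.

```python
"""Toy model of CRH forwarding, AH ICV prediction and a choke-point policy check."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

# Constructed SID -> address table standing in for a node's CRH-FIB (documentation prefix).
CRH_FIB = {
    1: ipaddress.IPv6Address("2001:db8::1"),
    2: ipaddress.IPv6Address("2001:db8::2"),
    3: ipaddress.IPv6Address("2001:db8::3"),
}
SRC = ipaddress.IPv6Address("2001:db8:ffff::10")   # constructed originator address
KEY = b"constructed-demo-ah-key"                   # toy AH key shared by originator and destination


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address   # rewritten at every CRH-capable hop
    segments_left: int           # decremented at every CRH-capable hop
    sids: tuple                  # toy SID list in first-hop .. last-hop order (simplification)
    payload: bytes
    icv: bytes = b""


def covered_bytes(pkt):
    """Bytes the toy ICV covers: everything except the ICV itself."""
    return b"".join([pkt.src.packed, pkt.dst.packed, bytes([pkt.segments_left]),
                     bytes(pkt.sids), pkt.payload])


def compute_icv(pkt):
    return hmac.new(KEY, covered_bytes(pkt), hashlib.sha256).digest()


def arrival_form(pkt):
    """Predict the packet as it will look at the final destination: DA is the last
    SID's address and Segments Left is zero. The originator knows both up front."""
    return replace(pkt, dst=CRH_FIB[pkt.sids[-1]], segments_left=0, icv=b"")


def originate(sids, payload, predict=True):
    """Build the packet. With predict=True the ICV is computed over the arrival form;
    with predict=False it is computed over the as-sent form, which cannot verify."""
    pkt = Packet(SRC, CRH_FIB[sids[0]], len(sids) - 1, tuple(sids), payload)
    basis = arrival_form(pkt) if predict else pkt
    return replace(pkt, icv=compute_icv(basis))


def forward(pkt):
    """One CRH-capable hop: pick the next SID, rewrite DA, decrement Segments Left."""
    if pkt.segments_left == 0:
        return pkt
    next_sid = pkt.sids[len(pkt.sids) - pkt.segments_left]
    return replace(pkt, dst=CRH_FIB[next_sid], segments_left=pkt.segments_left - 1)


def deliver(pkt):
    while pkt.segments_left > 0:
        pkt = forward(pkt)
    return pkt


def verify_at_destination(pkt):
    """The final node recomputes the ICV over the packet exactly as it arrived."""
    return hmac.compare_digest(pkt.icv, compute_icv(replace(pkt, icv=b"")))


def policy_allows(pkt, allowed_pairs):
    """Choke-point check that resolves the ultimate destination through the SID
    mapping instead of trusting the current, hop-specific DA."""
    final_dst = CRH_FIB[pkt.sids[-1]] if pkt.sids else pkt.dst
    return (pkt.src, final_dst) in allowed_pairs


if __name__ == "__main__":
    good = deliver(originate([1, 2, 3], b"payload"))
    bad = deliver(originate([1, 2, 3], b"payload", predict=False))
    print("ICV predicted for arrival verifies:", verify_at_destination(good))
    print("ICV over as-sent packet verifies:  ", verify_at_destination(bad))
    mid = forward(originate([1, 2, 3], b"payload"))   # packet seen mid-path
    allowed = {(SRC, CRH_FIB[3])}
    print("plain SA/DA match at choke point:", (mid.src, mid.dst) in allowed)
    print("SID-aware match at choke point:  ", policy_allows(mid, allowed))
```

Running it shows the ICV computed over the predicted arrival form verifying at the last node while the one computed over the as-sent packet does not, and shows a mid-path packet whose current DA matches no {source, destination} rule until the device resolves the last SID through the same mapping the forwarding nodes use.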