IETF Last Call Review of draft-ietf-6man-icmpv6-reflection-11
review-ietf-6man-icmpv6-reflection-11-tsvart-lc-rose-2025-10-15-00

Request Review of draft-ietf-6man-icmpv6-reflection
Requested revision No specific revision (document currently at 19)
Type IETF Last Call Review
Team Transport Area Review Team (tsvart)
Deadline 2025-10-26
Requested 2025-10-12
Authors Tal Mizrahi, hexiaoming, Tianran Zhou, Ron Bonica, Xiao Min
I-D last updated 2026-05-20 (Latest revision 2025-12-15)
Completed reviews Genart IETF Last Call review of -12 by Thomas Fossati
Secdir IETF Last Call review of -11 by Robert Sparks
Opsdir IETF Last Call review of -12 by Niclas Comstedt
Tsvart IETF Last Call review of -11 by Kyle Rose
Intdir Telechat review of -12 by Suresh Krishnan
Assignment Reviewer Kyle Rose
State Completed
Request IETF Last Call review on draft-ietf-6man-icmpv6-reflection by Transport Area Review Team Assigned
Posted at https://mailarchive.ietf.org/arch/msg/tsv-art/UtwIB5SI7PNOgMRE9fET8CSdlF8
Reviewed revision 11 (document currently at 19)
Result Almost ready
Completed 2025-10-15
This document has been reviewed as part of the transport area review team's
ongoing effort to review key IETF documents. These comments were written
primarily for the transport area directors, but are copied to the document's
authors and WG to allow them to address any issues raised and also to the IETF
discussion list for information.

When done at the time of IETF Last Call, the authors should consider this
review as part of the last-call comments they receive. Please always CC
tsv-art@ietf.org if you reply to or forward this review.

This document is Almost Ready.

This document describes a mechanism for reflecting the prefix of an IPv6 packet
back to its source (or to whatever the destination sees as the source),
leveraging the ICMPv6 Extended Echo mechanism. It is designed to avoid
amplification attacks by requiring the request and response to be the same size.

My only comments regard the (presumably normative) requirement that "Middle
boxes must not modify the Reflect All extension object. This ensures that the
reflected information reaches the probing node exactly as sent by the probed
node." Firstly, I assume this should be a "MUST NOT". Secondly: I assume this
language was carefully chosen not to preclude wholesale filtering, but instead
to either let the request and response through untouched, *or* filter them
entirely. Was that the intent?

I imagine most network admins will not want to rely on endpoints, many of which
they have minimal control over, to filter requests or scrub replies that could
be used by adversaries to construct a model of their internal network topology,
and will take the easy path of entirely filtering these requests at network
boundaries.

You may wish to consider an update to RFC 4890 with guidance on how and when it
is appropriate to filter such requests or responses.
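The review notes that the draft relies on the request and the reply being the same size to rule out amplification. The following is an added example, not code from the draft, its authors, or the reviewer: a defender-side check that pairs ICMPv6 Extended Echo Replies with the matching Request seen in the opposite direction and flags any reply that is larger than its request. It assumes the ICMPv6 type values 160 (Extended Echo Request) and 161 (Extended Echo Reply) assigned by RFC 8335, treats everything after the four-byte ICMPv6 header as opaque bytes (the Reflect All extension object format is not modeled), leaves the ICMPv6 checksum at zero because only type and length are inspected, and uses constructed packets with documentation-prefix addresses rather than captured traffic.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Protocol constants. Types 160/161 are the ICMPv6 Extended Echo types
# assigned by RFC 8335 (assumption of this example, not stated on the page).
IPV6_HEADER_LEN = 40
ICMPV6_NEXT_HEADER = 58
ICMPV6_EXT_ECHO_REQUEST = 160
ICMPV6_EXT_ECHO_REPLY = 161


def build_icmpv6(msg_type: int, body: bytes) -> bytes:
    """Minimal ICMPv6 message: type, code 0, checksum left at zero.

    The checksum is deliberately not computed: this check only looks at the
    type and the length, and the body (where an extension object would sit)
    is treated as opaque bytes."""
    return struct.pack("!BBH", msg_type, 0, 0) + body


def build_ipv6(src: bytes, dst: bytes, payload: bytes,
               next_header: int = ICMPV6_NEXT_HEADER) -> bytes:
    """Wrap a payload in a fixed 40-byte IPv6 header (version 6, hop limit 64)."""
    assert len(src) == 16 and len(dst) == 16
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return hdr + src + dst + payload


def parse_icmpv6(pkt: bytes) -> Optional[Dict[str, object]]:
    """Return src/dst/type/length for an ICMPv6-over-IPv6 packet, else None."""
    if len(pkt) < IPV6_HEADER_LEN + 4 or pkt[0] >> 4 != 6:
        return None
    payload_len, next_header = struct.unpack("!HB", pkt[4:7])
    if next_header != ICMPV6_NEXT_HEADER:
        return None
    payload = pkt[IPV6_HEADER_LEN:IPV6_HEADER_LEN + payload_len]
    if len(payload) != payload_len:
        return None  # truncated packet: do not trust the declared length
    return {"src": pkt[8:24], "dst": pkt[24:40],
            "type": payload[0], "len": payload_len}


def find_amplified_replies(packets: List[bytes]) -> List[Tuple[int, int, int]]:
    """Pair each Extended Echo Reply with the most recent Request seen in the
    opposite direction and report replies larger than that request.

    Returns one (packet index, request length, reply length) tuple per
    violation of the same-size property the draft relies on."""
    last_request: Dict[Tuple[bytes, bytes], int] = {}
    violations: List[Tuple[int, int, int]] = []
    for i, pkt in enumerate(packets):
        info = parse_icmpv6(pkt)
        if info is None:
            continue
        if info["type"] == ICMPV6_EXT_ECHO_REQUEST:
            last_request[(info["src"], info["dst"])] = info["len"]
        elif info["type"] == ICMPV6_EXT_ECHO_REPLY:
            # Reverse the address pair to find the request this reply answers.
            req_len = last_request.get((info["dst"], info["src"]))
            if req_len is not None and info["len"] > req_len:
                violations.append((i, req_len, info["len"]))
    return violations


def sample_trace(reply_padding: int = 0) -> List[bytes]:
    """Constructed two-packet trace; reply_padding > 0 inflates the reply."""
    probing = bytes([0x20, 0x01, 0x0D, 0xB8] + [0] * 11 + [1])   # 2001:db8::1
    probed = bytes([0x20, 0x01, 0x0D, 0xB8] + [0] * 11 + [2])    # 2001:db8::2
    body = b"\x00" * 28  # opaque stand-in for the rest of the message
    request = build_ipv6(probing, probed,
                         build_icmpv6(ICMPV6_EXT_ECHO_REQUEST, body))
    reply = build_ipv6(probed, probing,
                       build_icmpv6(ICMPV6_EXT_ECHO_REPLY,
                                    body + b"\x00" * reply_padding))
    return [request, reply]


if __name__ == "__main__":
    print(find_amplified_replies(sample_trace()))    # []
    print(find_amplified_replies(sample_trace(40)))  # [(1, 32, 72)]
```

The check only reports replies that are larger than their request, since that is the amplification case; a stricter boundary policy in the spirit of the review's second comment would treat any size mismatch as a reason to drop the reply outright rather than to rewrite it.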