Telechat Review of draft-ietf-6man-rfc2460bis-09
review-ietf-6man-rfc2460bis-09-secdir-telechat-orman-2017-04-13-00

Request: Review of draft-ietf-6man-rfc2460bis
Requested rev.: no specific revision (document currently at 13)
Type: Telechat Review
Team: Security Area Directorate (secdir)
Deadline: 2017-04-11
Requested: 2017-03-17
Other Reviews:
    Intdir Early review of -08 by Bob Halley
    Genart Last Call review of -08 by Peter Yee
    Tsvart Telechat review of -09 by Martin Stiemerling
    Rtgdir Last Call review of -08 by Papadimitriou Dimitri
    Opsdir Early review of -09 by Linda Dunbar
Review State: Completed
Reviewer: Hilarie Orman
Review: review-ietf-6man-rfc2460bis-09-secdir-telechat-orman-2017-04-13
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/4hDGrIPgjO-zvHSA1y462qUUwIA
Reviewed rev.: 09 (document currently at 13)
Review result: Has Issues
Draft last updated: 2017-04-13
Review completed: 2017-04-13

Review

                    Security review of
       Internet Protocol, Version 6 (IPv6) Specification
              draft-ietf-6man-rfc2460bis-09

Do not be alarmed.  I have reviewed this document as part of the
security directorate’s ongoing effort to review all IETF documents
being processed by the IESG. These comments were written primarily for
the benefit of the security area directors.  Document editors and WG
chairs should treat these comments just like any other last call
comments.

This document is the IPv6 specification.  Recent modifications have
clarified how to process extension headers.

The security considerations are brief and have not changed:

    IPv6 ... has security properties similar to IPv4.  Risks of
    corruption, forgery, and interception of packets, resulting in the
    exposure of private information, may be mitigated by use of the
    Security Architecture for the Internet Protocol [RFC4301] or
    encryption at higher layers of the protocol stack.
 
I wonder if the only security consideration for IP is the risk of
exposure of private information?  Of course not.  But, I suppose
that's not in scope of this review.

One thing worth mentioning about the changes re header processing
is that it contributes to security by reducing complexity and
reducing the attack surface.

Hilarie