Telechat Review of draft-ietf-6man-rfc6874bis-09
review-ietf-6man-rfc6874bis-09-secdir-telechat-johansson-2023-08-21-00

Request Review of draft-ietf-6man-rfc6874bis
Requested revision No specific revision (document currently at 09)
Type Telechat Review
Team Security Area Directorate (secdir)
Deadline 2023-03-14
Requested 2023-02-24
Authors Brian E. Carpenter, Stuart Cheshire, Bob Hinden
I-D last updated 2023-08-21
Completed reviews Artart Last Call review of -02 by Martin Thomson (diff)
Secdir Last Call review of -02 by Leif Johansson (diff)
Genart Last Call review of -02 by Roni Even (diff)
Opsdir Last Call review of -02 by Jürgen Schönwälder (diff)
Intdir Telechat review of -05 by Carlos J. Bernardos (diff)
Secdir Telechat review of -09 by Leif Johansson
Assignment Reviewer Leif Johansson
State Completed
Request Telechat review on draft-ietf-6man-rfc6874bis by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/rSudEJEL3KA-SwAgzHi5x_PsM3s
Reviewed revision 09
Result Has nits
Completed 2023-08-21
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is Ready (with one question below).

The only question I have is on this paragraph in the Security 
Considerations section:

"In the case that a zone identifier contains the hexadecimal MAC
address of a network interface, it will be revealed to the HTTP
recipient and to any observer on the link.  Since the MAC address
will also be visible in the underlying layer 2 frame, this is not a
new exposure.  Nevertheless, this method of naming interfaces might
be considered to be a privacy issue."

Modern operating systems have the ability to randomize MAC addresses
for privacy reasons. The Security Considerations section doesn't mention
this practice, and I'm wondering if it should and, in particular, if the
section above is impacted by this practice.

Other than that I find the document well written and a good attempt to
describe the various challenges in this space. Well done!