Last Call Review of draft-ietf-6renum-enterprise-04
review-ietf-6renum-enterprise-04-secdir-lc-sheffer-2012-12-20-00

Request Review of draft-ietf-6renum-enterprise
Requested rev. no specific revision (document currently at 06)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2012-12-12
Requested 2012-11-29
Other Reviews Genart Telechat review of -05 by Wassim Haddad (diff)
Secdir Telechat review of -05 by Yaron Sheffer (diff)
Review State Completed
Reviewer Yaron Sheffer
Review review-ietf-6renum-enterprise-04-secdir-lc-sheffer-2012-12-20
Posted at http://www.ietf.org/mail-archive/web/secdir/current/msg03665.html
Reviewed rev. 04 (document currently at 06)
Review result Has Nits
Draft last updated 2012-12-20
Review completed: 2012-12-20

Review
review-ietf-6renum-enterprise-04-secdir-lc-sheffer-2012-12-20

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors.  Document editors and WG chairs should treat these
comments just like any other last call comments.



This document reviews best practices in renumbering IPv6 enterprise 


networks.






I apologize for my belated review, and hope it is still useful to the 


authors and document reviewers.




Summary



The Security Considerations section appears appropriate for this type of 


document. I do not see any issues that should block the document from 


advancing.




Details



- Usage of FQDN: I don't understand why RFC 5996 (IKEv2) is cited, I 


suspect this is a typo. Otherwise, please clarify.


- The "Security" subsection of 4.1 overlaps with the Security 


Considerations section, and I would recommend to consolidate them.


- 4.1, "Miscellaneous": I accept the recommendation to use FQDNs instead 


of IP addresses. But saying "connections can survive" implies to me that 


live TCP connections will survive an IP renumbering event, which is not 


the case. I would say "connectivity to the remote side can survive" instead.


- 4.3: RFC 2230 is mentioned as a way to deal with naming of IPsec 


endpoints. I am not aware of current implementations of this RFC (in 


fact it is not even mentioned in the current IPsec Roadmap document, RFC 


6071). Moreover, there is community consensus that IPsec should not be 


used in the absence of a key management protocol. And IKE/IKEv2 


certainly supports naming/identifying endpoints by FQDN.


- The Security Considerations are sufficient IMO. The first point (using 


renumbering to escape blacklisting) is appropriate in the context, even 


if per Martin Stiemerling's comment, this strategy may not be very 


effective. This is not a recommendation on how to bypass blacklisting, 


just a description of a potential vulnerability.




Thanks,
     Yaron