Last Call Review of draft-ietf-behave-ftp64-
review-ietf-behave-ftp64-secdir-lc-eastlake-2011-06-17-00

Request Review of draft-ietf-behave-ftp64
Requested revision No specific revision (document currently at 12)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2011-06-03
Requested 2011-05-21
Authors Iljitsch van Beijnum
I-D last updated 2011-06-17
Completed reviews Secdir Last Call review of -?? by Donald E. Eastlake 3rd
Tsvdir Last Call review of -?? by Fernando Gont
Assignment Reviewer Donald E. Eastlake 3rd
State Completed
Request Last Call review on draft-ietf-behave-ftp64 by Security Area Directorate Assigned
Completed 2011-06-17
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This draft is about trying to secure access to IPv4 FTP servers from
IPv6 clients. The results are not terribly encouraging but I find they
are quite accurately described in the Security Considerations Section
and I don't think you could do much better given a requirement to work
with existing FTP servers.

I have a bit of a problem with the title ("An FTP ALG for
IPv6-to-IPv4 translation") and the slant of some of the wording. It
claims to be able to describe, as an Application Level Gateway,
various recommendations which are then combined with a separate
existing IPv6-to-IPv4 ALG. It talks about multiple ALGs being
implemented at a single entity that are handling a single FTP
session. This just all seems very odd to me as it isn't very clear
what the interface between these different ALGs all somehow
cooperating on one session is. I believe, in reality, anyone
implementing this will take an existing ALG and modify it as suggested
in the draft. The draft would therefore make more sense if written as
suggested changes to a single ALG rather than as an additional ALG
that is somehow compounded with an existing FTP ALG... Just my
opinion.

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street
 Milford, MA 01757 USA
 d3e3e3 at gmail.com