Last Call Review of draft-ietf-conex-destopt-09
review-ietf-conex-destopt-09-secdir-lc-sparks-2015-08-27-00

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Summary: On the right track with open issues

I was also the Gen-Art reviewer for this draft
My Gen-Art Review can be found here:
<

http://mailarchive.ietf.org/arch/msg/gen-art/kxvhQcl3d2fS5aX_4nXUqGRBy0w

>
Please skim that review if you have not already seen it for context.



This document defines a new IPv6 Destination Option. It relies on AH to 


detect any tampering (particularly removal) with the option.






The document is currently formulated to simply define the option, and 


leaves it to other documents to describe when to use the option and how 


audit mechanisms in protocols that use the option can protect themselves 


from likely attacks. If the document clarifies that the option must not 


be used except by a protocol that has defined these things, I believe 


sufficient effort has been put into the security considerations. If the 


group intends for this option to be usable without such an additional 


protocol definition, this document needs to contain more discussion.