Last Call Review of draft-ietf-dhc-dhcpv6-client-link-layer-addr-opt-04
review-ietf-dhc-dhcpv6-client-link-layer-addr-opt-04-secdir-lc-emery-2013-02-21-00

Request Review of draft-ietf-dhc-dhcpv6-client-link-layer-addr-opt
Requested revision No specific revision (document currently at 05)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2013-02-18
Requested 2013-02-07
Authors Gaurav Halwasia, Shwetha Bhandari, Wojciech Dec
I-D last updated 2013-02-21
Completed reviews Genart Last Call review of -04 by Ben Campbell (diff)
Secdir Last Call review of -04 by Shawn M Emery (diff)
Assignment Reviewer Shawn M Emery
State Completed
Request Last Call review on draft-ietf-dhc-dhcpv6-client-link-layer-addr-opt by Security Area Directorate Assigned
Reviewed revision 04 (document currently at 05)
Result Ready
Completed 2013-02-21
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This internet-draft describes a way to provide client link-layer addresses in DHCPv6 Relay-Forward messages.

The security considerations section does exist and discusses an attack scenario involving rogue relay agents and clients where a DHCPv6 node could spoof the address of a separate DHCPv4 node. Subsequently if a Dynamic DNS update is made then a dual-stack node could be made to connect to the DHCPv6 client instead of the DHCPv4 client. To thwart such an attack the draft recommends that administrators configure IPsec between the DHCP server(s) and the relay agents. Besides the security considerations of DHCP in general, I think that this document adequately covers the feature being introduced.

General comments:

None.

Editorial comments:



s/will help above mentioned scenarios/will help with the scenarios mentioned above/

s/used in wide/used in a wide/

Shawn.
--