Last Call Review of draft-ietf-ipsecme-ikev2-ipv6-config-
I am reviewing this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments. Feel free to
forward to any appropriate forum.
This document extends the limited support for IPv6 VPN solutions in
IKEv2, in particular allowing for multiple prefixes rather than a
fixed number of addresses, which in turn allows various addressing
strategies to be used.
The Security Considerations section is actually quite unclear to me -
at first glance, the opening phrase suggests that the solution does
indeed do the thing it warns against, that is, assigning each client
a unique, and therefore identifiable, prefix. It also fails to draw
the reader's attention to any other relevent considerations - I'm
assuming that the two and a half pages of security considerations in
RFC 4306 have some direct relevance here.
Also, the informative references noted in the Acknowledgements
section would appear to have some potentially important security
considerations - for example, RFC 4891's final consideration is:
Please note that using IPsec for the scenarios described in Figures
1, 2, and 3 does not aim to protect the end-to-end communication.
protects just the tunnel part. It is still possible for an IPv6
endpoint not attached to the IPsec tunnel to spoof packets.
... given that IKEv2's previous support for IPv6 limited it to a
single host at the client end, one assumes that this document
introduces at least this security consideration.