Last Call Review of draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03
review-ietf-opsec-ipv6-implications-on-ipv4-nets-03-secdir-lc-salowey-2013-04-18-00

Request: Review of draft-ietf-opsec-ipv6-implications-on-ipv4-nets
Requested rev.: no specific revision (document currently at 07)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2013-04-12
Requested: 2013-04-04
Authors: Fernando Gont, Will LIU
Draft last updated: 2013-04-18
Completed reviews: Genart Last Call review of -03 by Roni Even; Secdir Last Call review of -03 by Joseph Salowey
Assignment: Reviewer Joseph Salowey
State: Completed
Review: review-ietf-opsec-ipv6-implications-on-ipv4-nets-03-secdir-lc-salowey-2013-04-18
Reviewed rev.: 03 (document currently at 07)
Review result: Has Issues
Review completed: 2013-04-18

Review

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

I consider this document ready with issues described below.  

draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03 discusses issues with IPv6 running on networks that have incomplete security controls (firewall and IDS) for IPv6. It basically describes what you need to filter on to filter out IPv6 traffic and tunneling technologies. This seems like mostly useful information; however, it's not clear to me that, if you implement all the controls in the document, you would not still have a problem from IPv6 on a local link or IPv6 tunneled through some non-standard means. It seems the document should at least mention this risk in the security considerations, since hosts on these networks may be IPv6 enabled. One related issue I have seen is in end-host configuration, where a host-based firewall is configured with IPv4 rules and left silent on IPv6, with varying results. I don't recall seeing any discussion of this in the document, but it might also be worth covering in the security considerations.

Cheers,

Joe
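The host-firewall gap the review raises (IPv4 rules present, IPv6 side silent or permissive) is something a defender can check mechanically. The script below is an added example written for this page; it is not part of the draft, the review, or any project the review refers to. It assumes the textual dump format written by iptables-save and ip6tables-save, and the sample dumps embedded in it are constructed, not captured from a real host. Beyond the review's point, it also checks whether the IPv4 ruleset addresses the two common encapsulations by which IPv6 can cross an IPv4-only filter: IP protocol 41 (6in4/ISATAP) and UDP port 3544 (Teredo, RFC 4380); treating the absence of such rules as a finding is this example's own policy choice, not a requirement stated on the page.

```python
"""Audit an iptables-save / ip6tables-save pair for IPv6 coverage gaps.

Added example for this review page; the dumps below are constructed.
A finding is emitted when a filter chain is DROP-by-default for IPv4
but not for IPv6, when a chain has IPv4 rules but no IPv6 rules at all,
or when the IPv4 ruleset never mentions the usual tunnel carriers
(protocol 41 for 6in4/ISATAP, UDP/3544 for Teredo).
"""
import re
from dataclasses import dataclass, field


@dataclass
class Table:
    policies: dict = field(default_factory=dict)  # chain name -> default policy
    rules: dict = field(default_factory=dict)     # chain name -> list of "-A ..." lines


def parse_save(dump: str) -> dict:
    """Parse iptables-save style text into {table_name: Table}."""
    tables, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):               # "*filter" opens a table
            current = tables.setdefault(line[1:], Table())
        elif line == "COMMIT":                 # closes the table
            current = None
        elif current is None:
            continue
        elif line.startswith(":"):             # ":INPUT DROP [0:0]" declares a chain
            chain, policy = line[1:].split()[:2]
            current.policies[chain] = policy
            current.rules.setdefault(chain, [])
        elif line.startswith("-A "):           # "-A INPUT ..." appends a rule
            chain = line.split()[1]
            current.rules.setdefault(chain, []).append(line)
    return tables


# iptables-save writes protocol 41 either numerically or as "ipv6" (from /etc/protocols)
PROTO41 = re.compile(r"-p (?:41|ipv6)(?=\s|$)")
TEREDO = re.compile(r"-p udp\b.*--dport 3544(?=\s|$)")


def find_gaps(v4_dump: str, v6_dump: str) -> list:
    """Return human-readable findings; an empty list means no gap was detected."""
    v4 = parse_save(v4_dump).get("filter", Table())
    v6 = parse_save(v6_dump).get("filter", Table())
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        p4 = v4.policies.get(chain, "ACCEPT")   # kernel default when a chain is absent
        p6 = v6.policies.get(chain, "ACCEPT")
        n4 = len(v4.rules.get(chain, []))
        n6 = len(v6.rules.get(chain, []))
        if p4 == "DROP" and p6 != "DROP":
            findings.append(f"{chain}: IPv4 default policy {p4} but IPv6 default policy {p6}")
        if n4 and not n6:
            findings.append(f"{chain}: {n4} IPv4 rule(s) but no IPv6 rules at all")
    v4_rules = [r for rs in v4.rules.values() for r in rs]
    if not any(PROTO41.search(r) for r in v4_rules):
        findings.append("no IPv4 rule matches protocol 41 (6in4/ISATAP encapsulation)")
    if not any(TEREDO.search(r) for r in v4_rules):
        findings.append("no IPv4 rule matches UDP/3544 (Teredo)")
    return findings


# Constructed sample: a typical IPv4-only host policy ...
V4_DUMP_WEAK = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
# ... with the IPv6 side left untouched (everything ACCEPT, no rules).
V6_DUMP_WEAK = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""
# Constructed hardened pair: IPv6 mirrors IPv4 (plus ICMPv6, which IPv6 needs for
# neighbour discovery), and IPv4 explicitly handles the tunnel carriers.
V4_DUMP_HARDENED = V4_DUMP_WEAK.replace(
    "COMMIT",
    "-A INPUT -p ipv6 -j DROP\n-A INPUT -p udp -m udp --dport 3544 -j DROP\nCOMMIT",
)
V6_DUMP_HARDENED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for label, pair in (("weak", (V4_DUMP_WEAK, V6_DUMP_WEAK)),
                        ("hardened", (V4_DUMP_HARDENED, V6_DUMP_HARDENED))):
        print(f"[{label}]")
        for f in find_gaps(*pair) or ["no gaps found"]:
            print("  -", f)
```

On a live host the two dumps would come from `iptables-save` and `ip6tables-save` (or the equivalent nft output, which this parser does not handle); the check is deliberately limited to the filter table and the three built-in chains, since that is where the "silent on IPv6" condition the review describes shows up first.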