
Last Call Review of draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03
review-ietf-opsec-ipv6-implications-on-ipv4-nets-03-secdir-lc-salowey-2013-04-18-00

Request Review of draft-ietf-opsec-ipv6-implications-on-ipv4-nets
Requested revision No specific revision (document currently at 07)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2013-04-12
Requested 2013-04-04
Authors Fernando Gont, Will (Shucheng) LIU
I-D last updated 2013-04-18
Completed reviews Genart Last Call review of -03 by Roni Even (diff)
Secdir Last Call review of -03 by Joseph A. Salowey (diff)
Assignment Reviewer Joseph A. Salowey
State Completed
Request Last Call review on draft-ietf-opsec-ipv6-implications-on-ipv4-nets by Security Area Directorate Assigned
Reviewed revision 03 (document currently at 07)
Result Has issues
Completed 2013-04-18
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

I consider this document ready with issues described below.

draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03 discusses issues with IPv6
running on networks that have incomplete security controls (firewall and IDS)
for IPv6. It basically describes what you need to filter on to filter out
IPv6 traffic and tunneling technologies. This seems like mostly useful
information; however, it's not clear to me if you implement all the controls in
the document if you would not still have a problem from IPv6 on a local link or
IPv6 tunneled through some non-standard means. It seems the document should at
least mention this risk in the security considerations since hosts on these
networks may be IPv6 enabled. One related issue I have seen is in end host
configuration where a host based firewall is configured with IPv4 rules and
left silent on IPv6 with varying results. I don't recall seeing any
discussion of this in the document, but it might also be worth covering in
security considerations as well.

Cheers,

Joe
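
The host-firewall gap the review mentions (IPv4 rules present, IPv6 left silent) can be audited by comparing the two rule sets. The following is an added example, not part of the review or the draft; it assumes a Linux host whose rules are dumped in `iptables-save` / `ip6tables-save` format, and the sample dumps and function names are constructed for illustration.

```python
import re

# Constructed sample dumps in iptables-save / ip6tables-save format (not from the page).
V4_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

V6_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

def parse_filter(dump):
    """Return {chain: (policy, rule_count)} for built-in chains of the filter table."""
    chains, table = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter":
            m = re.match(r":(\S+)\s+(ACCEPT|DROP)\b", line)  # user chains use "-" and are skipped
            if m:
                chains[m.group(1)] = [m.group(2), 0]
            elif line.startswith("-A "):
                name = line.split()[1]
                if name in chains:
                    chains[name][1] += 1
    return {c: tuple(v) for c, v in chains.items()}

def ipv6_gaps(v4_dump, v6_dump):
    """Chains where IPv4 defaults to DROP but IPv6 accepts everything with no rules."""
    v4, v6 = parse_filter(v4_dump), parse_filter(v6_dump)
    gaps = []
    for chain, (policy, _) in sorted(v4.items()):
        # Assumption: a chain missing from the IPv6 dump behaves as policy ACCEPT, no rules.
        v6_policy, v6_rules = v6.get(chain, ("ACCEPT", 0))
        if policy == "DROP" and v6_policy == "ACCEPT" and v6_rules == 0:
            gaps.append(chain)
    return gaps
```

On a live host the two strings would come from the output of `iptables-save` and `ip6tables-save`; a non-empty result means the IPv4 default-deny posture has no IPv6 counterpart on those chains.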