Last Call Review of draft-ietf-radext-ipv6-access-13
review-ietf-radext-ipv6-access-13-secdir-lc-nir-2012-11-18-00

Request Review of draft-ietf-radext-ipv6-access
Requested rev. no specific revision (document currently at 16)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2012-11-13
Requested 2012-11-01
Review State Completed
Reviewer Yoav Nir
Review review-ietf-radext-ipv6-access-13-secdir-lc-nir-2012-11-18
Posted at http://www.ietf.org/mail-archive/web/secdir/current/msg03632.html
Reviewed rev. 13 (document currently at 16)
Review result Has Nits
Draft last updated 2012-11-18
Review closed: 2012-11-18

Review

Hi

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

The draft adds IPv6 RADIUS attributes for information received using DHCP. The attributes include IPv6 address, DNS server address, IPv6 route information, delegated IPv6 prefix, and stateful IPv6 address pool.

The security considerations section covers general vulnerabilities in RADIUS just to say that those apply here as well. It also makes a reference to IPsec as "natively defined for IPv6". This can IMO be omitted, as pretty much every platform that has IPsec for IPv6 has it for IPv4 as well, and IPsec is no longer required for compliance with IPv6, otherwise all those smart objects would be non-compliant.

There is no treatment of the issue of a rogue RADIUS server supplying bad routes to the NAS. This can be explained away by saying that a trust relationship exists between RADIUS server and NAS, but I think this should be mentioned.

Yoav
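The review's last point, a RADIUS server handing the NAS bad IPv6 routes or prefixes, is usually answered with "the NAS trusts its RADIUS server", but a NAS can still apply local policy before installing anything. The following is an added example, not part of the review or of the draft, showing the kind of sanity check a NAS could run over prefixes received in route and delegated-prefix attributes. It assumes the attribute values have already been decoded into prefix strings (the RADIUS wire format is not handled here), and the operator address range and sample prefixes are constructed for illustration.

```python
"""Sanity checks a NAS can apply to IPv6 routes and delegated prefixes
pushed by a RADIUS server before installing them (added example)."""
import ipaddress

# Constructed operator policy: the NAS only installs routes that fall
# inside the address space the operator actually owns (hypothetical range).
ALLOWED_RANGES = [ipaddress.IPv6Network("2001:db8::/32")]

# Constructed sample of prefixes as they might arrive from a RADIUS server,
# already decoded from the route/prefix attributes (decoding not shown).
SAMPLE_ROUTES = [
    "2001:db8:1::/48",      # inside operator space: accept
    "2001:db8:1:2::/64",    # more specific, still inside: accept
    "::/0",                 # default route: would redirect all traffic
    "fe80::/10",            # link-local: never routable
    "ff00::/8",             # multicast: not a unicast route
    "2001:db8:1::1/48",     # host bits set: malformed
    "2001:db9::/32",        # outside operator space
]


def route_rejection_reason(prefix_str, allowed=ALLOWED_RANGES):
    """Return None if the prefix is acceptable, else a short reason string."""
    try:
        # strict=True rejects prefixes with host bits set
        net = ipaddress.IPv6Network(prefix_str, strict=True)
    except ValueError as exc:
        return f"malformed: {exc}"
    if net.prefixlen == 0:
        return "default route"
    if net.is_multicast:
        return "multicast"
    if net.is_link_local:
        return "link-local"
    if net.is_loopback or net.is_unspecified:
        return "loopback/unspecified"
    # Fail closed: the prefix must lie inside an operator-owned range.
    if not any(net.subnet_of(r) for r in allowed):
        return "outside operator address space"
    return None


def filter_routes(prefixes, allowed=ALLOWED_RANGES):
    """Split server-supplied prefixes into accepted networks and
    rejected (prefix, reason) pairs; the latter are worth logging."""
    accepted, rejected = [], []
    for p in prefixes:
        reason = route_rejection_reason(p, allowed)
        if reason is None:
            accepted.append(ipaddress.IPv6Network(p))
        else:
            rejected.append((p, reason))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_routes(SAMPLE_ROUTES)
    for net in ok:
        print("install", net)
    for prefix, reason in bad:
        print("reject", prefix, "-", reason)
```

The check is deliberately fail-closed: anything not explicitly inside the operator's own address space is dropped rather than installed, and the rejection reasons give the NAS something concrete to log so that a misbehaving or compromised RADIUS server shows up in monitoring instead of silently changing forwarding.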