Last Call Review of draft-ietf-radext-ipv6-access-13
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.
The draft adds IPv6 RADIUS attributes for information received using DHCP. The attributes include IPv6 address, DNS server address, IPv6 route information, delegated IPv6 prefix, and stateful IPv6 address pool.
The security considerations section covers general vulnerabilities in RADIUS just to say that those apply here as well. It also makes a reference to IPsec as "natively defined for IPv6". This can IMO be omitted, as pretty much every platform that has IPsec for IPv6 has it for IPv4 as well, and IPsec is no longer required for compliance with IPv6, otherwise all those smart objects would be non-compliant.
There is no treatment of the issue of a rogue RADIUS server supplying bad routes to the NAS. This can be explained away by saying that a trust relationship exists between RADIUS server and NAS, but I think this should be mentioned.
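One NAS-side check that addresses the rogue-route concern above, added here as an illustration and not taken from the draft or any RADIUS implementation: before installing a route received from the RADIUS server, the NAS validates each decoded Route-IPv6-Information value against an operator-configured scope and rejects default, special-use, malformed and out-of-scope prefixes. The scope, the sample values and the assumption that the attribute has already been decoded to textual prefixes are all constructed for this example.

```python
import ipaddress
from typing import Iterable

# Constructed NAS policy: the only scope from which the RADIUS server may push
# routes for subscriber sessions (a real NAS would load this from its config).
ALLOWED_ROUTE_SCOPE = [ipaddress.IPv6Network("2001:db8:1000::/36")]

# Constructed sample of Route-IPv6-Information values, already decoded to
# textual prefixes by the NAS (an assumed decoder, not the wire format).
SAMPLE_ROUTES = [
    "2001:db8:1000::/48",   # inside the permitted scope
    "2001:db8:1000::/48",   # same prefix repeated
    "::/0",                 # default route: would redirect all traffic
    "2001:db8:1000::1/64",  # host bits set in a prefix
    "fe80::/64",            # link-local, never a valid pushed route
    "2001:db8:f000::/36",   # outside the permitted scope
    "not-a-prefix",         # malformed
]

def validate_route_info(values: Iterable[str], allowed=ALLOWED_ROUTE_SCOPE):
    """Split decoded route values into (accepted networks, [(value, reason)])."""
    accepted, rejected, seen = [], [], set()
    for raw in values:
        try:
            net = ipaddress.IPv6Network(raw, strict=True)
        except ValueError:
            rejected.append((raw, "malformed prefix or host bits set"))
            continue
        if net.prefixlen == 0:
            rejected.append((raw, "default route not accepted from RADIUS"))
            continue
        if net.is_link_local or net.is_multicast or net.is_loopback:
            rejected.append((raw, "special-use prefix"))
            continue
        if not any(net.subnet_of(scope) for scope in allowed):
            rejected.append((raw, "outside operator-configured route scope"))
            continue
        if net in seen:
            rejected.append((raw, "duplicate"))
            continue
        seen.add(net)
        accepted.append(net)
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = validate_route_info(SAMPLE_ROUTES)
    for net in ok:
        print("install", net)
    for raw, why in bad:
        print("reject", raw, "-", why)
```

Rejected values are worth logging with their reason, since a RADIUS server that repeatedly pushes out-of-scope or default routes is itself a signal worth investigating.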