Last Call Review of draft-ietf-radext-ipv6-access-13

Request: Review of draft-ietf-radext-ipv6-access
Requested revision: No specific revision (document currently at 16)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2012-11-13
Requested: 2012-11-01
Authors: Wojciech Dec, Behcet Sarikaya, Glen Zorn, David Miles, Benoit Lourdelet
I-D last updated: 2012-11-18
Completed reviews: Secdir Last Call review of -13 by Yoav Nir
Assignment: Reviewer Yoav Nir
State: Completed
Request: Last Call review on draft-ietf-radext-ipv6-access by Security Area Directorate Assigned
Reviewed revision: 13 (document currently at 16)
Result: Has nits
Completed: 2012-11-18

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.

The draft adds IPv6 RADIUS attributes for information received using DHCP. The
attributes include IPv6 address, DNS server address, IPv6 route information,
delegated IPv6 prefix, and stateful IPv6 address pool.

The security considerations section covers general vulnerabilities in RADIUS
just to say that those apply here as well. It also makes a reference to IPsec
as "natively defined for IPv6". This can IMO be omitted, as pretty much every
platform that has IPsec for IPv6 has it for IPv4 as well, and IPsec is no
longer required for compliance with IPv6, otherwise all those smart objects
would be non-compliant.

There is no treatment of the issue of a rogue RADIUS server supplying bad
routes to the NAS. This can be explained away by saying that a trust
relationship exists between RADIUS server and NAS, but I think this should be
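Added example, not part of Yoav Nir's review and not code from the draft: a small encoder/decoder for the IPv6 RADIUS attributes the review summarises (address, DNS server, route information, delegated-prefix pool, stateful address pool), plus a NAS-side plausibility check that addresses the rogue-RADIUS-server concern above by refusing Route-IPv6-Information values that are malformed, are a default or link-local route, or fall outside the operator's own aggregate. The attribute type codes and the Route-IPv6-Information layout (Reserved, Prefix-Length, Prefix, same shape as Framed-IPv6-Prefix) are taken from RFC 6911, the RFC this draft became; treating them as what revision -13 used is an assumption. The sample attribute bytes and the "2001:db8::/32" aggregate are constructed for the example.

```python
import ipaddress
import struct

# Attribute type codes as assigned in RFC 6911 (assumption relative to draft -13).
FRAMED_IPV6_ADDRESS = 168
DNS_SERVER_IPV6_ADDRESS = 169
ROUTE_IPV6_INFORMATION = 170
DELEGATED_IPV6_PREFIX_POOL = 171
STATEFUL_IPV6_ADDRESS_POOL = 172


def _tlv(attr_type, value):
    """RADIUS attribute: Type (1 octet), Length (1 octet, includes header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_address_attr(attr_type, addr):
    """Framed-IPv6-Address / DNS-Server-IPv6-Address carry one 16-octet address."""
    return _tlv(attr_type, ipaddress.IPv6Address(addr).packed)


def encode_route_ipv6_information(prefix):
    """Reserved (0), Prefix-Length, then only as many prefix octets as needed."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    nbytes = (net.prefixlen + 7) // 8
    return _tlv(ROUTE_IPV6_INFORMATION,
                bytes([0, net.prefixlen]) + net.network_address.packed[:nbytes])


def encode_pool_attr(attr_type, name):
    """Delegated-IPv6-Prefix-Pool / Stateful-IPv6-Address-Pool carry a pool name."""
    return _tlv(attr_type, name.encode("utf-8"))


def decode_attributes(data):
    """Split raw RADIUS attribute bytes into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("attribute length %d invalid at offset %d" % (length, i))
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def parse_route_ipv6_information(value):
    """Decode a Route-IPv6-Information value into an IPv6Network, strictly."""
    if len(value) < 2:
        raise ValueError("value shorter than Reserved + Prefix-Length")
    plen, prefix_bytes = value[1], value[2:]
    if plen > 128 or len(prefix_bytes) > 16 or len(prefix_bytes) < (plen + 7) // 8:
        raise ValueError("Prefix-Length %d inconsistent with %d prefix octets" % (plen, len(prefix_bytes)))
    packed = prefix_bytes.ljust(16, b"\x00")
    net = ipaddress.IPv6Network("%s/%d" % (ipaddress.IPv6Address(packed), plen), strict=False)
    if net.network_address.packed != packed:
        raise ValueError("non-zero bits beyond Prefix-Length")  # spec requires these be zero
    return net


def accept_routes(attrs, allowed_aggregates):
    """NAS-side policy for routes learned from RADIUS: accept only well-formed, non-default,
    non-link-local, non-multicast prefixes inside an operator-configured aggregate.
    Returns (accepted networks, list of (raw or text, reason) rejections)."""
    allowed = [ipaddress.IPv6Network(a) for a in allowed_aggregates]
    accepted, rejected = [], []
    for attr_type, value in attrs:
        if attr_type != ROUTE_IPV6_INFORMATION:
            continue
        try:
            net = parse_route_ipv6_information(value)
        except ValueError as exc:
            rejected.append((value.hex(), str(exc)))
            continue
        if net.prefixlen == 0:
            rejected.append((str(net), "default route from RADIUS not permitted"))
        elif net.is_link_local or net.is_multicast:
            rejected.append((str(net), "link-local or multicast prefix"))
        elif not any(net.subnet_of(agg) for agg in allowed):
            rejected.append((str(net), "outside operator aggregate"))
        else:
            accepted.append(net)
    return accepted, rejected


# Constructed sample Access-Accept attribute payload: one good route, three bad ones.
SAMPLE_ATTRIBUTES = b"".join([
    encode_address_attr(FRAMED_IPV6_ADDRESS, "2001:db8:1::10"),
    encode_address_attr(DNS_SERVER_IPV6_ADDRESS, "2001:db8::53"),
    encode_route_ipv6_information("2001:db8:100::/48"),  # inside aggregate: accepted
    encode_route_ipv6_information("::/0"),               # default route: rejected
    encode_route_ipv6_information("fe80::/64"),          # link-local: rejected
    encode_route_ipv6_information("2001:db9::/32"),      # not ours: rejected
    encode_pool_attr(DELEGATED_IPV6_PREFIX_POOL, "pd-pool-east"),
])


def demo(aggregates=("2001:db8::/32",)):
    return accept_routes(decode_attributes(SAMPLE_ATTRIBUTES), aggregates)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("accepted:", [str(n) for n in accepted])
    for item, reason in rejected:
        print("rejected:", item, "-", reason)
```

The aggregate check is the part that actually stands in for "trust between NAS and RADIUS server": even with a trusted server, a compromised or misconfigured one can only steer traffic within the prefixes the NAS operator has agreed to accept, and a hostile default route never reaches the forwarding table.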