Last Call Review of draft-ietf-softwire-4rd-08
review-ietf-softwire-4rd-08-secdir-lc-atkins-2014-10-09-00
| Request | Review of | draft-ietf-softwire-4rd |
|---|---|---|
| Requested revision | No specific revision (document currently at 10) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2014-10-10 | |
| Requested | 2014-10-06 | |
| Authors | Remi Despres , Sheng Jiang , Reinaldo Penno , Yiu Lee , Gang Chen , Maoke Chen | |
| Draft last updated | 2014-10-09 | |
| Completed reviews |
Genart Last Call review of -08
by
Christer Holmberg
(diff)
Genart Last Call review of -09 by Christer Holmberg (diff) Secdir Last Call review of -08 by Derek Atkins (diff) |
|
| Assignment | Reviewer | Derek Atkins |
| State | Completed | |
| Review |
review-ietf-softwire-4rd-08-secdir-lc-atkins-2014-10-09
|
|
| Reviewed revision | 08 (document currently at 10) | |
| Result | Has Issues | |
| Completed | 2014-10-09 |
review-ietf-softwire-4rd-08-secdir-lc-atkins-2014-10-09-00
Hi,
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.
I see no major technical issues with this document, although I do have
one question: In the Security Considerations section under Spoofing
attacks you talk about ingress filtering and address consistency, but
couldn't one could theoretically spoof ICMP messages by injecting
messages with the "reserved IPv4 dummy address" specified in section
4.8? Moreover, the whole security of the system depends on everyone
in the network behaving properly. Is that something we can really
assume to be true?
I also have one editorial comment:
In Section 3, on page 7 you say:
For IPv4 anti-spoofing protection to extend to IPv4, ingress
filtering has to be effective in IPv6 (Section 4.4 and Section 5).
I suspect this should read "For IPv6 anti-spoofing protection to
extend to IPv4,...". Or maybe the other way around? I'm not sure
what you mean here; the current phrasing is confusing.
Thanks,
-derek
--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant