Last Call Review of draft-ietf-softwire-4rd-08
review-ietf-softwire-4rd-08-secdir-lc-atkins-2014-10-09-00
Request | Review of | draft-ietf-softwire-4rd |
---|---|---|
Requested revision | No specific revision (document currently at 10) | |
Type | Last Call Review | |
Team | Security Area Directorate (secdir) | |
Deadline | 2014-10-10 | |
Requested | 2014-10-06 | |
Authors | Rémi Després, Sheng Jiang, Reinaldo Penno, Yiu Lee, Gang Chen, Maoke Chen | |
I-D last updated | 2014-10-09 | |
Completed reviews | Genart Last Call review of -08 by Christer Holmberg; Genart Last Call review of -09 by Christer Holmberg; Secdir Last Call review of -08 by Derek Atkins | |
Assignment | Reviewer | Derek Atkins |
State | Completed | |
Review | review-ietf-softwire-4rd-08-secdir-lc-atkins-2014-10-09 | |
Reviewed revision | 08 (document currently at 10) | |
Result | Has Issues | |
Completed | 2014-10-09 |
Hi,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

I see no major technical issues with this document, although I do have one question:

In the Security Considerations section under Spoofing attacks you talk about ingress filtering and address consistency, but couldn't one theoretically spoof ICMP messages by injecting messages with the "reserved IPv4 dummy address" specified in section 4.8?

Moreover, the whole security of the system depends on everyone in the network behaving properly. Is that something we can really assume to be true?

I also have one editorial comment:

In Section 3, on page 7 you say:

  For IPv4 anti-spoofing protection to extend to IPv4, ingress filtering has to be effective in IPv6 (Section 4.4 and Section 5).

I suspect this should read "For IPv6 anti-spoofing protection to extend to IPv4,...". Or maybe the other way around? I'm not sure what you mean here; the current phrasing is confusing.

Thanks,

-derek

--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant