Skip to main content

Last Call Review of draft-ietf-v6ops-ipv6-cpe-router-

Request Review of draft-ietf-v6ops-ipv6-cpe-router
Requested revision No specific revision (document currently at 09)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2010-08-10
Requested 2010-07-15
Authors Wes Beebee , Chris Donley , Hemant Singh , Ole Trøan , Barbara Stark
I-D last updated 2010-07-30
Completed reviews Secdir Last Call review of -?? by Scott G. Kelly
Assignment Reviewer Scott G. Kelly
State Completed
Review review-ietf-v6ops-ipv6-cpe-router-secdir-lc-kelly-2010-07-30
Completed 2010-07-30
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
 Document editors and WG chairs should treat these comments just like any other
last call comments.

As the title implies, this document discusses basic requirements for IPv6
customer edge routers. The comments given here are limited to security only.

The security considerations section begins with a paragraph stating that basic
stateless egress and ingress filters should be supported (lowercase "should"),
and goes on to say that the CE router should offer mechanisms to filter traffic
entering the customer network, but that how these are implemented is out of
scope (lowercase "should"). Then, it has the following statements:

   Security requirements:

   S-1:  The IPv6 CE router SHOULD support

   S-2:  The IPv6 CE router MUST support ingress filtering in accordance
         with [RFC2827] (BCP 38)

When I first read this, I thought the statements in the first paragraph were
somewhat weak and imprecise, as they don't use RFC2119 language. When I read
draft-ietf-v6ops-cpe-simple-security-12.txt, I thought that document gives a
relatively thorough treatment of security considerations, but I'm not sure what
it means to say "The IPv6 CE router SHOULD support" it.

What does this mean? Since the referenced ID only makes recommendations (and
explicitly states the RFC2119 language is not binding) what does it mean to
"support" it? Must a device implement all recommendations? Must it implement
only certain ones?

I think it makes sense to reference the simple security document rather than
re-writing significant sections of it here, but I also think that this
statement of security requirements should be considerably more precise.