Last Call Review of draft-ietf-v6ops-ipv6-cpe-router-
review-ietf-v6ops-ipv6-cpe-router-secdir-lc-kelly-2010-07-30-00

Request
  Review of: draft-ietf-v6ops-ipv6-cpe-router
  Requested rev.: no specific revision (document currently at 09)
  Type: Last Call Review
  Team: Security Area Directorate (secdir)
  Deadline: 2010-08-10
  Requested: 2010-07-15
  Draft last updated: 2010-07-30
  Completed reviews: Secdir Last Call review of -?? by Scott Kelly

Assignment
  Reviewer: Scott Kelly
  State: Completed
  Review: review-ietf-v6ops-ipv6-cpe-router-secdir-lc-kelly-2010-07-30
  Review completed: 2010-07-30

Review

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

As the title implies, this document discusses basic requirements for IPv6 customer edge routers. The comments given here are limited to security only.

The security considerations section begins with a paragraph stating that basic stateless egress and ingress filters should be supported (lowercase "should"), and goes on to say that the CE router should offer mechanisms to filter traffic entering the customer network, but that how these are implemented is out of scope (lowercase "should"). Then, it has the following statements:

   Security requirements:

   S-1:  The IPv6 CE router SHOULD support
         [I-D.ietf-v6ops-cpe-simple-security].

   S-2:  The IPv6 CE router MUST support ingress filtering in accordance
         with [RFC2827] (BCP 38)

When I first read this, I thought the statements in the first paragraph were somewhat weak and imprecise, as they don't use RFC2119 language. When I read draft-ietf-v6ops-cpe-simple-security-12.txt, I thought that document gives a relatively thorough treatment of security considerations, but I'm not sure what it means to say "The IPv6 CE router SHOULD support" it. 

What does this mean? Since the referenced ID only makes recommendations (and explicitly states the RFC2119 language is not binding), what does it mean to "support" it? Must a device implement all recommendations? Must it implement only certain ones?

I think it makes sense to reference the simple security document rather than re-writing significant sections of it here, but I also think that this statement of security requirements should be considerably more precise.

--Scott