
Last Call Review of draft-ietf-v6ops-siit-eam-01
review-ietf-v6ops-siit-eam-01-secdir-lc-hallam-baker-2015-10-01-00

Request Review of draft-ietf-v6ops-siit-eam
Requested revision No specific revision (document currently at 03)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2015-09-22
Requested 2015-09-10
Authors Tore Anderson, Alberto Leiva
I-D last updated 2015-10-01
Completed reviews Genart Last Call review of -01 by Dan Romascanu
Genart Telechat review of -01 by Dan Romascanu
Secdir Last Call review of -01 by Phillip Hallam-Baker
Opsdir Last Call review of -01 by Ron Bonica
Assignment Reviewer Phillip Hallam-Baker
State Completed
Request Last Call review on draft-ietf-v6ops-siit-eam by Security Area Directorate Assigned
Reviewed revision 01 (document currently at 03)
Result Has issues
Completed 2015-10-01
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

The draft is essentially describing an extension to the IPv4/6 mapping
mechanism to allow a mixture of mappings determined by fixed function and
mappings determined by an address table.

7.  Security Considerations

   The EAM algorithm does not introduce any new security issues beyond
   those that are already discussed in Section 7 of [RFC6145].

Which points to:

7.  Security Considerations

   The use of stateless IP/ICMP translators does not introduce any new
   security issues beyond the security issues that are already present
   in the IPv4 and IPv6 protocols and in the routing protocols that are
   used to make the packets reach the translator.

Both statements are incorrect.

If we were to write out a modern Internet architecture we would no doubt decide
that addresses have no significance above the transport layer and should not be
visible to applications. But that isn't the Internet architecture we have today.

Further, most Internet services make use of IP addresses for various types of
abuse mitigation. This is something that these mapping functions will have a
significant impact on.

Adding an address table capability provides even more potential to play various
types of application layer routing games.

This needs a comprehensive analysis.
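The following is an added illustration of the reviewer's point; it is not code from the draft, from its authors, or from the reviewer. It models a stateless translator that consults an Explicit Address Mapping (EAM) table first and falls back to the algorithmic RFC 6052 embedding, then shows what an IPv4-only service keying its abuse controls on the source address actually sees. Assumptions that are mine rather than the draft's: the table pairs IPv4 and IPv6 prefixes of equal suffix width, the longest matching prefix wins, the well-known 64:ff9b::/96 prefix is the fallback, and all addresses and tables are constructed sample data.

```python
"""Toy SIIT translator with an EAM table plus RFC 6052 /96 fallback.

Added example, not the draft's reference algorithm. Prefix pairs, the
longest-match rule and the sample tables below are assumptions of this
illustration and use documentation address ranges only.
"""
import ipaddress
from collections import Counter

# RFC 6052 well-known prefix used when no EAM entry matches.
NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")

# Constructed EAM tables: (IPv4 prefix, IPv6 prefix) with equal suffix widths.
# TABLE_A and TABLE_B differ only in which IPv4 block 2001:db8:1::/120 maps to.
TABLE_A = [
    (ipaddress.ip_network("192.0.2.1/32"), ipaddress.ip_network("2001:db8::1/128")),
    (ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("2001:db8:1::/120")),
]
TABLE_B = [
    (ipaddress.ip_network("192.0.2.1/32"), ipaddress.ip_network("2001:db8::1/128")),
    (ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("2001:db8:1::/120")),
]


def v4_to_v6(v4, table):
    """Translate an IPv4 address: longest matching EAM entry, else RFC 6052 embedding."""
    v4 = ipaddress.IPv4Address(v4)
    matches = [(n4, n6) for n4, n6 in table if v4 in n4]
    if matches:
        n4, n6 = max(matches, key=lambda e: e[0].prefixlen)
        suffix = int(v4) - int(n4.network_address)  # host bits carried over
        return ipaddress.IPv6Address(int(n6.network_address) + suffix)
    return ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) + int(v4))


def v6_to_v4(v6, table):
    """Translate an IPv6 address: longest matching EAM entry, else strip the /96 prefix."""
    v6 = ipaddress.IPv6Address(v6)
    matches = [(n4, n6) for n4, n6 in table if v6 in n6]
    if matches:
        n4, n6 = max(matches, key=lambda e: e[1].prefixlen)
        suffix = int(v6) - int(n6.network_address)
        return ipaddress.IPv4Address(int(n4.network_address) + suffix)
    if v6 in NAT64_PREFIX:
        return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)
    raise ValueError(f"{v6} matches neither the EAM table nor {NAT64_PREFIX}")


def ipv4_service_view(v6_sources, table):
    """Return the per-source request counts an IPv4-only service would key on.

    The service never sees the IPv6 originator; it sees whatever the EAM table
    in force mapped that originator to, so any rate limit, block list or
    reputation entry is attached to the translated address, not the host.
    """
    return Counter(str(v6_to_v4(src, table)) for src in v6_sources)


# Constructed traffic sample: three requests from one IPv6 host, one from another.
SAMPLE_SOURCES = ["2001:db8:1::5", "2001:db8:1::5", "2001:db8:1::5", "2001:db8:1::6"]

if __name__ == "__main__":
    print("round trip:", v4_to_v6("192.0.2.1", TABLE_A), "->", v6_to_v4(v4_to_v6("192.0.2.1", TABLE_A), TABLE_A))
    print("fallback  :", v6_to_v4("64:ff9b::c000:201", []))
    # Same originators, different table: the service's per-address view changes.
    print("table A   :", dict(ipv4_service_view(SAMPLE_SOURCES, TABLE_A)))
    print("table B   :", dict(ipv4_service_view(SAMPLE_SOURCES, TABLE_B)))
```

Running it shows the same IPv6 host counted as 198.51.100.5 under one table and 203.0.113.5 under the other, which is the practical form of the reviewer's objection: an address-keyed reputation or block entry stops following the host as soon as the mapping changes. A translator deployment should therefore log the pre-translation source alongside the mapped address, and the draft's security considerations should say so.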