Telechat Review of draft-ietf-v6ops-tunnel-loops-
review-ietf-v6ops-tunnel-loops-secdir-telechat-yu-2011-01-04-00
Request | Review of draft-ietf-v6ops-tunnel-loops
---|---
Requested revision | No specific revision (document currently at 07)
Type | Telechat Review
Team | Security Area Directorate (secdir)
Deadline | 2011-01-04
Requested | 2011-01-04
Authors | Gabi Nakibly, Fred Templin
I-D last updated | 2011-01-04
Completed reviews | Secdir Telechat review of -?? by Taylor Yu
Assignment | Reviewer: Taylor Yu
State | Completed
Request | Telechat review on draft-ietf-v6ops-tunnel-loops by Security Area Directorate Assigned
Completed | 2011-01-04
This document describes routing loop vulnerabilities inherent in the existing design of IPv6-in-IPv4 tunneling protocols, and suggests mitigation strategies.

While the Security Considerations section of this document claims that the recommended checks do not introduce new security threats, Section 3.1 mentions that the additional processing overhead for checking destination and source addresses may be considerable. It would be useful to have measurements or estimates of how this additional processing overhead compares to the effects of the routing loop attack that it is intended to mitigate.

This document makes no mention of the Teredo attacks that are discussed in the USENIX WOOT paper. The authors may wish to mention draft-gont-6man-teredo-loops-00 for the sake of completeness.

Editorial:

- Section 3 lists three categories of mitigation measures, but the accompanying text states that they fall under two categories.
- In Section 3.1, in the sentence "However, this approach has some inherit limitations", replace "inherit" with "inherent".
- In Section 4, in the sentence "...other mitigation measures may be allowed is specific deployment scenarios", replace "may be allowed is" with "may be feasible in".