Telechat Review of draft-krishnan-v6ops-teredo-update-
review-krishnan-v6ops-teredo-update-secdir-telechat-yu-2010-06-03-00
Request | Review of draft-krishnan-v6ops-teredo-update
---|---
Requested revision | No specific revision (document currently at 10)
Type | Telechat Review
Team | Security Area Directorate (secdir)
Deadline | 2010-06-01
Requested | 2010-04-27
Authors | James Hoagland, Suresh Krishnan, Dave Thaler
I-D last updated | 2010-06-03
Completed reviews | Secdir Early review of -?? by Taylor Yu; Secdir Telechat review of -?? by Taylor Yu
Assignment | Reviewer: Taylor Yu
State | Completed
Review | review-krishnan-v6ops-teredo-update-secdir-telechat-yu-2010-06-03
Completed | 2010-06-03
This is a re-review of draft-krishnan-v6ops-teredo-update-07, which I previously reviewed in its -03 version. Most of my concerns from the previous review have been adequately addressed. I concur with the ballot comment by Russ Housley about quantifying the resistance of this randomization scheme to address scanning in relation to the general IPv6 address scanning risk. For example, if the attacker knows the Teredo server's IPv4 address and the client's external IPv4 address but not the client's Teredo UDP port number, the effective search space after the flag randomization is 28 bits. Effective address search spaces for similar scenarios can be computed easily. Explicitly comparing the values in section 2.3 of RFC 5157 with the search space sizes resulting from implementing the technique in this update may be helpful to the reader.
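The search-space arithmetic the review asks for, worked through as an added example (this is not the reviewer's text, nor code from the draft). It assembles and parses Teredo addresses using the RFC 4380 field layout (32-bit prefix 2001:0000::/32, server IPv4, 16-bit flags, obfuscated client port, obfuscated client IPv4) and then counts the bits an attacker must enumerate for a given set of known fields. Two numbers are assumptions: the 12 randomized flag bits are inferred from the review's own arithmetic (28 - 16 = 12), and the pre-update flags field is treated as carrying 1 unpredictable bit (the cone bit); the well-known example address from RFC 4380 is used as constructed sample input.

```python
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001:0000::/32")

# Field widths (bits) following the 32-bit Teredo prefix, RFC 4380 Section 4.
FIELD_BITS = {
    "server_ipv4": 32,
    "flags": 16,
    "client_port": 16,
    "client_ipv4": 32,
}

# Assumption: the update randomizes 12 of the 16 flag bits (the review's
# 28-bit figure minus the 16-bit port). Under RFC 4380 only the cone bit
# varied, so we count 1 unpredictable flag bit for the pre-update case.
RANDOM_FLAG_BITS = 12
LEGACY_FLAG_BITS = 1


def build_teredo_address(server_ipv4, client_ipv4, client_port, flags):
    """Assemble a Teredo IPv6 address from its components (RFC 4380 Section 4)."""
    srv = int(ipaddress.IPv4Address(server_ipv4))
    cli = int(ipaddress.IPv4Address(client_ipv4)) ^ 0xFFFFFFFF  # obfuscated
    port = client_port ^ 0xFFFF                                # obfuscated
    value = (int(TEREDO_PREFIX.network_address)
             | (srv << 64) | ((flags & 0xFFFF) << 48) | (port << 32) | cli)
    return ipaddress.IPv6Address(value)


def parse_teredo_address(addr):
    """Split a Teredo address back into server IPv4, flags, port and client IPv4."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        raise ValueError(f"{a} is not a Teredo address")
    v = int(a)
    return {
        "server_ipv4": str(ipaddress.IPv4Address((v >> 64) & 0xFFFFFFFF)),
        "flags": (v >> 48) & 0xFFFF,
        "client_port": ((v >> 32) & 0xFFFF) ^ 0xFFFF,
        "client_ipv4": str(ipaddress.IPv4Address((v & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


def search_space_bits(known_fields, randomized_flags=True):
    """Bits an attacker must brute-force given the fields it already knows.

    known_fields: set of names from FIELD_BITS the attacker has learned
    (e.g. from a DNS record, a leaked log, or a previous connection).
    """
    bits = 0
    for field, width in FIELD_BITS.items():
        if field in known_fields:
            continue
        if field == "flags":
            bits += RANDOM_FLAG_BITS if randomized_flags else LEGACY_FLAG_BITS
        else:
            bits += width
    return bits


# Constructed attacker-knowledge scenarios for comparison with RFC 5157.
SCENARIOS = {
    "server IPv4 + client IPv4 known, port unknown": {"server_ipv4", "client_ipv4"},
    "server IPv4 + client IPv4 + port known": {"server_ipv4", "client_ipv4", "client_port"},
    "only server IPv4 known": {"server_ipv4"},
    "nothing beyond the prefix known": set(),
}


def scenario_table():
    """Map scenario name -> (bits before the update, bits after the update)."""
    return {name: (search_space_bits(known, randomized_flags=False),
                   search_space_bits(known, randomized_flags=True))
            for name, known in SCENARIOS.items()}


if __name__ == "__main__":
    # RFC 4380's example: server 65.54.227.120, client 192.0.2.45:40000, cone bit set.
    addr = build_teredo_address("65.54.227.120", "192.0.2.45", 40000, 0x8000)
    print(addr, parse_teredo_address(addr))
    for name, (before, after) in scenario_table().items():
        print(f"{name}: 2^{before} -> 2^{after}")
```

The 28-bit case in the review corresponds to the first scenario: the attacker still has to guess the 16-bit port and the 12 randomized flag bits. Knowing the port as well leaves only the 12 random bits, which is the figure worth setting against the per-subnet estimates in RFC 5157.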