Telechat Review of draft-krishnan-v6ops-teredo-update-
|Requested rev.||no specific revision (document currently at 10)|
|Team||Security Area Directorate (secdir)|
|Draft last updated||2010-06-03|
Secdir Early review of -?? by Taylor Yu
Secdir Telechat review of -?? by Taylor Yu
This is a re-review of draft-krishnan-v6ops-teredo-update-07, which I previously reviewed in its -03 version. Most of my concerns from the previous review have been adequately addressed. I concur with the ballot comment by Russ Housley about quantifying the resistance of this randomization scheme to address scanning in relation to the general IPv6 address scanning risk. For example, if the attacker knows the Teredo server's IPv4 address and client's external IPv4 address but the client's Teredo UDP port number, the effective search space after the flag randomization is 28 bits. Effective address search spaces for similar scenarios can be computed easily. Explicitly comparing the values in section 2.3 of RFC 5157 with the search space sizes resulting from implementing the technique in this update may be helpful to the reader.