[secdir] Secdir review of draft-iana-rfc3330bis-06

Paul Hoffman <paul.hoffman@vpnc.org> Mon, 30 March 2009 16:27 UTC

Message-Id: <p0624082ec5f6a14f36f4@[10.20.30.158]>
Date: Mon, 30 Mar 2009 09:28:14 -0700
To: secdir@ietf.org
From: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: leo.vegoda@icann.org, michelle.cotton@icann.org
Subject: [secdir] Secdir review of draft-iana-rfc3330bis-06

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This is essentially a security-free document. Having said that, the one paragraph in the Security Considerations section could use a bit of clarification. It says:

   The particular assigned values of special-use IPv4 addresses
   cataloged in this document do not directly raise security issues.
   However, the Internet does not inherently protect against abuse of
   these addresses; if you expect (for instance) that all packets from
   the 10.0.0.0/8 block originate within your subnet, all border routers
   should filter such packets that originate from elsewhere.  Attacks
   have been mounted that depend on the unexpected use of some of these
   addresses.

I think that "all packets from the 10.0.0.0/8 block" should be "all packets from a private address space such as the 10.0.0.0/8 block or the link local block 169.254.0.0/16".

Also, I believe that "all border routers should filter such packets that originate from elsewhere" should be "all routers at the border of your network should filter such packets that originate from outside your network".

Please also note the messages on ietf-general from this past weekend; having another example block would help many IETF documents.

--Paul Hoffman, Director
--VPN Consortium
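The ingress filter the review asks the Security Considerations text to describe more precisely, worked through as an added example (this code is not part of the email, the draft, or any IANA or IETF product). It models a router at the border of a hypothetical network whose own address space is the documentation block 192.0.2.0/24 (standing in for a real assignment) plus 10.0.0.0/8 internally; the choice of special-use blocks and the network layout are assumptions made for the example. The rule it implements is the one the reviewer spells out: a packet that arrives from outside the network but carries a source address in a private, link-local or other special-use block, or in the network's own prefixes, is dropped.

```python
import ipaddress
from typing import List, Optional, Tuple

# Special-use IPv4 blocks, taken from the RFC 3330 family, that can never be a
# legitimate source for a packet arriving from outside a network. This selection
# is an assumption for the example; the draft catalogues more blocks than these.
SPECIAL_USE_BLOCKS: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.IPv4Network("0.0.0.0/8"), '"this" network'),
    (ipaddress.IPv4Network("10.0.0.0/8"), "private use (RFC 1918)"),
    (ipaddress.IPv4Network("127.0.0.0/8"), "loopback"),
    (ipaddress.IPv4Network("169.254.0.0/16"), "link local"),
    (ipaddress.IPv4Network("172.16.0.0/12"), "private use (RFC 1918)"),
    (ipaddress.IPv4Network("192.168.0.0/16"), "private use (RFC 1918)"),
]

# Hypothetical operator network (constructed for the example): the prefix
# assigned to "our" side of the border, plus the private space used internally.
# 192.0.2.0/24 is the TEST-NET documentation block, standing in for a real one.
OUR_PREFIXES: List[ipaddress.IPv4Network] = [
    ipaddress.IPv4Network("192.0.2.0/24"),
    ipaddress.IPv4Network("10.0.0.0/8"),
]


def special_use_label(addr: ipaddress.IPv4Address) -> Optional[str]:
    """Return the label of the special-use block containing addr, or None."""
    for net, label in SPECIAL_USE_BLOCKS:
        if addr in net:
            return label
    return None


def ingress_decision(src: str, arrived_from_outside: bool) -> Tuple[str, str]:
    """Decide what the border router does with a packet from source `src`.

    Only packets arriving on an outside-facing interface are subject to this
    check; traffic from inside is left to a separate egress policy.
    Returns (action, reason) where action is "drop" or "forward".
    """
    addr = ipaddress.IPv4Address(src)
    if not arrived_from_outside:
        return ("forward", "internal interface, egress policy applies instead")
    label = special_use_label(addr)
    if label is not None:
        # Nobody outside our network can legitimately originate these.
        return ("drop", f"source in special-use block ({label})")
    if any(addr in net for net in OUR_PREFIXES):
        # A packet claiming our own address space cannot come from elsewhere.
        return ("drop", "source claims our own address space")
    return ("forward", "ordinary external source")


def filter_packets(packets: List[Tuple[str, bool]]) -> List[Tuple[str, str, str]]:
    """Apply ingress_decision to (src, arrived_from_outside) pairs."""
    return [(src, *ingress_decision(src, outside)) for src, outside in packets]


# Constructed sample traffic as seen by the border router.
SAMPLE_PACKETS: List[Tuple[str, bool]] = [
    ("10.1.2.3", True),          # private source from outside: spoofed
    ("169.254.10.20", True),     # link local must never cross a router
    ("192.0.2.77", True),        # our own public prefix arriving from outside
    ("172.31.255.254", True),    # last address inside 172.16.0.0/12
    ("172.32.0.1", True),        # just past the /12 boundary: legitimate
    ("10.9.9.9", False),         # internal host talking outward: not our job here
]

if __name__ == "__main__":
    for src, action, reason in filter_packets(SAMPLE_PACKETS):
        print(f"{src:<16} {action:<8} {reason}")
```

The 172.16.0.0/12 pair is included deliberately: the /12 ends at 172.31.255.255, and a filter written as "172.16.x.x through 172.31.x.x" by hand is a common place for off-by-one mistakes that the prefix-based check avoids.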