[secdir] secdir review of draft-ietf-v6ops-enterprise-incremental-ipv6-05.txt
Steve Hanna <steve@hannas.com> Mon, 09 June 2014 17:02 UTC
Message-ID: <5395E891.7090505@hannas.com>
Date: Mon, 09 Jun 2014 13:02:09 -0400
From: Steve Hanna <steve@hannas.com>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-v6ops-enterprise-incremental-ipv6.all@tools.ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/UzI2Uzmz83BKBiVHCNCq-Rf_ri4
Subject: [secdir] secdir review of draft-ietf-v6ops-enterprise-incremental-ipv6-05.txt
List-Id: Security Area Directorate <secdir.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document provides advice for enterprise administrators working on deploying IPv6 in their networks. I don't have much experience in this area (deploying IPv6 on an enterprise network) and I'm not even an IPv6 security expert but... I found the document easy to understand, thorough, and apparently based on real experiences. I was happy to see that security issues were thoroughly covered throughout and that simple, practical recommendations were given. I did find a few tiny typos and possible clarifications that are listed at the end of this email.

In my view, this document is Ready with nits. The nits are tiny so they can be handled in AUTH48 or whenever the next draft is posted.

Thanks,

Steve

-----------

Small Typos in draft-ietf-v6ops-enterprise-incremental-ipv6-05.txt

* At the bottom of page 12, there is an extra close parenthesis after the word "implemented".

* On page 17, "outside worlds" should be "outside world".

* On page 20, at the end of section 3.5, "included both" should be "including both". At least, I think so. It's not quite clear what this parenthetical comment means. If it means that use of NPTv6 can be chosen independently of whether PA or PI addresses are used, this text might be better:

  Use of NPTv6 can be chosen independently from how addresses are assigned and routed within the internal network, how prefixes are routed towards the Internet, or whether PA or PI addresses are used.