[secdir] secdir review of draft-vinapamula-softwire-dslite-prefix-binding-07
"Dan Harkins" <dharkins@lounge.org> Fri, 07 August 2015 16:13 UTC
Hello,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This draft proposes several recommendations to handle the case where a Basic Bridging Broadband element in a DS-Lite deployment gets a new IPv6 address. Such a change can have problems associated with address-specific policy enforcement, subscriber resource tracking, as well as loss of packets going to the previous address and the recommendations are designed to minimize and mitigate those problems.

The main part of the solution is the introduction of a "Subscriber Mask" that allows a subscriber's CPE to be unambiguously identified when the mask is applied to a source IPv6 address. This identification allows for enforcement of per-subscriber policies even in the event of an address change.

The Security Considerations are sparse but address a potential DOS issue with a misbehaving user attempting to obtain additional resources by changing the address on its Basic Bridging Broadband element which seems to be the big issue here. All the other Security Considerations of DS-Lite apply and it refers to RFC 6333.

I consider the document Ready.

regards,

Dan.
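
The following is an added illustration, not part of the original message or of the draft: it shows why keying per-subscriber state on a masked prefix rather than on the full source address closes the resource-exhaustion issue the review mentions. The 56-bit mask length, the quota of 4, the `QuotaTable` helper and the 2001:db8::/32 documentation addresses are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

SUBSCRIBER_MASK = 56  # assumed mask length in bits; set per deployment
QUOTA = 4             # constructed per-subscriber resource limit


def subscriber_key(src, mask_len=SUBSCRIBER_MASK):
    """Apply the mask to a source IPv6 address and return the masked prefix."""
    # strict=False zeroes the bits beyond mask_len instead of raising.
    return ipaddress.IPv6Network(f"{src}/{mask_len}", strict=False)


class QuotaTable:
    """Counts resource units per masked prefix (hypothetical helper)."""

    def __init__(self, mask_len=SUBSCRIBER_MASK, quota=QUOTA):
        self.mask_len = mask_len
        self.quota = quota
        self.used = defaultdict(int)

    def allocate(self, src):
        """Grant one unit unless the subscriber's quota is exhausted."""
        key = subscriber_key(src, self.mask_len)
        if self.used[key] >= self.quota:
            return False
        self.used[key] += 1
        return True


def granted(sources, mask_len):
    """Number of requests granted when state is keyed at mask_len bits."""
    table = QuotaTable(mask_len=mask_len)
    return sum(table.allocate(s) for s in sources)


# Constructed traffic: one CPE cycling through addresses inside its own /56,
# making two requests from each address.
ROTATING = [f"2001:db8:0:1{i:02x}::1" for i in range(8) for _ in range(2)]

if __name__ == "__main__":
    print("keyed on full address:", granted(ROTATING, 128))
    print("keyed on masked prefix:", granted(ROTATING, SUBSCRIBER_MASK))
```

Keyed on the full /128 address, every address change starts a fresh quota; keyed on the masked prefix, the same CPE is capped no matter which address it sources from.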