Last Call Review of draft-ietf-6man-text-addr-representation-

Request: Review of draft-ietf-6man-text-addr-representation
Requested rev.: no specific revision (document currently at 07)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2010-02-02
Requested: 2010-01-21
Draft last updated: 2010-01-31
Completed reviews: Secdir Last Call review of -?? by Taylor Yu
Assignment: Reviewer Taylor Yu
State: Completed
Review: review-ietf-6man-text-addr-representation-secdir-lc-yu-2010-01-31
Review completed: 2010-01-31


This draft indicates that it has no security considerations.  I think
that conflicts with Section 3.2.5, which gives an example of
inappropriate (textual) verification of IPv6 addresses in an X.509
certificate.  Although (in my understanding) IPv6 addresses in X.509
certificates are in binary form and probably should be compared as
such, if the authors feel the need to explicitly call out an example
of inappropriate textual verification of addresses, which could have
security consequences if the address values in question are used for
access control.

The text in Section 3.3.3 about network abuse reporting would also
appear to have some operational (but probably not protocol) security
consequences, especially if a network operator would need to respond
rapidly to an ongoing attack.


In Section 3.3.2, I believe the claim that IPv4 addresses cannot be
abbreviated is false.  Historically, BSD implementations of textual
IPv4 address parsing have accepted a number of variant abbreviated
notations.  I think they have generally output canonical dotted-quad
IPv4 addresses though.
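
The two points raised in the review above, as an added example that is not part of the review or of the draft: comparing IPv6 addresses as text versus as parsed binary values for an access decision, and the abbreviated IPv4 notations that classic inet_aton() parsing accepts. The sample addresses are constructed, and the function names (textual_match, binary_match, classic_inet_aton) are hypothetical helpers written for this illustration.

```python
import ipaddress
import re

# Constructed sample: one IPv6 address in several valid textual forms.
ALLOWED = "2001:db8::1"
V6_VARIANTS = ["2001:db8::1", "2001:DB8::1", "2001:db8:0:0:0:0:0:1",
               "2001:0db8:0000:0000:0000:0000:0000:0001", "2001:db8::0:1"]

def textual_match(candidate, allowed=ALLOWED):
    """Naive access check: compares the strings exactly as written."""
    return candidate == allowed

def binary_match(candidate, allowed=ALLOWED):
    """Compare the parsed 16-byte values instead of the text."""
    try:
        return (ipaddress.IPv6Address(candidate).packed
                == ipaddress.IPv6Address(allowed).packed)
    except ValueError:
        return False  # unparseable input never matches

def classic_inet_aton(text):
    """Hypothetical helper re-implementing the classic inet_aton() rules:
    1 to 4 parts, each decimal, octal (leading 0) or hex (0x); the last
    part fills all remaining low-order bytes. Returns dotted-quad text."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("wrong number of parts")
    nums = []
    for p in parts:
        if not re.fullmatch(r"0[xX][0-9a-fA-F]+|[0-9]+", p):
            raise ValueError("bad part: %r" % p)
        base = 16 if p[:2].lower() == "0x" else 8 if p[0] == "0" and len(p) > 1 else 10
        nums.append(int(p, base))
    *head, last = nums
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        raise ValueError("part out of range")
    value = last
    for i, n in enumerate(head):
        value |= n << (24 - 8 * i)  # leading parts are the high-order bytes
    return str(ipaddress.IPv4Address(value))

if __name__ == "__main__":
    for v in V6_VARIANTS:
        print(f"{v:42} textual={textual_match(v)!s:5} binary={binary_match(v)}")
    for v in ["127.0.0.1", "127.1", "0x7f.1", "0177.0.0.1", "2130706433"]:
        print(f"{v:12} -> {classic_inet_aton(v)}")
```

Only the first IPv6 variant passes the textual check, while all five pass the binary one; every IPv4 variant shown parses to the same address and is printed back as a dotted quad.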