Last Call Review of draft-ietf-softwire-4rd-08
review-ietf-softwire-4rd-08-secdir-lc-atkins-2014-10-09-00

Request Review of draft-ietf-softwire-4rd
Requested rev. no specific revision (document currently at 10)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2014-10-10
Requested 2014-10-06
Draft last updated 2014-10-09
Completed reviews Genart Last Call review of -08 by Christer Holmberg (diff)
Genart Last Call review of -09 by Christer Holmberg (diff)
Secdir Last Call review of -08 by Derek Atkins (diff)
Assignment Reviewer Derek Atkins
State Completed
Review review-ietf-softwire-4rd-08-secdir-lc-atkins-2014-10-09
Reviewed rev. 08 (document currently at 10)
Review result Has Issues
Review completed: 2014-10-09

Review
review-ietf-softwire-4rd-08-secdir-lc-atkins-2014-10-09

Hi,

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

I see no major technical issues with this document, although I do have
one question:  In the Security Considerations section under Spoofing
attacks you talk about ingress filtering and address consistency, but
couldn't one could theoretically spoof ICMP messages by injecting
messages with the "reserved IPv4 dummy address" specified in section
4.8?  Moreover, the whole security of the system depends on everyone
in the network behaving properly.  Is that something we can really
assume to be true?

I also have one editorial comment:

In Section 3, on page 7 you say:

   For IPv4 anti-spoofing protection to extend to IPv4, ingress
   filtering has to be effective in IPv6 (Section 4.4 and Section 5).

I suspect this should read "For IPv6 anti-spoofing protection to
extend to IPv4,...".  Or maybe the other way around?  I'm not sure
what you mean here; the current phrasing is confusing.

Thanks,

-derek
-- 
       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant