Last Call Review of draft-ietf-v6ops-incremental-cgn-
review-ietf-v6ops-incremental-cgn-secdir-lc-kivinen-2010-12-03-00

Request
Review of: draft-ietf-v6ops-incremental-cgn
Requested rev.: no specific revision (document currently at 03)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2010-12-14
Requested: 2010-11-30
Draft last updated: 2010-12-03
Completed reviews: Secdir Last Call review of -?? by Tero Kivinen; Tsvdir Early review of -?? by Yoshifumi Nishida

Assignment
Reviewer: Tero Kivinen
State: Completed
Review: review-ietf-v6ops-incremental-cgn-secdir-lc-kivinen-2010-12-03
Review completed: 2010-12-03

Review

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This document describes how to use Carrier Grade NAT with IPv6 over
IPv4 tunneling feature to provide incremental Carrier Grade NAT
approach. It seems to mostly describe overall architecture, leaving
specific protocols out (or listing multiple protocols). As such this
is not really anything that can be implemented, but might provide
information when someone selects the suitable protocols for different
pieces, and what kind of features to include in different devices.

The security consideration section refers to RFC2663 and RFC2993 for
NAT security issues. The tunnel security issues are considered
relatively simple as the tunnel is entirely within a single ISP
network. 

One nit:

In section 2:

                                    ISPs facing only one pressure out of 
   two could adopt either CGN (for shortage of IPv6 addresses) or 6rd 
   (to provide IPv6 connectivity services). 

I do not think there is shortage of IPv6 addresses... I assume it is
meaning shortage of IPv4 addresses.
-- 
kivinen at iki.fi