Telechat Review of draft-ietf-v6ops-transition-ipv4aas-12
review-ietf-v6ops-transition-ipv4aas-12-secdir-telechat-huitema-2019-01-06-00

Request Review of draft-ietf-v6ops-transition-ipv4aas
Requested rev. no specific revision (document currently at 15)
Type Telechat Review
Team Security Area Directorate (secdir)
Deadline 2019-01-08
Requested 2019-01-02
Draft last updated 2019-01-06
Completed reviews Tsvart Last Call review of -11 by Martin Stiemerling (diff)
Opsdir Last Call review of -11 by Dan Romascanu (diff)
Rtgdir Last Call review of -11 by Daniele Ceccarelli (diff)
Genart Last Call review of -12 by Matthew Miller (diff)
Secdir Last Call review of -11 by Christian Huitema (diff)
Secdir Telechat review of -12 by Christian Huitema (diff)
Assignment Reviewer Christian Huitema
State Completed
Review review-ietf-v6ops-transition-ipv4aas-12-secdir-telechat-huitema-2019-01-06
Reviewed rev. 12 (document currently at 15)
Review result Ready
Review completed: 2019-01-06

Review
review-ietf-v6ops-transition-ipv4aas-12-secdir-telechat-huitema-2019-01-06

I already reviewed the version 11 of this draft. From a security point of view, the main change between the two versions is the addition of a paragraph acknowledging the potential risks of relying on DHCP for configuration. To quote: "As described in [RFC8026] and [RFC8026] Security Consideration sections, there are generic DHCP security issues, which in the case of this document means that malicious nodes may alter the priority of the transition mechanisms."

Well, on the one hand, this does directly address the point I raised in the previous review. On the other hand, it is a bit sad to have a dry acknowledgement like that, without any hint at mitigations. If I was writing an April's fool RFC, I would qualify that as one of those security sections that seem written primarily for appeasing the security reviewer. But then, do we want to give some advice to implementers? For example, do we want to tell them that it is OK to deploy compliant devices in a basic home network? Probably. In the branch office of a financial institution? Most probably not. Do we have a way to convey that in simple terms? I would add something like:

"As stated in the introduction, this document addresses deployment of IPv4 as a service in a residential or small-office network. Deployment in more challenging environments would require additional security analysis."