Telechat Review of draft-ietf-v6ops-tunnel-loops-
review-ietf-v6ops-tunnel-loops-secdir-telechat-yu-2011-01-04-00

Request: Review of draft-ietf-v6ops-tunnel-loops
Requested rev.: no specific revision (document currently at 07)
Type: Telechat Review
Team: Security Area Directorate (secdir)
Deadline: 2011-01-04
Requested: 2011-01-04
Authors: Gabi Nakibly, Fred Templin
Draft last updated: 2011-01-04
Completed reviews: Secdir Telechat review of -?? by Taylor Yu
Assignment: Reviewer Taylor Yu
State: Completed
Review: review-ietf-v6ops-tunnel-loops-secdir-telechat-yu-2011-01-04
Review completed: 2011-01-04

Review
review-ietf-v6ops-tunnel-loops-secdir-telechat-yu-2011-01-04

This document describes routing loop vulnerabilities inherent in the
existing design of IPv6-in-IPv4 tunneling protocols, and suggests
mitigation strategies.

While the Security Considerations section of this document claims that
the recommended checks do not introduce new security threats, Section
3.1 mentions that the additional processing overhead for checking
destination and source addresses may be considerable.  It would be
useful to have measurements or estimates of how this additional
processing overhead compares to the effects of the routing loop attack
that it is intended to mitigate.

This document makes no mention of the Teredo attacks that are
discussed in the USENIX WOOT paper.  The authors may wish to mention
draft-gont-6man-teredo-loops-00 for the sake of completeness.

Editorial:

Section 3 lists three categories of mitigation measures but the
accompanying text states that they fall under two categories.

In Section 3.1, in the sentence "However, this approach has some
inherit limitations", replace "inherit" with "inherent".

In Section 4, in the sentence "...other mitigation measures may be
allowed is specific deployment scenarios", replace "may be allowed is"
with "may be feasible in".