secid review of draft-ietf-ipv6-deprecate-rh0-01

Hi,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

-
The purpose of draft-ietf-ipv6-deprecate-rh0-01 is to deprecate a
feature of IPv6 which has been shown to have undesirable security
implications.  In particular, RH0 provides a mechanism for traffic
amplification, which might be used as a denial-of-service attack.

As such, the whole document is a security consideration. The
vulnerability appears well-documented, and the guidelines for handling
the deprecated RH0 are clear.

I have a few comments:
1) RH0 really is something we do not want to see used, right? Should
this RH be obsoleted rather than deprecated?
2) Per BCP61, MUST is for implementers, and SHOULD is for
users/deployers. There is a MUST NOT in section 4.2 that is a
deployment decision, so this should be a SHOULD NOT. At the same time,
there is a "must" in section 4.2 that is an implementation
requirement, so this should be a MUST.
3) Section three uses "must" where MUST would seem appropriate.


David Harrington
dbharrington@xxxxxxxxxxx
ietfdbh@xxxxxxxxxxx
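
The amplification the review refers to comes from the way RFC 2460
Section 4.4 processes a Type 0 Routing Header: each listed node swaps
the destination address with the next entry in the address list and
forwards the packet again, so a list that alternates between two
routers drags one packet across the same link many times. The code
below is an added example for this archive page (it is not part of
David Harrington's message or of the draft): it builds an RH0 on the
RFC 2460 wire format, replays the forwarding algorithm to count link
crossings, and encodes the handling the deprecation prescribes, which
is the RFC 2460 rule for an unrecognised Routing Type (Segments Left
zero: ignore the header; non-zero: discard and send ICMP Parameter
Problem, Code 0). All addresses are constructed from the 2001:db8::/32
documentation prefix.

```python
"""Type 0 Routing Header (RH0): build, replay RFC 2460 s4.4 forwarding, apply
the deprecated-RH0 handling rule. Added example, not from the draft or the review."""
import struct
from ipaddress import IPv6Address

IPPROTO_NONE = 59   # "No Next Header": terminates the extension header chain
RH_TYPE0 = 0        # Routing Type 0, the header being deprecated


def build_rh0(next_header, addresses, segments_left=None):
    """Return RH0 bytes: Next Header, Hdr Ext Len, Routing Type, Segments Left,
    Reserved(32), then the 16-byte addresses. Hdr Ext Len counts 8-octet units
    after the first 8 octets, so it is 2 per address and caps the list at 127."""
    n = len(addresses)
    if not 1 <= n <= 127:
        raise ValueError("RH0 carries 1..127 addresses")
    if segments_left is None:
        segments_left = n          # sender normally sets it to the list length
    fixed = struct.pack("!BBBBI", next_header, 2 * n, RH_TYPE0, segments_left, 0)
    return fixed + b"".join(IPv6Address(a).packed for a in addresses)


def parse_rh0(data):
    """Parse RH0 bytes into (next_header, segments_left, [addresses])."""
    if len(data) < 8:
        raise ValueError("truncated routing header")
    next_header, ext_len, rtype, seg_left = struct.unpack("!BBBB", data[:4])
    if rtype != RH_TYPE0:
        raise ValueError("not a Type 0 Routing Header")
    if ext_len % 2:
        raise ValueError("RH0 Hdr Ext Len must be even")
    n = ext_len // 2
    body = data[8:8 + 16 * n]
    if len(body) != 16 * n:
        raise ValueError("truncated address list")
    addrs = [str(IPv6Address(body[16 * i:16 * (i + 1)])) for i in range(n)]
    return next_header, seg_left, addrs


def rh0_hop_sequence(dest, rh0):
    """Replay the RFC 2460 s4.4 Type 0 algorithm as every hop would run it and
    return the ordered list of nodes the packet visits (first = initial dest)."""
    _, seg_left, addrs = parse_rh0(rh0)
    n = len(addrs)
    dest = str(IPv6Address(dest))
    visited = [dest]
    while seg_left > 0:
        if seg_left > n:
            raise ValueError("Segments Left > n: ICMP Parameter Problem, Code 0")
        seg_left -= 1
        i = n - seg_left                        # RFC numbers addresses 1..n
        dest, addrs[i - 1] = addrs[i - 1], dest  # swap dest with Address[i]
        visited.append(dest)
    return visited


def link_crossings(visited, a, b):
    """Count how often consecutive hops traverse the a<->b link in either direction."""
    a, b = str(IPv6Address(a)), str(IPv6Address(b))
    return sum(1 for x, y in zip(visited, visited[1:]) if {x, y} == {a, b})


def handle_rh0_deprecated(rh0):
    """Deprecated-RH0 handling: treat Type 0 like an unrecognised Routing Type
    (RFC 2460 s4.4) instead of running the swap-and-forward algorithm above."""
    next_header, seg_left, _ = parse_rh0(rh0)
    if seg_left == 0:
        return "ignore routing header, continue with next header %d" % next_header
    return "discard packet, send ICMP Parameter Problem Code 0 at Routing Type"


if __name__ == "__main__":
    # Constructed scenario: attacker addresses router A first and lists B,A,B,A,B
    # before the final destination, so one packet crosses the A-B link 5 times.
    A, B, V = "2001:db8::a", "2001:db8::b", "2001:db8::ffff"
    rh = build_rh0(IPPROTO_NONE, [B, A, B, A, B, V])
    seq = rh0_hop_sequence(A, rh)
    print("hops:", " -> ".join(seq))
    print("A-B crossings:", link_crossings(seq, A, B))
    print("deprecated handling:", handle_rh0_deprecated(rh))
```

With the full 127-address list the same header sends one packet across
a chosen link well over a hundred times, which is the amplification the
draft is removing. Note that `handle_rh0_deprecated` never touches the
address list: once the Segments Left test decides between ignore and
discard, the node has nothing left to forward.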



