In all of these discussions, I am amazed that no one has mentioned that NIST has written a set of IPv6 implementation requirements for all US manufactured equipment that addresses many of the discussion issues.

NIST SP-800-115 Guidelines for the Secure Deployment of IPv6
NIST SP-500-267 A Profile for IPv6 in the US Government - Version 1.0

These documents were developed under the statutory responsibilities of the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. The recommendations in these reports are enforced by the Federal Acquisition Language (FAR) requirements stated in RIN 9000-AK57 as FAR Case 2006-041, Internet Protocol Version 6 (IPv6).

In short, follow the FAR law for IPv6 devices or the US Government will not purchase a vendor IPv6 device. This law applies to all Federal Government departments, agencies, offices, including DoD, NASA, Dept of Commerce, Veterans Administration, literally all Federal government purchasing offices and all equipment purchased via Federal funding dollars or the GSA bidding process.

IPv6 routers are similar to automobiles at this point in time. If the device is sold in the US, then it must conform to US law. That is the way that unleaded gas came into use, through Federal Law implemented as a certain size gas tank nozzle. For IPv6, the transported packets may not be liquid, but the core principle of controlling the transport "ground rules" is the same.

A vendor can break the law just as replica makers violate copyright law, but the vendor is liable for damages if that is his organization's choice.

Carroll Perkins

-----Original Message-----
From: ipv6-boun...@ietf.org [mailto:ipv6-boun...@ietf.org] On Behalf Of Ole Troan
Sent: Friday, March 26, 2010 11:12 AM
To: STARK, BARBARA H (ATTLABS)
Cc: IETF IPv6 Mailing List; Brian E Carpenter
Subject: Re: draft-ietf-v6ops-ipv6-cpe-router-04

> Yeah, I think that after the bloody simple-security debates of the past
> week, that many are amazed that anyone on this list was able to miss the
> carnage. Anyway, the current CPE router draft has the following security
> requirements in section 4.4:
>
> S-1: The IPv6 CE router SHOULD support
> [I-D.ietf-v6ops-cpe-simple-security].
>
> S-2: The IPv6 CE router MUST support ingress filtering in accordance
> with [RFC2827](BCP 38)
>
> The simple-security draft referenced in S-1 describes exactly what
> you're asking for (IMO), only in much greater detail. So I think what
> you're asking for is already in the cpe-router draft, and it would be a
> good idea for you to look at the simple-security draft and provide
> comments to it, if you think there's something missing.

indeed, apart from the fact that it does not/will not make any recommendation about default on or off.

cheers,
Ole

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------