Hi Joe,

Fair point about the draft-gont document. I've taken it out for now.

Which was the 6man I-D you meant? There are now two referenced thanks to recent comments and both are draft-ietf-6man so have presumably been adopted by the WG.

My current version is attached following today's edits in case that helps.

I've still not included rfc 3514 but the more iterations this takes, the more tempted I'm getting :-)

Thanks,
S.

On 15/06/11 01:17, Joe Touch wrote:
> Hi, all,
>
> It'd be useful to wait until these docs (this v6ops one and the 6man one
> it refers to) are adopted by the relevant WGs before noting them in
> recommendations to external parties, IMO.
>
> Some of the recommendations in these documents are akin to "if I didn't
> expect it, it's an attack", which I feel makes our protocols too brittle
> unless we are in a situation of known security compromise via other
> indicators. The latter doc (6man) also silently discards legitimate
> packets (complicating debugging), and ends up deprecating the entire
> extension header feature of IPv6 for all IPv6 signaling protocols -
> which seems like a bad idea overall.
>
> I'd prefer to see the relevant WGs endorse these as useful ways forward
> before adding them to this list.
>
> Joe
>
> On 6/14/2011 4:07 AM, Stephen Farrell wrote:
>>
>> Thanks Nick,
>>
>> I'll add that unless someone tells me it's a bad plan.
>> It's a fairly fresh I-D, but I guess it looks pretty
>> relevant all right.
>>
>> S.
>>
>> On 14/06/11 11:00, Nick Hilliard wrote:
>>> On 14/06/2011 00:09, Stephen Farrell wrote:
>>>> * RFC 6105 – "IPv6 Router Advertisement Guard"
>>>> * RFC 6106 – "IPv6 Router Advertisement Options for DNS
>>>> Configuration", §7 in particular.
>>>
>>> maybe mention draft-gont-v6ops-ra-guard-evasion? It's not a strategic
>>> focused document, but gives specific advice on a specific issue which is
>>> relevant to ipv6 lan deployments.
>>>
>>> Nick
>>>
>> _______________________________________________
>> saag mailing list
>> s...@ietf.org
>> https://www.ietf.org/mailman/listinfo/saag
>

From: IETF Security Area
To: Study Group 17, Questions 2 and 3
Title: Work on Security of IPv6

FOR ACTION

The IETF thanks Study Group 17 for its liaison LS-206 "Liaison on IPv6 security issues". As the world transitions to IPv6, new opportunities and challenges arise. SG17's focus on deployment and implementation considerations reflects this reality. We would like to bring to your attention the following work which we believe may prove a useful basis for both X.ipv6-secguide and X.mgv6:

* RFC 4294 – "IPv6 Node Requirements" (N.B., this work is currently under revision as draft-ietf-6man-node-req-bis, submitted to the IESG for approval on 2011-05-25)
* draft-ietf-6man-node-req-bis (work in progress) – "IPv6 Node Requirements RFC 4294-bis"
* RFC 4864 – "Local Network Protection for IPv6"
* RFC 4942 - "IPv6 Transition/Coexistence Security Considerations"
* RFC 6092 – "Recommended Simple Security Capabilities in Customer Premise Equipment (CPE) for Providing Residential IPv6 Internet Service"
* RFC 6105 – "IPv6 Router Advertisement Guard"
* RFC 6106 – "IPv6 Router Advertisement Options for DNS Configuration", §7 in particular.

As you are aware, every RFC contains a Security Considerations section. In developing either an implementation or deployment guide, contributors are strongly encouraged to review the RFCs and Internet-Drafts that support any underlying function.

In addition, we bring to your attention the following IETF Working Groups that are working on IPv6 security-related work:

Working Group  Purpose                              Mailing list address
Name
6man           IPv6 Maintenance                     ipv6@ietf.org
savi           Source Address Validation            s...@ietf.org
               Improvements
dhc            Dynamic Host Configuration           dh...@ietf.org
v6ops          IPv6 Operations                      v6...@ietf.org
opsec          Operational Security                 op...@ietf.org
               Capabilities for an IP Network

In addition to the above working groups, the Security Area of the IETF maintains a mailing list for general discussion, s...@ietf.org.

We encourage and invite open and informal discussion in these or other relevant IETF fora on this very important topic. As with all IETF working groups, any and all interested parties can choose to directly contribute via the mailing lists above.

As in other areas, the Security Area of the IETF invites SG17 to bring any new-found concerns about IETF protocols to our attention so that as and when we revise our documents we can make appropriate amendments to IETF protocols. In particular, as this planned work matures, we would welcome hearing about it in more detail, perhaps via an invited presentation at a saag meeting or via review of draft documents as may be appropriate.

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------