Hi, Stephen,

Thanks so much for your feedback! Please find my comments in-line....

On 08/20/2015 12:57 AM, Stephen Farrell wrote:
> 
> - general: @Fernando: thank you for writing a document that does
> not recommend turning off IPv6:-)

(a comment on this one at the end of this email :-) )  (*)



> - general: shouldn't you recommend a honeynet approach as another
> way of spotting scans when there ought be none? That might fit in
> 3.5 I guess.

The goal here is not to detect host scanning, but to perform it or
mitigate it -- rather than detecting the host scanning attacks.



> - intro: what evidence is there that the number of hosts per
> subnet is likely to stay the same? (And what do you consider an
> IPv4 subnet here? a /16 is it? Maybe worth saying.) The density
> point still applies though, but good to not assume things that
> aren't needed.

What evidence is there that this is going to change?



> - 3.1.1 - I would recommend you check with Christian Huitema
> about Windows10 which has some new features related to MAC
> addresses. I don't know if there is new IPv6 handling associated
> with those changes.

I will.



> - 3.4.1 s/patters/patterns/

Will fix.

<off-topic>
(*)

P.S.: You keep repeating this one :-), but the only document in which I
noted that the unfortunate only possible approach might be to disable v6
at the time was RFC7359 (and in RFC7123, as one possible approach).

As unfortunate as it was, it was correct. And there was a recent wave of
press on this topic:
<http://docs.media.bitpipe.com/io_10x/io_102267/item_465972/VPN%20Looking%20Glass.pdf>
with kind of sad comments about IPv6.

I think our advice was timely, and in line with a quote from Bertrand
Russell I like:

"The intellectual thing I should want to say is this: When you are
studying any matter, or considering any philosophy, ask yourself only
what are the facts and what is the truth that the facts bear out. Never
let yourself be diverted either by what you wish to believe, or by what
you think would have beneficent social effects if it were believed. But
look only, and solely, at what are the facts."

Everything else I've authored has been about improvements, not "turning
it off"... and for instance, I've been IPv6 enabled for years... ;-)
</off-topic>

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
