fwd'ing, since there was a typo in the original email...

-------- Forwarded Message --------
Subject: Re: [v6ops] [OPSEC] WGLC for draft-ietf-opsec-v6
Date: Tue, 18 Apr 2017 12:10:37 +0100
From: Fernando Gont <fg...@si6networks.com>
To: otr...@employees.org, op...@ietf.ortg
CC: Gunter Van De Velde <guntervandeveld...@icloud.com>, v6...@ietf.org
Operations <v6...@ietf.org>, 6...@ietf.org

On 04/18/2017 09:18 AM, otr...@employees.org wrote:
> A few initial comments. Draft is not quite ready.
> 
> Section 2.1.3:
>   6164 does not _recommend_ /127 it _permits_ /127 on p2p links.

Agreed on this.


>   The ping pong attack is mitigated in RFC4443.

I must be missing something... what does RFC4443 have to do with this? A
ping pong attack does not require the attack packets to be ICMPv6 echo
requests...


>   I am not convinced there is justification that this document should 
> recommend /127 for "security reasons".

Besides ping-pong, there's NCE. While I do agree that the real solution
to the above two issues is *not* to use a /127, this document being an
operational one, I can see why the authors may want to recommend /127.



> Section 2.2:
>   I am not sure that extension headers are one of the most critical 
> differentiators between IPv4 and IPv6. IPv4 had variable length options...

The packet structure does make a big difference. For instance, it's
trivial to find (in IPv4-based packets) the upper layer protocol type
and protocol header, while in IPv6 it actually isn't.



> Section 2.3.2:
>   Consider Secure DHCPv6?

Question: is that doable? (i.e., widely supported)




> Section 3.1:
>   In general update references. e.g. ipv6-eh-filtering is outdated.
>   I question referencing opsec-ipv6-eh-filtering. It has wrong and outdated 
> advice. E.g. on section of HBH header.
>   The advice in ipv6-eh-filtering is essentially to ossify the network.

Have you read the I-D? Because the I-D boils down to: "pass all EHs
unless they are known to be very harmful".

Thanks!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
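The point made above about packet structure (finding the upper-layer protocol is a single field read in IPv4 but a walk of the Next Header chain in IPv6) is illustrated by the following example. It is added here as an editorial illustration; it is not code from the email, from the draft, or from SI6 Networks. The sample packets are constructed inline; the header-type constants are the standard IPv6 protocol numbers, and the function names and the fixed-size padding of the sample headers are the example's own choices.

```python
import struct

# IPv6 header/protocol numbers (standard registry values)
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT_HEADER, DEST_OPTS, TCP = 0, 43, 44, 50, 51, 59, 60, 6


def ipv4_upper_layer(pkt: bytes):
    """Return (protocol number, byte offset of the upper-layer header) for IPv4.
    One field read plus one length computation is all that is needed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4            # header length in bytes, options included
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("truncated IPv4 header")
    return pkt[9], ihl                   # Protocol is byte 9 of the fixed header


def ipv6_upper_layer(pkt: bytes, max_headers: int = 8):
    """Walk the IPv6 Next Header chain.

    Returns (protocol number, offset) when the upper-layer header can be located,
    or (None, reason) when it cannot: a non-initial fragment, an ESP header
    (payload encrypted), a truncated chain, or a chain longer than max_headers.
    A filtering device has to handle every one of these cases; an IPv4 one does not.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 header")
    nh, off = pkt[6], 40                 # fixed 40-byte header; Next Header is byte 6
    for _ in range(max_headers):
        if nh in (HOP_BY_HOP, ROUTING, DEST_OPTS):
            if len(pkt) < off + 8:
                return None, "truncated extension header"
            # Hdr Ext Len counts 8-octet units, excluding the first 8 octets
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == FRAGMENT:
            if len(pkt) < off + 8:
                return None, "truncated fragment header"
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                return None, "non-initial fragment: upper-layer header is in another packet"
            nh, off = pkt[off], off + 8  # fragment header is always 8 octets
        elif nh == AH:
            if len(pkt) < off + 8:
                return None, "truncated AH"
            # AH Payload Len is in 4-octet units minus 2, unlike the other EHs
            nh, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        elif nh == ESP:
            return None, "ESP: upper-layer header is encrypted"
        elif nh == NO_NEXT_HEADER:
            return None, "no next header"
        else:
            if len(pkt) < off:
                return None, "truncated packet"
            return nh, off
    return None, "extension header chain too long"


# --- constructed sample packets (addresses zeroed, 20 bytes of dummy TCP) ---
def _ipv6_base(next_header: int, payload_len: int) -> bytes:
    return (bytes([0x60, 0, 0, 0]) + struct.pack("!H", payload_len)
            + bytes([next_header, 64]) + bytes(32))

DUMMY_TCP = bytes(20)
# IPv4: 20-byte header (IHL=5), Protocol=TCP
IPV4_TCP = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, TCP]) + bytes(10) + DUMMY_TCP
# IPv6 + Hop-by-Hop (8 octets) + Destination Options (16 octets) + TCP
IPV6_EH_TCP = (_ipv6_base(HOP_BY_HOP, 44) + bytes([DEST_OPTS, 0]) + bytes(6)
               + bytes([TCP, 1]) + bytes(14) + DUMMY_TCP)
# IPv6 + Fragment header with a non-zero fragment offset (non-initial fragment)
IPV6_FRAG = _ipv6_base(FRAGMENT, 28) + bytes([TCP, 0]) + struct.pack("!H", 100 << 3) + bytes(4) + DUMMY_TCP
# IPv6 + ESP: whatever follows is opaque to a middlebox
IPV6_ESP = _ipv6_base(ESP, 28) + bytes(28)
# IPv6 + AH (Payload Len=4 -> 24 octets) + TCP
IPV6_AH_TCP = _ipv6_base(AH, 44) + bytes([TCP, 4]) + bytes(22) + DUMMY_TCP

if __name__ == "__main__":
    print("IPv4:", ipv4_upper_layer(IPV4_TCP))
    for name, p in [("EH chain", IPV6_EH_TCP), ("fragment", IPV6_FRAG),
                    ("ESP", IPV6_ESP), ("AH", IPV6_AH_TCP)]:
        print(f"IPv6 {name}:", ipv6_upper_layer(p))
```

The IPv4 function never needs to know what the options are; the IPv6 one must know the length encoding of each extension header type (AH differs from the rest), must recognise fragments and ESP as cases where the answer is simply unavailable, and must bound the walk. That asymmetry is what makes header-based filtering and ACL matching harder on IPv6 devices.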


_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
