Re: Gen-ART LC Review of draft-ietf-opsec-dhcpv6-shield-04
Jari Arkko <jari.arkko@piuha.net> Thu, 22 January 2015 13:00 UTC
Return-Path: <jari.arkko@piuha.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 646181ACC8D; Thu, 22 Jan 2015 05:00:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jEViyWEsMSif; Thu, 22 Jan 2015 05:00:56 -0800 (PST)
Received: from p130.piuha.net (p130.piuha.net [IPv6:2a00:1d50:2::130]) by ietfa.amsl.com (Postfix) with ESMTP id 172391A1A1B; Thu, 22 Jan 2015 05:00:53 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by p130.piuha.net (Postfix) with ESMTP id 4C6102CCBE; Thu, 22 Jan 2015 15:00:04 +0200 (EET) (envelope-from jari.arkko@piuha.net)
X-Virus-Scanned: amavisd-new at piuha.net
Received: from p130.piuha.net ([127.0.0.1]) by localhost (p130.piuha.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gBtCxJH7fLtc; Thu, 22 Jan 2015 15:00:03 +0200 (EET)
Received: from [127.0.0.1] (p130.piuha.net [IPv6:2a00:1d50:2::130]) by p130.piuha.net (Postfix) with ESMTP id 95F982CC4D; Thu, 22 Jan 2015 15:00:03 +0200 (EET) (envelope-from jari.arkko@piuha.net)
Content-Type: multipart/signed; boundary="Apple-Mail=_261828C3-86E8-4ACC-8332-D8394886B75C"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Subject: Re: Gen-ART LC Review of draft-ietf-opsec-dhcpv6-shield-04
From: Jari Arkko <jari.arkko@piuha.net>
In-Reply-To: <54BCB932.30609@si6networks.com>
Date: Thu, 22 Jan 2015 12:41:12 +0100
Message-Id: <70CCC1A2-A7F0-4CBE-B5B9-0DABCB18C4ED@piuha.net>
References: <E5BE273D-3996-4086-B5D9-FFFB437774DE@nostrum.com> <547D9C86.6040701@si6networks.com> <64775586-CC1E-4360-9122-F000EB45F475@nostrum.com> <54BCB932.30609@si6networks.com>
To: Fernando Gont <fgont@si6networks.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/OeW6QXiw3sEIEgtXnwW4VWUaRAs>
Cc: Ben Campbell <ben@nostrum.com>, "gen-art@ietf.org Team (gen-art@ietf.org)" <gen-art@ietf.org>, draft-ietf-opsec-dhcpv6-shield.all@ietf.org, IETF Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jan 2015 13:01:00 -0000
Ben, Fernando, Thanks for the review and responses. I have placed a no-objection position for this draft in tonight’s IESG telechat. Jari On 19 Jan 2015, at 08:58, Fernando Gont <fgont@si6networks.com> wrote: > Hi, Ben, > > It looks like I never responded to this one. -- My apologies for that. > Please find my comments in-line... > > > On 12/11/2014 06:56 PM, Ben Campbell wrote: >>>> Minor issues: >>>> >>>> -- abstract, last sentence: >>>> >>>> I didn't find this assertion in the body itself. It would be nice >>>> to see support for it (perhaps with citations). >>> >>> I guess one could provide references to some vendor's manuals? Is >>> that what you have in mind? (although I'd prefer not to do so). >> >> The citations part was more of a nice to have. But it would be worth >> putting some words around that in the body, even if there's nothing >> to reference. > > ANy suggestions on this one? > > > > >>>> -- section 4: >>>> >>>> Am I correct in understanding that this is opt in only? You >>>> would disallow a rule of the form of "allow on any port except >>>> [list]"? >>> >>> Not sure what you mean. >>> >>> The idea is that if you want to enable dhcpv6 shield, you need to >>> specify on which port(s) the dhcpv6 server(s) is/are connected. >> >> Would a rule of the form "Allow DHCPv6 on all ports except port X" be >> allowed? > > Yes. That's another way of saying: "Enable DHCPv6-Shield. Allow DHCPv6 > on ports 1-7" -- when a device has ports 1-8. i.e., DHCPv6-Shield is, > when enabled, a "default deny" -- and you need to specify on which > port(s) DHCPv6 should be allowed. > > > >>>> -- section 1, 3rd paragraph: >>>> >>>> It would be helpful to define what a "DHCP-Shield device" is, >>>> prior to talking about deploying and configuring them. >>> >>> How about adding (in Section 1) the following text: >>> >>> This document specifies DHCPv6 Shield: a set of filtering rules >>> meant to mitigate attacks that employ DHCPv6-server packets. >>> Throughout this document we refer to a device implementing the >>> DHCPv6 Shield filtering rules as the "DHCPv6 Shield device" >>> >>> ? >> >> Yes, thanks. > > FWIW, we ended up adding all these definitions to the "Terminology" section. > > > >>>> -- section 3, paragraph ending with with "... used as follows >>>> [RFC7112]:" >>>> >>>> I'm a bit confused by the citation. Are these defined "as >>>> follows", or in 7112? >>>> >> >> You did not respond to this one. I note that my next few comments >> might no longer apply if the 7112 reference is clarified. Is the >> point to say that 7112 contains the following definitions, which are >> repeated here for the sake of convenience? > > Yes, that's the point. And we've updated the text to say "..used as > defined in [RFC7112]". > > > > >>>> Also, while this section talks about some aspects of header >>>> chains, it never actually defines the term. >>> >>> Which one? >> >> The term "header chain". That is, something of the form of "The IPv6 >> header chain is a linked-list of IPv6 headers. It contains ...". > > We never use "header chain" alone, but rather "IPv6 header chain". > > > >>>> -- section 3, "Upper-Layer Header" >>>> >>>> Again, this section talks about the term without defining it. >>>> >>>> -- section 5, list entry "1": "... the IPv6 entire header chain >>>> ..." >>> >>> Not sure what you mean: Section 3 is all about defining the terms. >>> Am I missing something? >> >> Again, the definition doesn't actually define the term. For example, >> "An upper-layer header is a header belonging to an upper-layer >> protocol" > > mm.. but that wouldn't be correct. The current definition seems to be > more correct than that. Not sure what is missing... > > Thanks! > > Best regards, > -- > Fernando Gont > SI6 Networks > e-mail: fgont@si6networks.com > PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 > > > >
- Gen-ART LC Review of draft-ietf-opsec-dhcpv6-shie… Ben Campbell
- Re: Gen-ART LC Review of draft-ietf-opsec-dhcpv6-… Fernando Gont
- Re: Gen-ART LC Review of draft-ietf-opsec-dhcpv6-… Ben Campbell
- Re: Gen-ART LC Review of draft-ietf-opsec-dhcpv6-… Fernando Gont
- Re: Gen-ART LC Review of draft-ietf-opsec-dhcpv6-… Jari Arkko