Re: [OPSEC] I-D Action: draft-ietf-opsec-dhcpv6-shield-07.txt

"C. M. Heard" <heard@pobox.com> Sun, 31 May 2015 03:35 UTC

Date: Sat, 30 May 2015 20:34:50 -0700
From: "C. M. Heard" <heard@pobox.com>
To: OPSEC <opsec@ietf.org>
In-Reply-To: <20150515163152.27063.80335.idtracker@ietfa.amsl.com>
Message-ID: <Pine.LNX.4.64.1505302026550.16871@shell4.bayarea.net>
References: <20150515163152.27063.80335.idtracker@ietfa.amsl.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/4v0oqkyyC3j32fc3mvmuM545ZPs>
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-dhcpv6-shield-07.txt

Greetings,

The text in Section 3 seems to have dropped the step saying that if 
the packet is identified to be a DHCPv6 packet meant for a DHCPv6 
client then a DHCPv6-Shield implementation MUST drop the packet.  
That omission defeats the entire purpose of the draft and renders it 
unsuitable for publication.

As noted in http://www.ietf.org/mail-archive/web/opsec/current/msg01870.html, 
this problem was introduced in the -06 version of the draft.  Could the authors 
PLEASE fix this, or else point out where in -07 this step is spelled out?

//cmh

On Fri, 15 May 2015, internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>  This draft is a work item of the Operational Security Capabilities for IP Network Infrastructure Working Group of the IETF.
> 
>         Title           : DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers
>         Authors         : Fernando Gont
>                           Will Liu
>                           Gunter Van de Velde
>         Filename        : draft-ietf-opsec-dhcpv6-shield-07.txt
>         Pages           : 11
>         Date            : 2015-05-15
> 
> Abstract:
>    This document specifies a mechanism for protecting hosts connected to
>    a switched network against rogue DHCPv6 servers.  It is based on
>    DHCPv6 packet-filtering at the layer-2 device at which the packets
>    are received.  A similar mechanism has been widely deployed in IPv4
>    networks ('DHCP snooping'), and hence it is desirable that similar
>    functionality be provided for IPv6 networks.  This document specifies
>    a Best Current Practice for the implementation of DHCPv6 Shield.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-opsec-dhcpv6-shield/
> 
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-opsec-dhcpv6-shield-07
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-opsec-dhcpv6-shield-07
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
>
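The filtering step the message above says went missing from -06/-07, written out as an added example that is not code from the draft or its authors. It walks the IPv6 header chain of a received frame, identifies a DHCPv6 packet meant for a client (UDP destination port 546) and drops it unless the ingress port is configured as DHCPv6-server-facing. The treatment of the edge cases is this example's own policy, not text from the page: a first fragment whose header chain is cut off is dropped, a non-first fragment is forwarded (the first fragment carried the headers and was already judged), and an unrecognised Next Header value is dropped unless an `allow_unknown_next_header` knob is set. The sample frames, addresses and DHCPv6 message bytes are constructed here, not captured traffic.

```python
import struct

# Protocol constants from the IPv6 / UDP / DHCPv6 specifications.
ETHERTYPE_IPV6 = 0x86DD
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_DSTOPTS = 0, 43, 44, 51, 60
NH_TCP, NH_UDP, NH_ESP, NH_ICMPV6, NH_NONEXT = 6, 17, 50, 58, 59
DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT = 546, 547

# Extension headers whose length is (hdr_ext_len + 1) * 8 octets.
VARLEN_EXT = {NH_HOPOPTS, NH_ROUTING, NH_DSTOPTS}
# Upper-layer protocols this filter knows how to stop at.
KNOWN_UPPER = {NH_TCP, NH_UDP, NH_ESP, NH_ICMPV6, NH_NONEXT}


def classify(ipv6: bytes) -> str:
    """Walk the IPv6 header chain and say what the packet is to DHCPv6-Shield:
      'dhcpv6-to-client'    UDP with destination port 546 (a DHCPv6 server message)
      'other'               any other parseable packet
      'non-first-fragment'  fragment offset != 0, so no upper-layer header here
      'unparseable'         the chain cannot be followed inside this packet
      'unknown-next-header' the chain reaches a Next Header value we do not know
    """
    if len(ipv6) < 40 or ipv6[0] >> 4 != 6:
        return "unparseable"
    nh, off = ipv6[6], 40
    while True:
        if nh in VARLEN_EXT or nh == NH_AH:
            if len(ipv6) < off + 2:
                return "unparseable"
            ext_len = ipv6[off + 1]
            # AH counts its length in 4-octet units, the others in 8-octet units.
            hlen = (ext_len + 2) * 4 if nh == NH_AH else (ext_len + 1) * 8
            nh, off = ipv6[off], off + hlen
        elif nh == NH_FRAGMENT:
            if len(ipv6) < off + 8:
                return "unparseable"
            frag_off = struct.unpack("!H", ipv6[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                return "non-first-fragment"
            nh, off = ipv6[off], off + 8
        elif nh == NH_UDP:
            if len(ipv6) < off + 8:
                return "unparseable"
            dport = struct.unpack("!H", ipv6[off + 2:off + 4])[0]
            return "dhcpv6-to-client" if dport == DHCPV6_CLIENT_PORT else "other"
        elif nh in KNOWN_UPPER:
            return "other"
        else:
            return "unknown-next-header"


def shield_verdict(frame: bytes, server_facing_port: bool,
                   allow_unknown_next_header: bool = False) -> str:
    """DHCPv6-Shield decision for one Ethernet frame: 'forward' or 'drop'."""
    if server_facing_port:
        return "forward"          # ports configured as server-facing are not filtered
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return "forward"          # not IPv6: outside DHCPv6-Shield's scope
    kind = classify(frame[14:])
    if kind == "dhcpv6-to-client":
        return "drop"             # the MUST-drop step the message asks to restore
    if kind == "unparseable":
        return "drop"             # example policy: cannot prove it is not a server message
    if kind == "unknown-next-header":
        return "forward" if allow_unknown_next_header else "drop"   # example knob
    return "forward"              # 'other' and 'non-first-fragment'


# --- constructed sample frames (assumed addresses, not captures) ---
def ipv6_packet(next_header: int, payload: bytes) -> bytes:
    src = bytes.fromhex("fe800000000000000000000000000001")
    dst = bytes.fromhex("fe800000000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data   # checksum left 0

def frame(ipv6: bytes) -> bytes:
    return bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV6) + ipv6

DHCPV6_ADVERTISE = bytes([2, 0, 0, 0])   # msg-type 2 + 3-byte txid, options omitted
DHCPV6_SOLICIT = bytes([1, 0, 0, 0])     # msg-type 1

SAMPLES = {
    "rogue advertise": frame(ipv6_packet(NH_UDP, udp(547, 546, DHCPV6_ADVERTISE))),
    "client solicit": frame(ipv6_packet(NH_UDP, udp(546, 547, DHCPV6_SOLICIT))),
    # Destination Options header (8 octets: PadN) in front of the same Advertise.
    "advertise behind dstopts": frame(ipv6_packet(
        NH_DSTOPTS, bytes([NH_UDP, 0, 1, 4, 0, 0, 0, 0]) + udp(547, 546, DHCPV6_ADVERTISE))),
    # First fragment (offset 0, M=1) whose chain ends right after the Fragment header.
    "truncated first fragment": frame(ipv6_packet(
        NH_FRAGMENT, struct.pack("!BBHI", NH_DSTOPTS, 0, 0x0001, 0xDEADBEEF))),
    # Non-first fragment (offset 1): the upper-layer header is not in this packet.
    "non-first fragment": frame(ipv6_packet(
        NH_FRAGMENT, struct.pack("!BBHI", NH_UDP, 0, 1 << 3, 0xDEADBEEF) + bytes(8))),
    "experimental next header": frame(ipv6_packet(253, bytes(8))),
}


def run_samples(server_facing_port: bool = False) -> dict:
    return {name: shield_verdict(f, server_facing_port) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:26s} -> {verdict}")
```

Only the "rogue advertise" and "advertise behind dstopts" frames are dropped because they are DHCPv6 server messages; the truncated first fragment and the experimental Next Header are dropped because the filter cannot tell, which is exactly the ambiguity a rogue server would exploit by hiding port 546 behind a fragment or an unknown header.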