[OPSEC] Protocol Action: 'DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers' to Best Current Practice (draft-ietf-opsec-dhcpv6-shield-08.txt)
The IESG <iesg-secretary@ietf.org> Mon, 06 July 2015 22:57 UTC
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Date: Mon, 06 Jul 2015 15:57:39 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/sWDGu1Ghpm3WYobLSNMb4y8_Ysk>
Cc: opsec mailing list <opsec@ietf.org>, opsec chair <opsec-chairs@tools.ietf.org>, RFC Editor <rfc-editor@rfc-editor.org>
The IESG has approved the following document:
- 'DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers'
  (draft-ietf-opsec-dhcpv6-shield-08.txt) as Best Current Practice

This document is the product of the Operational Security Capabilities for IP Network Infrastructure Working Group.

The IESG contact persons are Benoit Claise and Joel Jaeggli.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-opsec-dhcpv6-shield/

Technical Summary

This document describes a mechanism for protecting hosts connected to a switched network against rogue DHCPv6 servers. This mechanism is based on DHCPv6 packet-filtering at the layer-2 device at which the packets are received. A similar mechanism has been widely deployed in IPv4 networks ('DHCP snooping'), and hence it is desirable that similar functionality be provided for IPv6 networks.

Working Group Summary

This document received a fair bit of in-depth review from key members of the WG. The WGLC concluded that this is useful information that is presented in an easy to read format.

Document Quality

This document provides advice to IPv6 implementors for protecting hosts connected to a switched network against rogue DHCPv6 servers. There is a valid implementation of this functionality on Cisco equipment. Everyone who reviewed and commented on this document agrees that this is a significant security issue and that the mechanism that this draft provides is easy to use given its similarity to a similar feature (DHCP snooping) that has existed for IPv4 networks for a while.

Personnel

Kiran Kumar Chittimaneni is the Document Shepherd. Joel Jaeggli is the Area Director.
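
A simplified sketch of the layer-2 filtering decision the Technical Summary describes, added here as an example; it is not taken from the draft or from any vendor implementation. It relies on DHCPv6 messages for clients being sent to UDP destination port 546; the names `shield_verdict` and `build_packet`, the per-port trusted flag, the limited set of extension headers walked, and dropping truncated packets are assumptions of this example.

```python
import struct

DHCPV6_CLIENT_PORT = 546   # DHCPv6 clients listen here; server replies are sent to it
UDP, FRAGMENT = 17, 44     # IPv6 Next Header values
EXT_HEADERS = {0, 43, 60}  # Hop-by-Hop, Routing, Destination Options

def shield_verdict(ipv6_packet: bytes, port_trusted: bool) -> str:
    """Return 'forward' or 'drop' for an IPv6 packet received on a switch port."""
    if port_trusted:                      # port where a DHCPv6 server may legitimately sit
        return "forward"
    if len(ipv6_packet) < 40 or ipv6_packet[0] >> 4 != 6:
        return "forward"                  # not IPv6: outside the scope of this filter
    next_header, offset = ipv6_packet[6], 40
    while next_header in EXT_HEADERS or next_header == FRAGMENT:
        if offset + 8 > len(ipv6_packet):
            return "drop"                 # truncated header chain (assumption: fail closed)
        if next_header == FRAGMENT:
            frag_off = struct.unpack_from("!H", ipv6_packet, offset + 2)[0] >> 3
            if frag_off != 0:
                return "forward"          # non-first fragment carries no UDP header
            length = 8
        else:
            length = (ipv6_packet[offset + 1] + 1) * 8
        next_header = ipv6_packet[offset]
        offset += length
    if next_header != UDP:
        return "forward"
    if offset + 8 > len(ipv6_packet):
        return "drop"                     # UDP header cut short (assumption: fail closed)
    dst_port = struct.unpack_from("!H", ipv6_packet, offset + 2)[0]
    # Server-to-client DHCPv6 traffic arriving on an untrusted port is filtered.
    return "drop" if dst_port == DHCPV6_CLIENT_PORT else "forward"

def build_packet(dst_port: int, with_dest_opts: bool = False) -> bytes:
    """Constructed sample: IPv6 header, optional Destination Options header, UDP header."""
    udp = struct.pack("!HHHH", 547, dst_port, 8, 0)
    ext = bytes([UDP, 0, 1, 4, 0, 0, 0, 0]) if with_dest_opts else b""
    first_nh = 60 if with_dest_opts else UDP
    hdr = struct.pack("!IHBB", 6 << 28, len(ext) + len(udp), first_nh, 255)
    return hdr + bytes(16) + bytes(16) + ext + udp   # all-zero addresses, constructed
```

Walking the extension-header chain matters because a filter that only inspects the first Next Header field would miss the second sample packet, where the UDP header sits behind a Destination Options header.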