Re: [OPSEC] I-D Action: draft-ietf-opsec-dhcpv6-shield-06.txt

"C. M. Heard" <heard@pobox.com> Tue, 03 March 2015 05:20 UTC

Date: Mon, 02 Mar 2015 21:19:48 -0800
From: "C. M. Heard" <heard@pobox.com>
X-X-Sender: heard@shell4.bayarea.net
To: opsec@ietf.org, draft-ietf-opsec-dhcpv6-shield@ietf.org, draft-ietf-opsec-dhcpv6-shield.ad@ietf.org, draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org, kk.chittimaneni@gmail.com, opsec-chairs@ietf.org, brian.e.carpenter@gmail.com, joelja@bogus.com, ted.lemon@nominum.com, alissa@cooperw.in
Message-ID: <Pine.LNX.4.64.1503022108560.8287@shell4.bayarea.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/xTM1sCN7JKsxCoba3ice4udwPRc>
Cc: presnick@qti.qualcomm.com
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-dhcpv6-shield-06.txt

Greetings,

Unless I missed something, it seems that a vital portion 
of the text of Section 5 was dropped in going from -05 to 
-06.  One possible fix would be to reinstate it as follows:

OLD:
   4.  In all other cases, DHCPv6-Shield MUST pass the packet as usual.
NEW:
   4.  When parsing the IPv6 header chain, if the packet is identified
       to be a DHCPv6 packet meant for a DHCPv6 client, DHCPv6-Shield 
       MUST drop the packet, and ought to log the packet drop event in 
       an implementation-specific manner as a security alert.

   5.  In all other cases, DHCPv6-Shield MUST pass the packet as usual.
END.

Thanks,

Mike Heard

On Wed, 25 Feb 2015, internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>  This draft is a work item of the Operational Security Capabilities for IP Network Infrastructure Working Group of the IETF.
> 
>         Title           : DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers
>         Authors         : Fernando Gont
>                           Will Liu
>                           Gunter Van de Velde
>         Filename        : draft-ietf-opsec-dhcpv6-shield-06.txt
>         Pages           : 10
>         Date            : 2015-02-25
> 
> Abstract:
>    This document specifies a mechanism for protecting hosts connected to
>    a switched network against rogue DHCPv6 servers.  It is based on
>    DHCPv6 packet-filtering at the layer-2 device at which the packets
>    are received.  A similar mechanism has been widely deployed in IPv4
>    networks ('DHCP snooping'), and hence it is desirable that similar
>    functionality be provided for IPv6 networks.  This document specifies
>    a Best Current Practice for the implementation of DHCPv6 Shield.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-opsec-dhcpv6-shield/
> 
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-opsec-dhcpv6-shield-06
> 
> A diff from the previous version is available at:
> http://www.ietf.org/rfcdiff?url2=draft-ietf-opsec-dhcpv6-shield-06
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
>
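The two Section 5 steps quoted in the message above (drop a DHCPv6 packet meant for a client, pass everything else) only work if the filter really walks the whole IPv6 header chain rather than looking at the base header's Next Header field. The following is an added worked example, not code from the draft or from its authors: a small DHCPv6-Shield decision function with constructed sample packets. It assumes, since the page does not say so, that a "DHCPv6 packet meant for a DHCPv6 client" is a UDP datagram with destination port 546 (the DHCPv6 client port), that the filter applies only to switch ports not meant to face a DHCPv6 server, that a first fragment whose header chain is incomplete is dropped, and that a non-first fragment (which carries no header chain to inspect) is passed. The names `walk_header_chain`, `shield_decision` and the sample packets are this example's own.

```python
"""Added example: a DHCPv6-Shield decision function that walks the IPv6
header chain before deciding.  Not the draft's code; see the lead-in for
the assumptions (UDP dst port 546 == "meant for a DHCPv6 client", fragment
handling, server-facing ports)."""
import struct

DHCPV6_CLIENT_PORT = 546                      # RFC 3315 client port (assumption: the identifying test)
IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_DSTOPTS = 0, 43, 44, 60
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMPV6, IPPROTO_NONE = 6, 17, 58, 59
EXT_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS}   # same 8*(len+1) layout
UPPER_LAYER = {IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMPV6, IPPROTO_NONE}


def walk_header_chain(pkt: bytes):
    """Follow Next Header pointers from the base header.

    Returns (status, proto, offset) where status is:
      "upper"              an upper-layer header was reached at `offset`
      "incomplete"         the chain ends before an upper-layer header
                           (truncated first fragment, or unknown Next Header)
      "non_first_fragment" a fragment with offset != 0: no chain to inspect
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "incomplete", None, 0
    nxt, off = pkt[6], 40
    while True:
        if nxt == IPPROTO_FRAGMENT:
            if off + 8 > len(pkt):
                return "incomplete", nxt, off
            frag_off = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            if frag_off != 0:
                return "non_first_fragment", nxt, off
            nxt, off = pkt[off], off + 8              # first fragment: keep walking
        elif nxt in EXT_HEADERS:
            if off + 8 > len(pkt):
                return "incomplete", nxt, off
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nxt in UPPER_LAYER:
            return "upper", nxt, off
        else:
            return "incomplete", nxt, off             # cannot follow an unknown header


def shield_decision(pkt: bytes, server_facing: bool = False) -> str:
    """Return "drop" or "pass" for a frame received on a switch port."""
    if server_facing:
        return "pass"            # assumption: only non-server-facing ports are filtered
    status, proto, off = walk_header_chain(pkt)
    if status == "non_first_fragment":
        return "pass"            # assumption: nothing to identify in a non-first fragment
    if status == "incomplete":
        return "drop"            # first fragment/truncated packet without the full chain
    if proto == IPPROTO_UDP:
        if off + 8 > len(pkt):
            return "drop"        # UDP header itself is missing: chain is not complete
        dst_port = struct.unpack_from("!H", pkt, off + 2)[0]
        if dst_port == DHCPV6_CLIENT_PORT:
            return "drop"        # step 4: a DHCPv6 message meant for a client
    return "pass"                # step 5: all other cases


# --- constructed sample packets (addresses zeroed, checksums left at 0) ---
def ipv6(payload: bytes, nxt: int) -> bytes:
    return struct.pack("!IHBB", 0x60000000, len(payload), nxt, 64) + bytes(32) + payload

def udp(src: int, dst: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", src, dst, 8 + len(data), 0) + data

def dstopts(nxt: int) -> bytes:
    return bytes([nxt, 0, 1, 4, 0, 0, 0, 0])      # Hdr Ext Len 0, one PadN(4) option

def fraghdr(nxt: int, offset: int, more: int = 1, ident: int = 1) -> bytes:
    return struct.pack("!BBHI", nxt, 0, (offset << 3) | more, ident)

ROGUE_ADVERTISE = ipv6(udp(547, 546, b"\x02\x00\x00\x01"), IPPROTO_UDP)        # server -> client
CLIENT_SOLICIT = ipv6(udp(546, 547, b"\x01\x00\x00\x01"), IPPROTO_UDP)         # client -> server
HIDDEN_ADVERTISE = ipv6(dstopts(IPPROTO_UDP) + udp(547, 546, b"\x02\x00\x00\x01"), IPPROTO_DSTOPTS)
TRUNCATED_FIRST_FRAGMENT = ipv6(fraghdr(IPPROTO_DSTOPTS, 0), IPPROTO_FRAGMENT)  # chain cut off
NON_FIRST_FRAGMENT = ipv6(fraghdr(IPPROTO_UDP, 1) + bytes(16), IPPROTO_FRAGMENT)

if __name__ == "__main__":
    for name, pkt in [("rogue advertise", ROGUE_ADVERTISE), ("client solicit", CLIENT_SOLICIT),
                      ("advertise behind dst-opts", HIDDEN_ADVERTISE),
                      ("truncated first fragment", TRUNCATED_FIRST_FRAGMENT),
                      ("non-first fragment", NON_FIRST_FRAGMENT)]:
        print(f"{name:28s} -> {shield_decision(pkt)}")
```

The `HIDDEN_ADVERTISE` case is the one that matters operationally: its base header says Next Header 60 (Destination Options), so a filter that only checks the base header for UDP would pass the rogue Advertise straight through; walking the chain finds the UDP header at offset 48 and applies step 4.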