Re: [secdir] secdir review of draft-ietf-6man-addr-select-opt

[Ole Troan <otroan@employees.org>]

Dan,

let me chime in as the document shepherd.
(thank you very much for the thorough comments by the way).

>  For instance, while I think I understand the policy override of RFC
> 6724, having the Automatic Row Additions Flag be part of the address
> selection options seems problematic. If it is set to zero, then what are
> the semantics of such a message? "Here's an address selection option
> but don't you dare use it!"? What is the point? Me, as a node, can have
> this as part of my policy state which would allow me to ignore such
> an update but to have the bit be part of the option to update does
> not seem to make much sense. The semantics of the message needs
> to be explained much more clearly, or the bit needs to be removed
> from the message.

my reading of the meaning of the A flag is a little different. (I have cc'ed the authors of rfc6724 for confirmation.)

an implementation of RFC6724 may automatically add entries in the policy table based on addresses configured on the node.
e.g. the node has an interface with a ULA address.

RFC6724 also says:
   An implementation SHOULD provide a means (the Automatic Row Additions flag) for an administrator to disable
   automatic row additions.

the A-flag in draft-ietf-6man-addr-select-opt provides the means.

it does not affect the policy entries that is contained in the DHCP option.
the A-flag only affects the RFC6724 behaviour of adding entries based on address configuration on the node.

cheers,
Ole