[secdir] SecDir Review of draft-ietf-opsec-dhcpv6-shield

Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 05 December 2014 10:47 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25F411ACE30; Fri, 5 Dec 2014 02:47:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MVX96HybbyPy; Fri, 5 Dec 2014 02:47:45 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42A2C1A0127; Fri, 5 Dec 2014 02:47:45 -0800 (PST)
Received: from [192.168.131.135] ([80.92.119.109]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0M0QLp-1XiBkN1VYT-00uZJP; Fri, 05 Dec 2014 11:47:22 +0100
Message-ID: <54818D34.4060604@gmx.net>
Date: Fri, 05 Dec 2014 11:47:16 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: secdir@ietf.org, iesg@ietf.org, draft-ietf-opsec-dhcpv6-shield@tools.ietf.org
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="o285e6qjgqlmSCJ1JGN465RmXgPiRggsh"
X-Provags-ID: V03:K0:fkkt8/qZkhVnfg8lYcwq3AoYdNSFqAyjHszZLGairEyNZmAynVx oRQpyYG3ONga+6YD4rZPds40ExOR/CR6hwLqfAVjoxYlG4zyav81SHDVF5l8PTa0YDdBdpm t0smcgRRxrduinY3vcQcFykMGzkHqIVCikaPuwl0Zz6An+gNBgA/EyqVp9Ij017+D4a+9h3 6Fq8+HnG2oWIZhq/LQRmA==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/gkgM_hmX_zK7-F3RAUSklC2twzg
Subject: [secdir] SecDir Review of draft-ietf-opsec-dhcpv6-shield
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Dec 2014 10:47:47 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This document specifies packet filtering criterion so that DHCPv6-server
messages are discarded by the layer-2 device unless they are received
on a specific (previously configured) ports of the layer-2 device.

The document is well-written and I don't see any problems with the
write-up. While specifying packet filtering firewall rules is an
implementation / configuration dependent task that does not require
standardization as such this work follows earlier patterns, namely
the RA-Guard mechanism for the protection against rogue router
advertisements.

The only question I have whether the document type (currently set to
'Best Current Practice') is appropriate.

Ciao
Hannes

PS: Minor editorial nit:

"
Finally, we note that the security of a site employing DHCPv6 Shield
   could be further improved by deploying [I-D.ietf-savi-dhcp], to
   mitigate IPv6 address. spoofing attacks.
                       ^^^
"