Re: [secdir] SecDir Review of draft-ietf-opsec-dhcpv6-shield

Fernando Gont <fgont@si6networks.com> Fri, 05 December 2014 12:36 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE6691ACE3F; Fri, 5 Dec 2014 04:36:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FvQ0qQ8P_9bH; Fri, 5 Dec 2014 04:36:48 -0800 (PST)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E4271ACE57; Fri, 5 Dec 2014 04:36:48 -0800 (PST)
Received: from 248-241-235-201.fibertel.com.ar ([201.235.241.248] helo=[192.168.3.107]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.84) (envelope-from <fgont@si6networks.com>) id 1Xws7l-0004Xf-2X; Fri, 05 Dec 2014 13:36:41 +0100
Message-ID: <5481A448.8090805@si6networks.com>
Date: Fri, 05 Dec 2014 09:25:44 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, secdir@ietf.org, iesg@ietf.org, draft-ietf-opsec-dhcpv6-shield@tools.ietf.org
References: <54818D34.4060604@gmx.net>
In-Reply-To: <54818D34.4060604@gmx.net>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/y4k1PNErYKY2DBbqUMzxWwCj6Mk
Subject: Re: [secdir] SecDir Review of draft-ietf-opsec-dhcpv6-shield
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Dec 2014 12:36:50 -0000

Hi, Hannes,

Thanks so much for your feedback! Please find my comments in-line....

On 12/05/2014 07:47 AM, Hannes Tschofenig wrote:
> 
> The document is well-written and I don't see any problems with the 
> write-up. While specifying packet filtering firewall rules is an 
> implementation / configuration dependent task that does not
> require standardization as such this work follows earlier patterns,
> namely the RA-Guard mechanism for the protection against rogue
> router advertisements.

Other than following earlier patterns, the goal is to avoid
implementation flaws (such as those described in RFC7113.



> The only question I have whether the document type (currently set
> to 'Best Current Practice') is appropriate.

The idea is that this document specifies the best current way of
implementing the filtering rules for such packets




> PS: Minor editorial nit:
> 
> " Finally, we note that the security of a site employing DHCPv6
> Shield could be further improved by deploying [I-D.ietf-savi-dhcp],
> to mitigate IPv6 address. spoofing attacks. ^^^ "

Will do.

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492