Re: [v6ops] Revised I-D: Advice on RA-Guard Implementation

Fernando Gont <fgont@si6networks.com> Mon, 09 January 2012 09:59 UTC

Message-ID: <4F0A4D7F.6000101@si6networks.com>
Date: Sun, 08 Jan 2012 23:14:23 -0300
From: Fernando Gont <fgont@si6networks.com>
Organization: SI6 Networks
To: Simon Perreault <simon.perreault@viagenie.ca>
References: <4F04F5CA.6010802@si6networks.com> <4F05AA98.4090400@viagenie.ca>
In-Reply-To: <4F05AA98.4090400@viagenie.ca>
Cc: v6ops@ietf.org

Hi, Simon,

Thanks so much for your feedback! Please find my comments in-line...

On 01/05/2012 10:50 AM, Simon Perreault wrote:
> Fernando Gont wrote, on 01/04/2012 07:58 PM:
>> We've published the IETF I-D "Implementation Advice for IPv6 Router
>> Advertisement Guard (RA-Guard)". It is available at:
>> <http://www.ietf.org/id/draft-gont-v6ops-ra-guard-implementation-00.txt>
> 
> Section 3 (implementation advice) does not explicitly mention fragment handling.
> Is this intentional? Does the advice implicitly apply to fragments? Some
> clarification is needed IMHO.

The second bullet in Section 3 is meant to address fragment-handling:

   o  If the layer-2 device is unable to identify whether the packet is
      an ICMPv6 Router Advertisement message or not (i.e., the packet is
      a fragment, and the necessary information is missing), and the
      IPv6 Source Address of the packet is a link-local address or the
      unspecified address (::), block the packet.

The idea is that non-first fragments are always forwarded,
whereas first fragments are blocked if:

a) We've found that what follows the fragment header is an RA packet, or,

b) this is a first-fragment, and it is missing upper-layer protocol
information.


Please let me know if you still feel that further clarification is
needed. And, if so, whether you feel that an additional bullet should be
added, or whether the aforementioned clarification should be added right
after the bullets (i.e., non-bulleted).

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
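The decision procedure described in the message above (non-first fragments forwarded, first fragments blocked when an RA is found behind the Fragment header or when the upper-layer protocol cannot be identified and the source is link-local or unspecified) can be written down as a small header-chain walker. The following is an added illustration, not code from the I-D or from any RA-Guard implementation; it assumes the frame arrives on an untrusted port, so a packet positively identified as an ICMPv6 Router Advertisement (type 134) is blocked, and it uses constructed sample packets (no checksums, placeholder fragment identification) built with the standard library only.

```python
"""Fragment-aware RA-Guard classification (added illustration, not the I-D's text).

Walks an IPv6 header chain and returns "forward" or "block" following the rules
in the message: non-first fragments are forwarded, an identified Router
Advertisement is blocked, and a first fragment whose upper-layer protocol cannot
be identified is blocked only when the source is link-local or unspecified.
"""
import ipaddress
import struct

IPV6_HDR_LEN = 40
EXT_HDRS_WITH_LEN = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options
FRAGMENT_HDR = 44
ICMPV6 = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134


def _source_is_link_local_or_unspecified(src: bytes) -> bool:
    addr = ipaddress.IPv6Address(src)          # accepts the 16 packed bytes
    return addr.is_link_local or addr.is_unspecified


def ra_guard_decision(packet: bytes) -> str:
    """Return 'forward' or 'block' for one IPv6 packet seen on an untrusted port.

    Assumption (not stated in the quoted text): a packet identified as an RA on
    an untrusted port is blocked; everything else follows the fragment rules.
    """
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        return "forward"                        # not IPv6: out of RA-Guard's scope
    next_header = packet[6]
    src = packet[8:24]
    offset = IPV6_HDR_LEN
    while True:
        if next_header == FRAGMENT_HDR:
            if len(packet) < offset + 8:
                break                           # truncated Fragment header
            frag_offset = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
            if frag_offset != 0:
                return "forward"                # non-first fragment: always forwarded
            next_header = packet[offset]
            offset += 8
        elif next_header in EXT_HDRS_WITH_LEN:
            if len(packet) < offset + 2:
                break
            next_header = packet[offset]
            offset += (packet[offset + 1] + 1) * 8   # Hdr Ext Len is in 8-octet units
            if len(packet) < offset:
                break                           # header continues in a later fragment
        elif next_header == ICMPV6:
            if len(packet) < offset + 1:
                break                           # ICMPv6 Type byte not in this fragment
            icmp_type = packet[offset]
            return "block" if icmp_type == ICMPV6_ROUTER_ADVERTISEMENT else "forward"
        else:
            return "forward"                    # TCP, UDP, ...: cannot be an RA
    # Unable to identify whether this is an RA (second bullet of Section 3):
    # block only if the source is link-local or unspecified.
    return "block" if _source_is_link_local_or_unspecified(src) else "forward"


# --- constructed sample packets (illustration only, checksums not computed) ---

def build_ipv6(src: str, payload: bytes, next_header: int) -> bytes:
    """Minimal IPv6 fixed header (dst ff02::1, hop limit 255) in front of payload."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 255,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address("ff02::1").packed) + payload


def fragment_header(next_header: int, offset: int, more: bool = True,
                    ident: int = 0x1234) -> bytes:
    """Fragment header: Next Header, Reserved, Offset<<3 | M flag, Identification."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


def dest_options_header(next_header: int, length_units: int) -> bytes:
    """Destination Options header filled with one PadN option (placeholder contents)."""
    body_len = (length_units + 1) * 8 - 2
    return bytes([next_header, length_units, 1, body_len - 2]) + b"\x00" * (body_len - 2)


LINK_LOCAL = "fe80::1"
RA_MESSAGE = bytes([ICMPV6_ROUTER_ADVERTISEMENT, 0]) + b"\x00" * 14
# A first fragment that carries only the start of a long Destination Options header,
# so the ICMPv6 header (and its Type byte) would only appear in the second fragment.
TRUNCATED_CHAIN = fragment_header(60, 0) + dest_options_header(ICMPV6, 20)[:16]

SAMPLES = {
    "plain_ra": build_ipv6(LINK_LOCAL, RA_MESSAGE, ICMPV6),
    "first_frag_ra": build_ipv6(LINK_LOCAL, fragment_header(ICMPV6, 0) + RA_MESSAGE, FRAGMENT_HDR),
    "nonfirst_frag": build_ipv6(LINK_LOCAL, fragment_header(ICMPV6, 1) + b"\x00" * 8, FRAGMENT_HDR),
    "first_frag_no_ulp": build_ipv6(LINK_LOCAL, TRUNCATED_CHAIN, FRAGMENT_HDR),
    "first_frag_no_ulp_global": build_ipv6("2001:db8::1", TRUNCATED_CHAIN, FRAGMENT_HDR),
    "echo_request": build_ipv6(LINK_LOCAL, bytes([128, 0]) + b"\x00" * 6, ICMPV6),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:26s} -> {ra_guard_decision(pkt)}")
```

The two `first_frag_no_ulp` samples show the point of the second bullet: the same undecidable first fragment is dropped when it claims a link-local source (the only source an RA may legitimately have) but forwarded when it comes from a global address, so legitimate fragmented traffic from global sources is unaffected.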