Re: [v6ops] Asking for a review of draft-ietf-opsec-v6-08

["Eric Vyncke (evyncke)" <evyncke@cisco.com>]

Markus

Thanks very much for your review, I know it takes time to do.

I have accepted most of them except those marked with EVY>>

Thanks again and see you in Berlin, your ::1 ;-)

-éric


From: Markus deBruen <linkedin@xn--debrn-nva.de<mailto:linkedin@xn--debrn-nva.de>>
Date: Wednesday 15 June 2016 at 07:04
To: Eric Vyncke <evyncke@cisco.com<mailto:evyncke@cisco.com>>
Cc: "opsec@ietf.org<mailto:opsec@ietf.org>" <opsec@ietf.org<mailto:opsec@ietf.org>>, "v6ops@ietf.org<mailto:v6ops@ietf.org>" <v6ops@ietf.org<mailto:v6ops@ietf.org>>, Fred Baker <fred@cisco.com<mailto:fred@cisco.com>>, "fgont@si6networks.com<mailto:fgont@si6networks.com>" <fgont@si6networks.com<mailto:fgont@si6networks.com>>, "Howard, Lee" <lee.howard@twcable.com<mailto:lee.howard@twcable.com>>, "draft-ietf-opsec-v6@ietf.org<mailto:draft-ietf-opsec-v6@ietf.org>" <draft-ietf-opsec-v6@ietf.org<mailto:draft-ietf-opsec-v6@ietf.org>>
Subject: Aw: Asking for a review of draft-ietf-opsec-v6-08

Hi Eric,

the draft is very well written and contains useful guidance/recommendations. Sections 2.4 and 2.5 do not contain much IPv6-specific information and sections 2.7.2.* do not give much guidance. However, these three sections together amount to ~11 pages (1/3 of the document). If you could shorten these sections, the document would become more manageable.

EVY>> hum good idea: we the authors also feel that the overall text could be improved in the form (keeping the content), alas, we also lack time to redo much of it... (see my reply 4 weeks after your review!)

Some minor comments and nits:
2.1.2
"... The latter would be problematic."
I suspect by "latter" you mean NPTv6. Better make that explicit.

EVY>> actually, we meant that IPv6 NAPT is problematic regarding logging... Thanks



"A typical argument is that there are too many mistakes made with filters and
ULAs make things easier to hide machines."
Why "to hide machienes"? I would suggest "to set filters".

2.1.4
"... privacy extension addresses should be used"
Punctuation mark is missing.

2.2
still TBD

EVY>> argh indeed, cannot fix it in -09, so, a -10 is to be expected

2.3.2
"... for protecting hosts connected against..."
"Connected hosts" maybe!?

2.3.4
"RFC6980 [RFC6980] aims to update RFC4861 [RFC4861]"
"[RFC6980] updates [RFC4861]"

EVY>>> time flies... The original sentence was written when RFC 6980 was still a draft...


2.7.2
"embeb" -> embed

2.7.2.4
"... operational problems"
Punctuation mark is missing.

EVY>> Sigh... Working in XML does not help :-( Thanks



2.7.2.8
The second "MAP-E" should be "MAP-T".

2.8
"device to authenticated" -> "device authenticated"

EVY>> ??? We wanted to say that only authenticated and authorised user can manage the devices (changed the text to "authorised users" as authorisation requires authentication)



3.1
"bogon and reserved space"
Some links might be helpful (e.g. to IANA).

5
"[RFC7084] (which obsoletes [RFC6204]"
Missing ")"

"[RFC7084] states that a clear choice must be given to the user to select one
of those two policies."
Does it? I did not find the corresponding passage.

EVY>> good catch, it is REC-49 of RFC 6092


Throughout the document there are some "IPV6", "DOS" and " ", which should be
replaced with "IPv6", "DoS" and " ".

I hope these comments are helpful.

Cheers,
Markus



---- Ein Mi, 15 Jun 2016 12:50:29 +0200 Eric Vyncke (evyncke)<evyncke@cisco.com<mailto:evyncke@cisco.com>> hat geschrieben ----
The authors (and OPSEC WG chairs) would really appreciate if a review of https://tools.ietf.org/html/draft-ietf-opsec-v6-08 is done in the coming days/weeks (in time to submit a -09 in case it needs to be amended).

This I-D is about the operation security considerations when operating an IPv6 network (both as Service Provider and enterprise/subscriber).

Thanks a lot in advance for your review and be sure to include opsec@ietf.org<mailto:opsec@ietf.org> in your reply.

- the authors (Merike, KK and Eric)
- the chairmen (Gunter and Eric)

PS: Markus, Fred, Fernando and Lee, as you kindly volunteered to review it during IETF-95, I also put your names ;-)