Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt>
RJ Atkinson <rja.lists@gmail.com> Fri, 08 June 2012 16:37 UTC
Return-Path: <rja.lists@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DA1721F890B for <v6ops@ietfa.amsl.com>; Fri, 8 Jun 2012 09:37:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.235
X-Spam-Level:
X-Spam-Status: No, score=-3.235 tagged_above=-999 required=5 tests=[AWL=-0.236, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZnlZhO8puSTt for <v6ops@ietfa.amsl.com>; Fri, 8 Jun 2012 09:37:26 -0700 (PDT)
Received: from mail-vb0-f44.google.com (mail-vb0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id D476521F8904 for <v6ops@ietf.org>; Fri, 8 Jun 2012 09:37:25 -0700 (PDT)
Received: by vbbez10 with SMTP id ez10so1330225vbb.31 for <v6ops@ietf.org>; Fri, 08 Jun 2012 09:37:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:content-transfer-encoding:subject:date:message-id :to:mime-version:x-mailer; bh=TLXIwx9qxX2tbqxF78B8QPC9OCVk2qFDmZDil0wZXww=; b=1Dm+rvdQRwUHKSRl6ElXolWCaEqXpEhMDeE4rFWKibjPlGDVvsatPjpKMZi9iD5hm+ e+9hf4edTmnOlAUphfwtGpygt+5wXCzHgD2jILylNvd8E0LrXoM+zvVCEJ+HKTid0zCV Fix32KuSjHDcnMOyC2Y2Efloxe9KgMv6Iqju/lJ0hHT+ySVwbsz2esmjMC5raOUdvNNE kEIppn2Hk4dwbiNSbNMedeD8n2A+ePalpGambPlRmicLV5Wd63KASM0857rQ9sjWUBna T0HLOWRXXPs4MiN8gWzd3Vnc1lSb1s9b5J2uVIXy8vHCZnKvKZ4t4kc5TntDTsDhUtcc Szrw==
Received: by 10.52.21.177 with SMTP id w17mr5879437vde.98.1339173445250; Fri, 08 Jun 2012 09:37:25 -0700 (PDT)
Received: from [10.30.20.11] (pool-96-225-134-175.nrflva.fios.verizon.net. [96.225.134.175]) by mx.google.com with ESMTPS id c17sm10480960vdj.11.2012.06.08.09.37.22 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 08 Jun 2012 09:37:23 -0700 (PDT)
From: RJ Atkinson <rja.lists@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Date: Fri, 08 Jun 2012 12:37:21 -0400
Message-Id: <1808D6C4-0207-4163-B364-7329C6D2572D@gmail.com>
To: v6ops@ietf.org
Mime-Version: 1.0 (Apple Message framework v1278)
X-Mailer: Apple Mail (2.1278)
Subject: Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt>
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jun 2012 16:37:26 -0000
At this point, my understanding is that Fernando has agreed
to make some edits to draft-ietf-v6ops-ra-guard-implementation
to resolve the concerns raised on the v6ops list.
These edits include at least:
-- adding the 2 IPv6 specification update I-Ds as normative references,
draft-gont-6man-nd-extension-headers and also
draft-gont-6man-oversized-header-chain, so that the IETF avoids
recommending that RA Guard implementers violate the IETF IPv6
specifications.
-- updating the Security Considerations as discussed on v6ops,
and to note the potential that deploying the RA Guard can
create a new DoS attack vector (e.g. on the RA Guard itself).
-- editing the RA Guard text to improve the crispness/clarity
of the implementation requirements & also eliminating the
situation where an RA Guard would drop a valid IPv6 packet
(example: RA Guard MUST parse the packet's whole IPv6 header chain,
thereby eliminating the situation where a correct RA Guard
implementation might not know whether a packet is valid or not)
For my part, I hope the 6MAN WG will approve the 2 specification
updates in the first item listed above, and undertake that soon.
(I don't expect the proposed updates will be controversial in 6MAN,
but often I am confused.)
I'm unclear whether text specific to the SEND situation might be
added or not, but it might well be sensible to add some text,
since SEND is cryptographically authenticated (so forged RAs
would be dropped by recipients as "authentication failed").
Yours,
Ran