Closing the loop on this Gen-ART review. Thanks again Suresh for reviewing.
Thumb typed by Carlos Pignataro.
Excuze typofraphicak errows

Begin forwarded message:

From: Suresh Krishnan <[email protected]>
Date: November 18, 2013 at 4:12:19 PM EST
To: "Carlos Pignataro (cpignata)" <[email protected]>, RJ Atkinson <[email protected]>
Cc: Fernando Gont <[email protected]>
Subject: Re: Gen-ART Telechat review of draft-ietf-opsec-ip-options-filtering-05.txt

Hi Carlos/Ran,

This text looks good to me. Thanks for taking care of this quickly.

Regards
Suresh

On 11/18/2013 10:21 AM, Carlos Pignataro (cpignata) wrote:

Looks good, thank you Ran. I will incorporate this in our live copy.

Suresh, any concerns?

Thanks,

-- Carlos.

On Nov 18, 2013, at 10:07 AM, RJ Atkinson <[email protected]> wrote:

On 18 Nov 2013, at 09:41 , Carlos Pignataro (cpignata) wrote:

Here's the complete proposal for the complete Section 4.12.5 (and equivalent for 4.13.5). Does this work? Please let me know and I can incorporate:

A lightly edited version follows -- edited mainly to reduce redundant/duplicative text and to retain phrasing "because the IP packet contains this option" that was added in an earlier round of review.

---
4.12.5. Advice

A given IP router, security gateway, or firewall has no way to know a priori what environment it has been deployed into. Even closed IP deployments generally use exactly the same commercial routers, security gateways, and firewalls that are used in the public Internet.

Since operational problems result in environments where this option is needed if either the option is dropped or IP packets containing this option are dropped, but no harm results if the option is carried in environments where it is not needed, the default configuration SHOULD NOT (a) modify or remove this IP option or (b) drop an IP packet because the IP packet contains this option.

A given IP router, security gateway, or firewall MAY be configured to drop this option or to drop IP packets containing this option in an environment known to not use this option.

For auditing reasons, Routers, security gateways, and firewalls SHOULD be capable of logging the numbers of packets containing the BSO on a per-interface basis. Also, Routers, security gateways, and firewalls SHOULD be capable of dropping packets based on the BSO presence as well as the BSO values.
---

Similar text, edited to reflect "ESO" rather than "BSO", should replace the existing advice about the IPSO ESO.

Cheers,

Ran
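The behaviour the proposed Section 4.12.5 text asks for, as an added example that is not part of the thread or the draft: a packet check that by default forwards packets carrying the BSO untouched, counts them per interface, and drops only when explicitly configured to, on presence or on classification value. The option type (130) and the position of the classification-level octet are taken from RFC 1108; `BsoPolicy`, `ipv4_options` and `sample_packet` are hypothetical names, and the sample headers are constructed.

```python
from collections import Counter

BSO = 130  # IPSO Basic Security Option type (RFC 1108)

def ipv4_options(packet: bytes):
    """Yield (type, data) for each option in an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad header length")
    i = 20
    while i < ihl:
        opt = packet[i]
        if opt == 0:              # End of Option List
            return
        if opt == 1:              # No-Operation, single octet
            i += 1
            continue
        if i + 1 >= ihl or packet[i + 1] < 2 or i + packet[i + 1] > ihl:
            raise ValueError("malformed option length")
        length = packet[i + 1]
        yield opt, packet[i + 2:i + length]
        i += length

class BsoPolicy:
    def __init__(self, drop_on_presence=False, drop_levels=()):
        self.drop_on_presence = drop_on_presence  # default: do not drop
        self.drop_levels = set(drop_levels)       # classification octets to drop
        self.seen = Counter()                     # packets with BSO, per interface

    def check(self, iface: str, packet: bytes) -> str:
        """Return 'forward' or 'drop'; the packet itself is never modified."""
        for opt, data in ipv4_options(packet):
            if opt != BSO:
                continue
            self.seen[iface] += 1
            level = data[0] if data else None     # classification-level octet
            if self.drop_on_presence or level in self.drop_levels:
                return "drop"
            break
        return "forward"

def sample_packet(options: bytes) -> bytes:
    """Constructed IPv4 header (checksum left zero) carrying the given options."""
    options += b"\x00" * (-len(options) % 4)      # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = bytes([0x40 | ihl, 0, 0, 20 + len(options), 0, 0, 0, 0, 64, 17, 0, 0])
    return hdr + bytes([192, 0, 2, 1, 192, 0, 2, 2]) + options
```

A header with a malformed option list raises `ValueError` rather than being classified, so the caller decides how to treat it.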
