Fernando,

        Some comments.

        Minor, typos, etc.

        I think you missed the reference to RFC 6105; this is the same problem 
with the reference as in 
http://tools.ietf.org/id/draft-gont-v6ops-ra-guard-evasion-00.txt

        Maybe it is just me and the excess of caffeine, but the third paragraph 
of section 1 is a bit long and hard to understand. I would recommend some 
rephrasing. 

        Other:

        In section 2, I think it has to be a MUST instead of SHOULD.

        In section 3, I think you should add a paragraph saying that even with 
the filtering rules described in 
http://tools.ietf.org/id/draft-gont-v6ops-ra-guard-evasion-00.txt there is an 
important cost in complexity and performance for devices performing those 
filters (l2-switches, IDS/IPS/FWS, etc.)

Regards,
-as



On 1 Jun 2011, at 00:59, Fernando Gont wrote:

> Folks,
> 
> I have just published a new Internet-Draft
> (draft-gont-6man-nd-extension-headers) entitled "Security Implications
> of the Use of IPv6 Extension Headers with IPv6 Neighbor Discovery".
> 
> The I-D is available at:
> http://tools.ietf.org/id/draft-gont-6man-nd-extension-headers-00.txt
> 
> The Abstract of the I-D is:
> ---- cut here ----
>   IPv6 Extension Headers with Neighbor Discovery messages can be
>   leveraged to circumvent simple local network protections, such as
>   "Router Advertisement Guard".  Since there is no legitimate use for
>   IPv6 Extension Headers in Neighbor Discovery messages, and such use
>   greatly complicates network monitoring and simple security
>   mitigations such as RA-Guard, this document proposes that hosts
>   silently ignore Neighbor Discovery messages that use IPv6 Extension
>   Headers.
> ---- cut here ----
> 
> Note: A closely related (and just published) I-D is
> draft-gont-v6ops-ra-guard-evasion-00, which is aimed at the v6ops wg
> (rather than 6man).
> 
> Any comments on any of these I-Ds will be very welcome.
> 
> Thanks!
> 
> Best regards,
> -- 
> Fernando Gont
> e-mail: [email protected] || [email protected]
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
> 
> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> [email protected]
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
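
The host-side rule proposed in the quoted abstract (silently ignore Neighbor Discovery messages that arrive with IPv6 Extension Headers), shown as an added example that is not part of this thread or of the I-D. The function name, return labels and sample packets are constructed for illustration, and only the Hop-by-Hop, Routing, Fragment and Destination Options headers are walked.

```python
import struct

EXT_HEADERS = {0, 43, 44, 60}         # Hop-by-Hop, Routing, Fragment, Dest. Options
ICMPV6 = 58
ND_TYPES = {133, 134, 135, 136, 137}  # RS, RA, NS, NA, Redirect (RFC 4861)

def classify(packet: bytes) -> str:
    """Classify a raw IPv6 packet as seen by the receiving host."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "not-nd"
    next_header, offset, ext_seen = packet[6], 40, False
    while next_header in EXT_HEADERS:
        if offset + 8 > len(packet):
            return "malformed"            # header chain runs past the packet
        ext_seen = True
        if next_header == 44:             # Fragment header: fixed 8 bytes
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return "undetermined"     # non-first fragment: no upper-layer header
            hdr_len = 8
        else:                             # length in 8-byte units, not counting the first 8
            hdr_len = (packet[offset + 1] + 1) * 8
        next_header = packet[offset]
        offset += hdr_len
    if next_header != ICMPV6 or offset >= len(packet):
        return "not-nd"
    if packet[offset] not in ND_TYPES:
        return "not-nd"
    # ND message: ignore it if any extension header preceded it.
    return "drop" if ext_seen else "accept"

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed sample packet fe80::1 -> ff02::1, hop limit 255."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + src + dst + payload

# Constructed samples (checksums left at zero; classify() does not verify them).
RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
DESTOPT = bytes([58, 0, 1, 4, 0, 0, 0, 0])     # next header ICMPv6, PadN padding
FRAG_FIRST = bytes([58, 0, 0, 0, 0, 0, 0, 1])  # fragment offset 0, id 1

if __name__ == "__main__":
    for name, pkt in [("plain RA", ipv6(58, RA)),
                      ("RA behind Destination Options", ipv6(60, DESTOPT + RA)),
                      ("RA behind Fragment header", ipv6(44, FRAG_FIRST + RA))]:
        print(f"{name}: {classify(pkt)}")
```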
