On 06/05/2011 12:10 AM, John Leslie wrote:
>> I think we'd like to respond to them that that's great,
>> and we'll be interested in their results, but can they
>> *please* come back to us before saying something should
>> be changed so's we can talk about it.
>
> I don't think that's quite right. We should welcome their studying
> security issues; but I think we need to _strongly_ encourage them to
> start from draft-ietf-6man-node-req-bis when it becomes an RFC -- since
> it has _significant_ changes from RFC 4294 (and an ITU-T study based
> on RFC4294 will be of rather limited value).

While I have not read the latest version of the aforementioned I-D, I don't think it addresses (nor should it) the security implications of IPv6.

As a simple example, while there has been some work on the security implications of transition/co-existence technologies, I don't think there have been e.g. best practices published on e.g. how to filter them (in those environments in which the use of technologies such as Teredo is undesirable). Additionally, I don't think there has been much work on which tools could be used (and how) to perform network monitoring (e.g., use NDPMon to monitor ND-based attacks).

> Clearly, ITU-T is entirely justified in publishing recommendations
> of what level of security-related-trust to place in IPv6 packet
> forwarding: but any protocol _changes_ are outside their bailiwick.

Agreed. However (and with no clue about what ITU-T is planning to work on) I guess there's room for recommendations on what stuff to filter, specific features that should be enabled/disabled, etc.

> (As an aside, IETF should resist most proposals for change until
> IPv6 sees widespread deployment -- deploying to a moving target is
> just TOO risky.)

While I do see some value in this point (and I'm aware there are many that share this point of view), I think this argument does not necessarily apply to security. If a flaw is identified, and there's a concrete proposal to mitigate it, I don't think it would be a good idea to resist *this* type of change/update.

Thanks!

Best regards,
--
Fernando Gont
e-mail: [email protected] || [email protected]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
