Hi,
A few comments. I expect I will have more when the TBD sections are written.
I am not on the opsec list.
> This document complements [RFC4942] by listing all security issues
That is a remarkable claim ;-). I think you mean
This document complements [RFC4942] by listing all known security issues
> 3.1. External Security Considerations:
...
> o Accept certain ICMPv6 messages to allow proper operation of ND and
> PMTUD, see also [RFC4890]
This seems a very incomplete summary of the message of RFC 4890, which has
a full analysis and recommendations. In fact (IMHO) it should be a BCP,
since the correct behaviour is required for connectivity to work.
> o Filter specific extension headers, where possible
Please consider citing draft-carpenter-6man-ext-transmit, which discusses
what firewalls need to do about extension headers.
Also - why doesn't this section refer to RFC 4864, which is largely about
external security considerations?
> 5. Residential Users Security Considerations
...
> If the Residential Gateway has IPv6 connectivity, [RFC6204] defines
> the requirements of an IPv6 CPE
Please update to 6204bis.
Regards
Brian Carpenter