Appreciate the review and initial comments....some replies embedded below...
On Oct 6, 2012, at 6:49 AM, Brian E Carpenter wrote:

> Hi,
>
> A few comments. I expect I will have more when the TBD sections are written.
> I am not on the opsec list.
>
>> This document complements [RFC4942] by listing all security issues
>
> That is a remarkable claim ;-). I think you mean
>
> This document complements [RFC4942] by listing all known security issues

Yes, some word smithing still required everywhere since the intent is to give enough input to operators to ensure this document gives definitive guidelines but also points to the RFCs that detail all the specifics. We will edit this section.

>
>> 3.1. External Security Considerations:
> ...
>> o Accept certain ICMPv6 messages to allow proper operation of ND and
>> PMTUD, see also [RFC4890]
>
> This seems a very incomplete summary of the message of RFC 4890, which has
> a full analysis and recommendations. In fact (IMHO) it should be a BCP,
> since the correct behaviour is required for connectivity to work.

Will add some wording here as well to be a bit more complete.

>
>> o Filter specific extension headers, where possible
>
> Please consider citing draft-carpenter-6man-ext-transmit, which discusses
> what firewalls need to do about extension headers.
>
> Also - why doesn't this section refer to RFC 4864, which is largely about
> external security considerations?

Probably simply an oversight which I'm happy you have pointed out. Will look into this.

>
>> 5. Residential Users Security Considerations
> ...
>> If the Residential Gateway has IPv6 connectivity, [RFC6204] defines
>> the requirements of an IPv6 CPE
>
> Please update to 6204bis.

Yes.

- merike

>
> Regards
> Brian Carpenter
