Hi, <SAVI WG co-chair hat on> >From my point of view, this document doesn't compete with SAVI works (i.e., SAVI goals are to prevent IP address spoofing, using address assignment/management protocols signaling).
Now, with DHCP SAVI (cf. https://datatracker.ietf.org/doc/draft-ietf-savi-dhcp/), we have the same feature, but with less details (i.e., process to identify a DHCPv6 message is not described in DHCP SAVI). As I already told during OPSEC meetings, DHCP Shield may be necessary in environment where DHCP SAVI is not deployed. Moreover, DHCP SAVI may use the process described in this document when performing DHCP signaling filtering. <SAVI WG co-chair hat off> <IETF guy hat on> Unlike RA Guard, which only provides a mitigation (i.e., if you want a strong security, SEND is the right solution), there is a real need for DHCP Shield because, IMHO, there is no strong security for DHCP signaling today (PSK based security, currently specified, is not usable from a scalability point of view and CGA based security needs that DHCP clients must know the DHCP servers' IP unicast addresses). So, I support the adoption of this document as WG document. <IETF guy hat off> Best regards. JMC. 2012/11/27 Gunter Van de Velde (gvandeve) <[email protected]>: > Hi folks, > > > > During IETF85 meeting this draft was found useful as WG document by the > OPSEC WG. > > > > This is a call for WG adoption of this work. Please voice your comments in > OPSEC WG email alias. > > > > Latest document: > http://datatracker.ietf.org/doc/draft-gont-opsec-dhcpv6-shield/ > > > > Kind Regards, > > OPSEC chairs > > > _______________________________________________ > OPSEC mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/opsec > _______________________________________________ OPSEC mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsec
