Hi, Simon,

Thanks so much for your feedback! Please find my comments inline....

On 12/17/2012 10:28 PM, Simon Eng wrote:
> Hi,
>
> If I am not wrong, the 3 key parts for
> draft-ietf-opsec-ipv6-implications-on-ipv4-nets-01 are:
>
> Section 1 Introduction/Problem Statement
> Section 2 Filtering Native IPv6
> Section 3 Filtering Transition
>
> Hence, from Wes's suggestion, DNS filtering should be added (maybe
> Section 3??).

Wes's suggestion seems to be to do DNS AAAA filtering *when* you do native/transition traffic filtering...

> Another scenario to consider for DNS is a malicious host
> on the IPv4 network acting as an IPv6 Router-cum-DNS64 => spoof DNS AAAA
> replies so that dual-stack hosts will route IPv6 traffic to malicious
> host => Man-In-Middle attack??

Yep. This should probably be added to the intro -- if it's not already there....

> In Section 2, only DHCPv6 & RA are mentioned. I'd like to suggest
> filtering of ICMPv6 too.

You mean ICMPv6 errors, or what?

Thanks!

Best regards,
--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
