Warren,

On Jul 14, 2013, at 9:34 AM, Warren Kumari <[email protected]> wrote:

> 
> On Jul 9, 2013, at 11:58 AM, Carlos Pignataro (cpignata) <[email protected]> 
> wrote:
> 
>> WG,
>> 
>> I just posted a new revision, intended to address all WGLC comments on this 
>> document.
> 
> <chair hat>
> 
> Thank you. 
> 
> We have discussed this and judge there to be consensus to progress this.

Thanks. All the WGLC comments were resolved with revision -04 posted on July 
11th.

Do you have a target for when the doc will be sent to the IESG?

-- Carlos.

> 
> We would also like to apologize for how long it took to complete this WGLC, 
> and thank the authors (and WG) for their patience. We have / will be making 
> some changes to streamline things, and hopefully prevent long delays in the 
> future.
> 
> 
> W
> </chair hat>
> 
>> 
>> You can find it at 
>> http://tools.ietf.org/html/draft-ietf-opsec-ip-options-filtering-03.
>> You can also find diffs from the previous version at 
>> http://www.ietf.org/rfcdiff?url2=draft-ietf-opsec-ip-options-filtering-03
>> 
>> This new revision incorporates resolution to all comments, especially from 
>> Arturo and Merike, as well as the text below. It also incorporates a number 
>> of editorial (typographical, grammar) fixes. Hopefully we have not missed 
>> anything.
>> 
>> Please review.
>> 
>> Thanks!
>> 
>> -- Carlos.
>> 
>> On Jul 9, 2013, at 10:27 AM, RJ Atkinson <[email protected]> wrote:
>> 
>>> All,
>>> 
>>> Here is some candidate text to replace the indented text
>>> in Sections 4.12.2 & 4.13.2, leveraging Merike's suggested 
>>> introduction, and restoring (with minor edits) the previous 
>>> language:
>>> 
>>>     Some private IP networks consider IP router-based
>>>     per-interface selective filtering of packets based 
>>>     on (a) the presence of an IPSO option (including BSO 
>>>     and ESO) and (b) based on the contents of that IPSO 
>>>     option to be important for operational security reasons.
>>>     The recent IPv6 CALIPSO option specification discusses
>>>     this in additional detail, albeit in an IPv6 context. 
>>>     [RFC5570]
>>> 
>>>     Such private IP networks commonly are built using both
>>>     commercial and open-source products - for hosts, guards,
>>>     firewalls, switches, routers, etc.  Some commercial IP
>>>     routers support this option, as do some IP routers which 
>>>     are built on top of Multi-Level Secure (MLS) operating 
>>>     systems (e.g. on top of Trusted Solaris [Solaris2008] or 
>>>     Security-Enhanced Linux [SELinux2008]).
>>> 
>>>     For example, many Cisco routers that run Cisco IOS include 
>>>     support for selectively filtering packets that contain the
>>>     IP Security Options (IPSO) with per-interface granularity.  
>>>     This capability has been present in many Cisco routers 
>>>     since the early 1990s [Cisco-IPSO-Cmds].  Some government 
>>>     sector products reportedly also support the IP Security 
>>>     Options (IPSO), for example CANEWARE [RFC4949].  
>>> 
>>>     Support for the IPSO Basic Security Option also is 
>>>     included in the "IPsec Configuration Policy Information 
>>>     Model" [RFC3585] and in the "IPsec Security Policy 
>>>     Database Configuration MIB" [RFC4807].  Section 4.6.1
>>>     of the IP Security Domain of Interpretation [RFC2407]
>>>     includes support for labeled IPsec security associations
>>>     compatible with the IP Security Options.
>>> 
>>> I'm greatly obliged to Merike for her suggested text, 
>>> which is included in the proposed revised text above,
>>> and to Arturo for agreeing that an edited version of 
>>> the original text could be retained in this document.
>>> 
>>> 
>>> Yours,
>>> 
>>> Ran Atkinson
>>> 
>>> 
>>> _______________________________________________
>>> OPSEC mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/opsec
>> 
>> _______________________________________________
>> OPSEC mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/opsec
>> 
> 
> --
> "Build a man a fire, and he'll be warm for a day. Set a man on fire, and 
> he'll be warm for the rest of his life." -- Terry Pratchett
> 
> 
> _______________________________________________
> OPSEC mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/opsec

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec

Reply via email to