Hello,

In Section 5, bullet #1, I see:

   RATIONALE: [RFC6564] specifies a uniform format for IPv6 Extension Headers, thus meaning that an IPv6 node can parse an IPv6 header chain even if it contains Extension Headers that are not currently supported by that node.

Actually, it's NOT possible for a node to safely parse an IPv6 header chain containing Next Header values that it does not know, even with the uniform TLV format for IPv6 extension headers defined in RFC 6564. The reason for that is because an unknown Next Header value could represent an upper-layer protocol rather than an extension header, so it's not safe to attempt to follow the header chain any further.

The same issue affects draft-ietf-v6ops-ra-guard-implementation-07. Whatever solution applies to that document also applies to this one. Since ra-guard is in AUTH48 it's rather more urgent to get it fixed, so I suggest that those interested in this matter follow the discussion thread regarding that doc that I will start on the v6ops list shortly.

Thanks and regards,

Mike Heard

On Mon, 21 Oct 2013, [email protected] wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Operational Security Capabilities for IP
> Network Infrastructure Working Group of the IETF.
>
> Title : DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers
> Author(s) : Fernando Gont
>             Will Liu
>             Gunter Van de Velde
> Filename : draft-ietf-opsec-dhcpv6-shield-01.txt
> Pages : 9
> Date : 2013-10-21
>
> Abstract:
> This document specifies a mechanism for protecting hosts connected to
> a broadcast network against rogue DHCPv6 servers. The aforementioned
> mechanism is based on DHCPv6 packet-filtering at the layer-2 device
> at which the packets are received. The aforementioned mechanism has
> been widely deployed in IPv4 networks ('DHCP snooping'), and hence it
> is desirable that similar functionality be provided for IPv6
> networks.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-opsec-dhcpv6-shield
>
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-opsec-dhcpv6-shield-01
>
> A diff from the previous version is available at:
> http://www.ietf.org/rfcdiff?url2=draft-ietf-opsec-dhcpv6-shield-01
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
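The parsing ambiguity raised in the message above, as an added example that is not part of the original e-mail or of either draft: a header-chain walker that stops at an unrecognised Next Header value, next to the unsafe reading that treats every unrecognised value as an RFC 6564-format extension header. The function names, the `assume_rfc6564` switch and the sample bytes are assumptions made for illustration.

```python
import struct

# Headers this example knows how to step over (IANA protocol numbers).
EXT_TLV = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options
FRAGMENT = 44           # Fragment header, fixed 8 bytes
UPPER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "NoNextHeader"}


def walk_chain(next_header, payload, assume_rfc6564=False):
    """Follow the chain that starts right after the fixed IPv6 header.

    Returns (status, protocol_number, offset); status is "upper",
    "unknown" or "truncated", offset is where that header starts.
    assume_rfc6564=True is the unsafe reading: any unrecognised Next
    Header value is stepped over as an RFC 6564-format extension header.
    """
    off = 0
    while True:
        if next_header in UPPER:
            return ("upper", next_header, off)
        known_ext = next_header in EXT_TLV or next_header == FRAGMENT
        if not known_ext and not assume_rfc6564:
            return ("unknown", next_header, off)  # cannot go further safely
        if off + 8 > len(payload):
            return ("truncated", next_header, off)
        length = 8 if next_header == FRAGMENT else (payload[off + 1] + 1) * 8
        if off + length > len(payload):
            return ("truncated", next_header, off)
        next_header, off = payload[off], off + length


def udp_ports(payload, off):
    """Source and destination port of a UDP header at offset off."""
    return struct.unpack_from("!HH", payload, off)


# Constructed sample: 8 bytes laid out like an RFC 6564 header (Next Header=17,
# Hdr Ext Len=0, padding), then a UDP header with ports 547 -> 546 (DHCPv6).
# The same 16 bytes are equally valid as the payload of an upper-layer
# protocol numbered 253, so nothing in the packet tells the two cases apart.
BODY = bytes([17, 0, 0, 0, 0, 0, 0, 0]) + struct.pack("!HHHH", 547, 546, 8, 0)
UNKNOWN_NH = 253  # experimentation value, unknown to this parser


def demo():
    naive = walk_chain(UNKNOWN_NH, BODY, assume_rfc6564=True)
    safe = walk_chain(UNKNOWN_NH, BODY)
    return naive, udp_ports(BODY, naive[2]), safe
```

The unsafe reading reports a DHCPv6 server packet on the strength of bytes it had no basis to interpret; the safe walker only reports that it reached protocol 253 and leaves the policy decision to the caller.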
