KK, Gunter, Fernando & Will, I have reviewed the document and here are my comments (some cosmetic):
* Section 1: "on a specified port of the layer-2 device" => "on specific port(s) of the layer-2 device" (plural form)
* Section 1: "Only those ports to which a DHCPv6 server" => "Only those ports to which a DHCPv6 server or relay" (relays should be allowed as well)
* Section 3: not sure whether it is relevant here; this is well-known and accepted terminology. I am always uneasy when information is duplicated, as it is an open door for inconsistency
* Section 3: should define what a 'DHCP shield device' is
* Section 5: I do not agree with point 1): if the specific platform cannot handle a long ext header chain, it should be allowed to drop the packet (the MUST NOT should be SHOULD NOT or even a MAY — reversing the proposed policy). Of course, such platforms cannot claim compatibility with DHCP-shield
* Section 5: "SHOULD be logged in an implementation-specific manner as security fault" => "security alert" or "security event"
* Section 7: the whole I-D only handles the physical/wired switched case, while in the introduction it is stated to be a 'broadcast network'. The security section and/or introduction should mention this.
* Section 7: should also mention other DHCP-related threats? Such as DoS attacks against DHCP servers? Amplification/reflection attacks? Of course, the mitigation techniques are out of scope, but I think that the threats should be mentioned
* Add a reference to SAVI-DHCP?

Else, good document, pretty much like the well-known rogue DHCPv4

-éric

From: Kiran Kumar Chittimaneni <[email protected]>
Date: Sunday 11 May 2014 05:12
To: "[email protected]" <[email protected]>
Subject: [OPSEC] Progressing draft-ietf-opsec-dhcpv6-shield

Dear Opsec WG,

The WGLC for this draft technically ended last month with just one response received. Not enough to move forward. The co-chairs chatted about this and noted that there was a lot more support for this doc during earlier stages.

Given that, we'd like to give the WG a bit more time to review this and extend the LC to the 24th of May. Ideally, we'd like to get at least two volunteers who could do a thorough review of this doc and post their comments to the list.

The draft is available here: https://datatracker.ietf.org/doc/draft-ietf-opsec-dhcpv6-shield/ <https://datatracker.ietf.org/doc/draft-ietf-opsec-ip-options-filtering/>

Please read it now and report to the list whether you support publication or not. Insufficient responses will be taken as an indication of lack of interest and we'll stop from proceeding further.

Regards,
KK (as Opsec WG co-chair)
_______________________________________________ OPSEC mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsec
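The filtering behaviour the review above discusses (dropping DHCPv6 server-to-client messages on non-allowed switch ports, the Section 5 question of what to do with an extension-header chain the device cannot follow, and logging the drop as a security event), as an added Python example that is neither the draft's text nor code from anyone in this thread. The port names, the MAX_CHAIN limit, the drop_unparseable switch (which models the MUST NOT versus SHOULD NOT/MAY policy choice) and the packet builder are assumptions constructed for the example.

```python
import struct

UDP, FRAGMENT = 17, 44
DHCPV6_SERVER_PORT = 547               # UDP source port of server/relay -> client messages
WALKABLE = {0, 43, 60, 135}            # Hop-by-Hop, Routing, Destination Options, Mobility
MAX_CHAIN = 8                          # assumed limit on extension headers a small switch inspects

def walk_chain(pkt: bytes):
    """Follow the IPv6 extension-header chain; return (upper_proto, offset), or
    (None, None) when the upper-layer header cannot be reached."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None, None
    nh, off = pkt[6], 40
    for _ in range(MAX_CHAIN + 1):
        if nh in WALKABLE and off + 2 <= len(pkt):
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == FRAGMENT and off + 8 <= len(pkt):
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return None, None          # non-first fragment: upper layer not visible
            nh, off = pkt[off], off + 8
        elif nh in WALKABLE or nh == FRAGMENT:
            return None, None              # truncated extension header
        else:
            return nh, off
    return None, None                      # chain longer than this device can inspect

def shield_decision(pkt, ingress_port, allowed_ports, drop_unparseable=True):
    """Return (verdict, event). DHCPv6 server-to-client messages arriving on a port
    that is not in allowed_ports are dropped and logged as a security event; an
    unparseable chain is dropped or forwarded according to local policy."""
    proto, off = walk_chain(pkt)
    if proto is None:
        if drop_unparseable:
            return "drop", "security event: unparseable header chain on %s" % ingress_port
        return "forward", None
    if proto == UDP and off + 8 <= len(pkt):
        src_port = struct.unpack("!H", pkt[off:off + 2])[0]
        if src_port == DHCPV6_SERVER_PORT and ingress_port not in allowed_ports:
            return "drop", "security event: DHCPv6 server message on %s" % ingress_port
    return "forward", None

def build_packet(src_port, dst_port, ext_headers=0, payload=b"\x07"):
    """Constructed IPv6/UDP packet with ext_headers Destination Options headers in front."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    body, nh = udp, UDP
    for _ in range(ext_headers):           # 8-byte Destination Options header carrying PadN
        body, nh = bytes([nh, 0, 1, 4, 0, 0, 0, 0]) + body, 60
    return struct.pack("!IHBB", 0x60000000, len(body), nh, 64) + bytes(32) + body
```

With drop_unparseable=False the function follows the draft's current MUST NOT wording; with True it follows the policy the review argues for, and either way the event string is what a deployment would hand to its logging facility.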
