Greetings,

I'm pretty happy with what I see in the new revision. It now treats extension headers and options on an equal footing, leaving the specification of protocol requirements (including configuration defaults) to standards-track documents and concentrating on advice for what configuration options operators should choose. The standards-track document for extension headers is RFC 7045, and the authors have submitted a draft to 6man to cover IPv6 options:

http://tools.ietf.org/html/draft-gont-6man-ipv6-opt-transmit

Folks who are interested in draft-gont-opsec-ipv6-eh-filtering will doubtless want to look at that draft too.

As far as I can see, the major substantive things that need to be done before draft-gont-opsec-ipv6-eh-filtering is ready for prime time are to fill in the TBDs. These mainly deal with specific security implications, but in the case of three hop-by-hop options (SMF_DPD, MPL, IP_DFF) there are some additional gaps. Here is the full list of gaps:

  EH:      Mobility, HIP, Shim6
  HbH (a): Jumbo Payload, RPL
  HbH (b): SMF_DPD, MPL, IP_DFF [also needs impact if blocked and advice]
  Dest:    Tunnel Encapsulation Limit, Home Address, EID, ILNP Nonce, Line ID

The three EHs mentioned above are basically upper-layer protocols with the ability to tunnel another ULP (though in the cases of Mobility and HIP this capability is for further study -- the specs require that they contain a Next Header type of No Next Header). The security considerations of the respective specs (RFCs 5201, 6275, and 5553) seem to provide the necessary information to craft specific security implication text. If I have time in the next couple of weeks I'll see if I can propose something, assuming that the authors (or other interested parties) do not beat me to it.

I also noticed one nit:

  3.3.2.4. Operational and Interoperability Impact if Blocked

  Blocking packets containing a RHT0 or RTH1 has no operational

s/RTH1/RHT1/

//cmh

On Tue, 26 Aug 2014, Fernando Gont wrote:

> Folks,
>
> We have posted a revision
> (http://www.ietf.org/internet-drafts/draft-gont-opsec-ipv6-eh-filtering-02.txt)
> of the aforementioned document, that addresses all the comments we have
> received so far.
>
> Any further comments will be highly appreciated.
>
> Thanks!
>
> Best regards,
> Fernando (and co-authors)
>
>
> -------- Forwarded Message --------
> Subject: New Version Notification for draft-gont-opsec-ipv6-eh-filtering-02.txt
> Date: Tue, 26 Aug 2014 08:21:14 -0700
> From: [email protected]
> To: Will(Shucheng) Liu <[email protected]>, Shucheng LIU (Will) <[email protected]>, Fernando Gont <[email protected]>, Ron Bonica <[email protected]>, Fernando Gont <[email protected]>, Ronald P. Bonica <[email protected]>
>
> A new version of I-D, draft-gont-opsec-ipv6-eh-filtering-02.txt
> has been successfully submitted by Fernando Gont and posted to the
> IETF repository.
>
> Name:          draft-gont-opsec-ipv6-eh-filtering
> Revision:      02
> Title:         Recommendations on Filtering of IPv6 Packets Containing IPv6 Extension Headers
> Document date: 2014-08-26
> Group:         Individual Submission
> Pages:         30
> URL:           http://www.ietf.org/internet-drafts/draft-gont-opsec-ipv6-eh-filtering-02.txt
> Status:        https://datatracker.ietf.org/doc/draft-gont-opsec-ipv6-eh-filtering/
> Htmlized:      http://tools.ietf.org/html/draft-gont-opsec-ipv6-eh-filtering-02
> Diff:          http://www.ietf.org/rfcdiff?url2=draft-gont-opsec-ipv6-eh-filtering-02
>
> Abstract:
>    This document provides advice on the filtering of IPv6 packets based
>    on the IPv6 Extension Headers and the IPv6 options they contain.
>    Additionally, it discusses the operational and interoperability
>    implications of discarding packets based on the IPv6 Extension
>    Headers and IPv6 options they contain.
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
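[Editor's added example, not part of the message above or of the draft.] The points raised in the message (a filter must classify each extension header and each HbH/Destination option separately, RHT0 is a filtering decision of its own, and the Mobility and HIP specs require a Next Header of No Next Header (59) inside those headers) are easiest to see with a small chain walker. The script below is my own illustration: it walks the Next Header chain of a raw IPv6 packet, decodes the HbH/Destination option TLVs by their IANA-registered type values, and lists what a filter built along the lines of draft-gont-opsec-ipv6-eh-filtering would have to take a position on. The three sample packets are constructed by hand (documentation addresses, checksums left at zero, placeholder upper-layer headers), and the function names are mine, not anything from the draft.

```python
# Walk an IPv6 extension-header chain and list what an EH/option filter must decide on.
# Added example; packets are constructed by hand, not captured traffic.
import struct

# Next Header values from the IANA protocol-numbers registry
NH_HOPOPT, NH_ROUTING, NH_FRAGMENT, NH_ESP, NH_AH = 0, 43, 44, 50, 51
NH_NONXT, NH_DSTOPTS, NH_MOBILITY, NH_HIP, NH_SHIM6 = 59, 60, 135, 139, 140
EH_NAMES = {0: "HopByHop", 43: "Routing", 44: "Fragment", 50: "ESP", 51: "AH",
            59: "NoNextHeader", 60: "DestOpts", 135: "Mobility", 139: "HIP", 140: "Shim6"}

# Option types from the IANA "Destination Options and Hop-by-Hop Options" registry
OPT_NAMES = {0x00: "Pad1", 0x01: "PadN", 0x04: "TunnelEncapLimit", 0x05: "RouterAlert",
             0x07: "CALIPSO", 0x08: "SMF_DPD", 0x26: "QuickStart", 0x63: "RPL", 0x6D: "MPL",
             0x8A: "EID", 0x8B: "ILNP_Nonce", 0x8C: "LineID", 0xC2: "JumboPayload",
             0xC9: "HomeAddress", 0xEE: "IP_DFF"}

def parse_options(data):
    """Parse an options area (TLVs; Pad1 is a lone type byte) into (name, type, value)."""
    opts, i = [], 0
    while i < len(data):
        t = data[i]
        if t == 0x00:
            opts.append(("Pad1", t, b""))
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        ln = data[i + 1]
        opts.append((OPT_NAMES.get(t, "Unknown"), t, bytes(data[i + 2:i + 2 + ln])))
        i += 2 + ln
    return opts

def walk_chain(pkt):
    """Return the header chain after the 40-octet base header as a list of dicts."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while True:
        h = {"proto": nh, "name": EH_NAMES.get(nh, "ULP"), "offset": off}
        if nh in EH_NAMES and nh not in (NH_ESP, NH_NONXT) and off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        if nh in (NH_HOPOPT, NH_DSTOPTS):
            hlen = (pkt[off + 1] + 1) * 8          # Hdr Ext Len excludes the first 8 octets
            h["options"] = parse_options(pkt[off + 2:off + hlen])
        elif nh == NH_ROUTING:
            hlen = (pkt[off + 1] + 1) * 8
            h["rt_type"], h["segments_left"] = pkt[off + 2], pkt[off + 3]
        elif nh == NH_FRAGMENT:
            hlen = 8
        elif nh == NH_AH:
            hlen = (pkt[off + 1] + 2) * 4          # AH Payload Len: 4-octet units, minus 2
        elif nh in (NH_MOBILITY, NH_HIP, NH_SHIM6):
            hlen = (pkt[off + 1] + 1) * 8
            h["inner_nh"] = pkt[off]               # RFC 6275 / RFC 5201 require 59 here
        else:                                      # ESP, No Next Header, or the upper-layer protocol
            chain.append(h)
            return chain
        if off + hlen > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(h)
        nh, off = pkt[off], off + hlen

def filtering_findings(pkt):
    """Things an operator's filter has to take a position on, in chain order."""
    findings = []
    for h in walk_chain(pkt):
        if h["name"] == "Routing" and h["rt_type"] == 0:
            findings.append("RHT0 present (deprecated by RFC 5095)")
        if h["name"] in ("Mobility", "HIP") and h["inner_nh"] != NH_NONXT:
            findings.append("%s header carries Next Header %d, spec requires 59"
                            % (h["name"], h["inner_nh"]))
        for name, t, _ in h.get("options", []):
            if name == "Unknown" and t & 0xC0:     # high bits 01/10/11: drop if unrecognised
                findings.append("unknown option 0x%02x with discard semantics" % t)
            elif name not in ("Pad1", "PadN"):
                findings.append("%s option %s" % (h["name"], name))
    return findings

def ipv6_header(nh, payload_len):   # constructed base header, RFC 3849 documentation addresses
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, nh, 64, src, dst)

# Constructed sample 1: Hop-by-Hop (Jumbo Payload + RPL + PadN), then a Mobility header (BRR)
HBH = bytes([NH_MOBILITY, 1,                        # Next Header=135, Hdr Ext Len=1 (16 octets)
             0xC2, 4, 0x00, 0x00, 0x10, 0x00,       # Jumbo Payload, length 4
             0x63, 4, 0x00, 0x00, 0x00, 0x01,       # RPL option: flags, instance, sender rank
             0x01, 0])                              # PadN, length 0
MOB = bytes([NH_NONXT, 0, 0, 0, 0, 0, 0, 0])        # Payload Proto=59, MH Type 0, checksum left 0
PKT_HBH_MOBILITY = ipv6_header(NH_HOPOPT, len(HBH) + len(MOB)) + HBH + MOB
# Constructed sample 2: Routing Header Type 0 with one address, then a zeroed placeholder TCP header
RH0 = bytes([6, 2, 0, 1, 0, 0, 0, 0]) + bytes.fromhex("20010db8000000000000000000000003")
PKT_RHT0 = ipv6_header(NH_ROUTING, len(RH0) + 20) + RH0 + bytes(20)
# Constructed sample 3: HIP header (I1, 40 octets) whose Next Header is TCP (6) instead of 59
HIP_BAD = bytes([6, 4, 1, 0x11, 0, 0, 0, 0]) + bytes(32)
PKT_HIP_BAD = ipv6_header(NH_HIP, len(HIP_BAD) + 20) + HIP_BAD + bytes(20)

if __name__ == "__main__":
    for label, p in (("hbh+mobility", PKT_HBH_MOBILITY), ("rht0", PKT_RHT0), ("hip-bad", PKT_HIP_BAD)):
        print(label, [h["name"] for h in walk_chain(p)], filtering_findings(p))
```

Two things worth noting when turning this into a real filter: the walker deliberately stops at ESP and at the upper-layer protocol, since nothing past those can be classified on the wire, and a truncated chain raises rather than being silently accepted, because a header that cannot be fully parsed cannot be matched against a per-header policy either.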
