Hi, Ray,

Thanks so much for your feedback! Please find my comments in-line...

On 11/18/2014 08:17 AM, Ray Hunter wrote:
> I have read this draft and think it is useful. I also realise that this
> is very late in the day to make comments, but I have a number of issues.
>
> Substantive comment:
> /Before being deployed for production, the DHCPv6-Shield device MUST
> be explicitly configured with respect to which layer-2 ports are
> allowed to send DHCPv6 packets to DHCPv6 clients (i.e. DHCPv6-server
> messages)./
>
> IMHO DHCPv6-Shield is an optional service. Suggest /Unless explicitly
> configured with one or more ports to which DHCPv6 servers or relays are
> attached, the DHCPv6-Shield service SHOULD NOT filter any packets./

FWIW, I personally have no issues with modifying the I-D as indicated.

It looks like you're essentially arguing that "by default, DHCPv6-Shield should be off", whereas the current text essentially means "Do not deploy this unless you've explicitly configured DHCPv6-Shield".

At the end of the day, it looks like both phrases essentially have the same end result -- i.e., you could argue that if DHCPv6-Shield is not filtering any packets, then it is not enabled/not deployed.

Thoughts?

> I also think the terminology of "send" and "receive" is used in a rather
> confusing and inconsistent manner. Suggest using receive from the
> perspective of the switch performing the filtering.
>
> s/Only those layer-2 ports explicitly configured for such purpose will
> be allowed to send DHCPv6 packets to DHCPv6 clients/Only those layer-2
> ports explicitly configured for such purpose will be allowed to receive
> DHCPv6 packets for forwarding to other ports where DHCPv6 clients may be
> connected/

Maybe also s/receive/accept/? -- because you do receive them anyway (even if you later drop them)

> [the L2 switch management process itself will also likely not see the
> DHCPv6 packet if it is performing ingress filtering, and DHCPv6 servers
> could theoretically send packets to each other]
>
> /on those ports that are not allowed to send DHCPv6 packets to DHCPv6
> clients/
>
> Text is confusing. Is the switch blocking ALL DHCPv6 traffic, or ONLY
> packets originated from a DHCPv6 server?

The text should read "DHCPv6-server packets". -- Will fix this in the next rev.

> Suggest /on those ports that are not allowed to receive packets
> originated from a DHCPv6 server/
>
> Also /as not being DHCPv6-server packets/
>
> suggest
>
> /packets not originated from a DHCPv6-server/

Not sure what you mean here....

> s/ We note that if an attacker sends a fragmented DHCPv6 packet on a
> port not allowed to send such packets/We note that if an attacker
> originates a fragmented DHCPv6 packet that arrives on a switch port not
> allowed to receive such packets/

s/receive/accept/?

> There are also a number of textual errors.
>
> s/connected to a switched network/connected to a layer-2 switched network/
>
> s/The basic concept behind DHCPv6-Shield is that a layer-2 device
> filters DHCPv6 messages meant to DHCPv6 clients (henceforth
> "DHCPv6-server messages"), according to a number of different
> criteria./The basic concept behind DHCPv6-Shield is that a layer-2
> device filters DHCPv6 messages sent to DHCPv6 clients (henceforth
> "DHCPv6-server messages"), according to a number of different
> criteria./

Will do.

> s/are received on a specific ports/are received on specific ports/

Will fix this.

> s/ Before the DCHPv6-Shield device is deployed, the administrator
> specifies the layer-2 port(s) on which DHCPv6-server messages are to
> be allowed/ Before the DCHPv6-Shield device is deployed, the
> administrator specifies the layer-2 port(s) on which messages originated
> from a DHCPv6-server are expected to be received/

Maybe "Before the DCHPv6-Shield device is deployed, the administrator specifies the layer-2 port(s) on which DHCPv6-server messages should be accepted" instead?

> s/(e.g., DoS)/(e.g. DoS)/
>
> s/ If deployed in layer-2 domain with several cascading switches/ If
> deployed in a layer-2 domain with several cascaded switches/

Will fix this.

Thanks so much!

Best regards,
--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
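To make the filtering semantics argued over in this thread concrete, here is an added example (not code from the draft or from either poster): a Python model of the per-port DHCPv6-Shield decision, which walks the IPv6 header chain rather than trusting a single fixed offset. It assumes that DHCPv6-server messages are identified by UDP source port 547, that an unconfigured service (empty allowed-port set) filters nothing, as Ray proposes, and that a first fragment whose header chain does not reach the UDP header cannot be classified and is therefore dropped on a non-server port; the sample packets are constructed inline.

```python
import struct

IPV6_HDR_LEN = 40
NEXT_HDR_UDP, NEXT_HDR_FRAGMENT = 17, 44
EXT_HDRS_WITH_LEN = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options: (len+1)*8 bytes
DHCPV6_SERVER_PORT = 547          # assumption: server messages carry UDP source port 547

def classify(pkt: bytes) -> str:
    """Walk the IPv6 header chain; return 'server', 'other' or 'undecidable'."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return "other"
    nxt, off = pkt[6], IPV6_HDR_LEN
    while True:
        if nxt == NEXT_HDR_UDP:
            if len(pkt) < off + 8:
                return "undecidable"            # chain ends before the UDP header
            sport = struct.unpack_from("!H", pkt, off)[0]
            return "server" if sport == DHCPV6_SERVER_PORT else "other"
        if nxt == NEXT_HDR_FRAGMENT:
            if len(pkt) < off + 8:
                return "undecidable"
            frag = struct.unpack_from("!H", pkt, off + 2)[0]
            if frag >> 3:                       # non-first fragment: no upper-layer header here
                return "other"
            nxt, off = pkt[off], off + 8
        elif nxt in EXT_HDRS_WITH_LEN:
            if len(pkt) < off + 2:
                return "undecidable"
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:
            return "other"                      # some other upper-layer protocol

def shield_decision(ingress_port: str, pkt: bytes, allowed_ports: set) -> str:
    """'forward' or 'drop'. An empty allowed set means the service is
    unconfigured and filters nothing (Ray's proposed reading)."""
    if not allowed_ports or ingress_port in allowed_ports:
        return "forward"
    return "forward" if classify(pkt) == "other" else "drop"

def ipv6_udp(sport: int, dport: int, payload: bytes = b"", frag_offset=None) -> bytes:
    """Constructed IPv6/UDP sample packet, optionally behind a Fragment Header."""
    body, nxt = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload, NEXT_HDR_UDP
    if frag_offset is not None:
        body, nxt = struct.pack("!BBHI", NEXT_HDR_UDP, 0, frag_offset << 3, 1) + body, NEXT_HDR_FRAGMENT
    return struct.pack("!IHBB", 0x60000000, len(body), nxt, 64) + b"\0" * 32 + body

if __name__ == "__main__":
    allowed = {"gi0/1"}                         # hypothetical server-facing port
    print(shield_decision("gi0/5", ipv6_udp(547, 546, b"\x02"), allowed))  # drop
```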
