Greetings,

Unless I missed something, it seems that a vital portion 
of the text of Section 5 was dropped in going from -05 to 
-06.  One possible fix would be to reinstate it as follows:

OLD:
   4.  In all other cases, DHCPv6-Shield MUST pass the packet as usual.
NEW:
   4.  When parsing the IPv6 header chain, if the packet is identified
       to be a DHCPv6 packet meant for a DHCPv6 client, DHCPv6-Shield 
       MUST drop the packet, and ought to log the packet drop event in 
       an implementation-specific manner as a security alert.

   5.  In all other cases, DHCPv6-Shield MUST pass the packet as usual.
END.

Thanks,

Mike Heard

On Wed, 25 Feb 2015, [email protected] wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Operational Security Capabilities for IP
> Network Infrastructure Working Group of the IETF.
> 
>         Title           : DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers
>         Authors         : Fernando Gont
>                           Will Liu
>                           Gunter Van de Velde
>       Filename        : draft-ietf-opsec-dhcpv6-shield-06.txt
>       Pages           : 10
>       Date            : 2015-02-25
> 
> Abstract:
>    This document specifies a mechanism for protecting hosts connected to
>    a switched network against rogue DHCPv6 servers.  It is based on
>    DHCPv6 packet-filtering at the layer-2 device at which the packets
>    are received.  A similar mechanism has been widely deployed in IPv4
>    networks ('DHCP snooping'), and hence it is desirable that similar
>    functionality be provided for IPv6 networks.  This document specifies
>    a Best Current Practice for the implementation of DHCPv6 Shield.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-opsec-dhcpv6-shield/
> 
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-opsec-dhcpv6-shield-06
> 
> A diff from the previous version is available at:
> http://www.ietf.org/rfcdiff?url2=draft-ietf-opsec-dhcpv6-shield-06
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> 

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
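
The proposed rules 4 and 5 from the message above, as an added Python example that is not part of the original message or of the draft: it walks the IPv6 header chain and drops, with a logged alert, any packet that ends in UDP addressed to the DHCPv6 client port. Assumptions: the function names are hypothetical, the client port 546 comes from RFC 3315 rather than from this thread, the sample packets are constructed, and rules 1 to 3 of Section 5 (not quoted here) are not implemented.

```python
import logging
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, UDP = 0, 43, 44, 60, 17
DHCPV6_CLIENT_PORT = 546  # UDP port DHCPv6 clients listen on (RFC 3315)
log = logging.getLogger("dhcpv6-shield-example")

def is_dhcpv6_to_client(packet: bytes) -> bool:
    """Walk the IPv6 header chain; True if it ends in UDP to port 546."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return False
    next_header, offset = packet[6], 40
    while next_header in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if offset + 8 > len(packet):
            return False  # chain cut short: left to rules not quoted above
        if next_header == FRAGMENT:
            # Only the first fragment (offset 0) carries the upper-layer header.
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return False
            length = 8
        else:
            length = (packet[offset + 1] + 1) * 8  # Hdr Ext Len: 8-octet units
        next_header, offset = packet[offset], offset + length
    if next_header != UDP or offset + 8 > len(packet):
        return False
    return struct.unpack_from("!H", packet, offset + 2)[0] == DHCPV6_CLIENT_PORT

def verdict(packet: bytes) -> str:
    """Rules 4 and 5 as quoted above: drop and log, or pass."""
    if is_dhcpv6_to_client(packet):
        log.warning("security alert: dropped DHCPv6 packet meant for a client")
        return "drop"
    return "pass"

def build(dst_port: int, ext_headers=()) -> bytes:
    """Constructed sample packet: IPv6 + options-type extension headers + UDP."""
    chain = list(ext_headers) + [UDP]
    body = b""
    for i, _ in enumerate(ext_headers):
        # 8-octet header: Next Header, Hdr Ext Len 0, PadN option (6 octets)
        body += bytes([chain[i + 1], 0, 1, 4, 0, 0, 0, 0])
    body += struct.pack("!HHHH", 547, dst_port, 8, 0)  # checksum 0 (sample only)
    header = struct.pack("!IHBB", 6 << 28, len(body), chain[0], 64)
    return header + bytes(16) + bytes(16) + body  # zeroed addresses (sample)
```

A check on the UDP port in the fixed header alone would miss the second case in the test set, where the UDP header sits behind Hop-by-Hop and Destination Options headers; that is why the rule is phrased in terms of the whole header chain.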