Greetings,

The text in Section 3 seems to have dropped the step saying that if the packet is identified to be a DHCPv6 packet meant for a DHCPv6 client then a DHCPv6-Shield implementation MUST drop the packet. That omission defeats the entire purpose of the draft and renders it unsuitable for publication.

As noted in http://www.ietf.org/mail-archive/web/opsec/current/msg01870.html, this problem was introduced in the -06 version of the draft. Could the authors PLEASE fix this, or else point out where in -07 this step is spelled out?

//cmh

On Fri, 15 May 2015, [email protected] wrote:

> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Operational Security Capabilities for IP
> Network Infrastructure Working Group of the IETF.
>
>         Title           : DHCPv6-Shield: Protecting Against Rogue DHCPv6
>                           Servers
>         Authors         : Fernando Gont
>                           Will Liu
>                           Gunter Van de Velde
>         Filename        : draft-ietf-opsec-dhcpv6-shield-07.txt
>         Pages           : 11
>         Date            : 2015-05-15
>
> Abstract:
>    This document specifies a mechanism for protecting hosts connected to
>    a switched network against rogue DHCPv6 servers. It is based on
>    DHCPv6 packet-filtering at the layer-2 device at which the packets
>    are received. A similar mechanism has been widely deployed in IPv4
>    networks ('DHCP snooping'), and hence it is desirable that similar
>    functionality be provided for IPv6 networks. This document specifies
>    a Best Current Practice for the implementation of DHCPv6 Shield.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-opsec-dhcpv6-shield/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-opsec-dhcpv6-shield-07
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-opsec-dhcpv6-shield-07
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
