A few initial comments. Draft is not quite ready.

Section 2.1.3:
 6164 does not _recommend_ /127; it _permits_ /127 on p2p links.
 The ping pong attack is mitigated in RFC4443.
 I am not convinced there is justification that this document should recommend 
/127 for "security reasons".

Section 2.1.4:
  The description of the IID needs to be updated with the latest 
recommendations in 4291bis etc.
  The IID is no longer recommended to be created by MAC address, for example.

  It might also be worth clarifying that the operator can only control a host's 
choice of IID / privacy by disabling SLAAC altogether.

Section 2.1.6:
 "DNS is often used for malware activities"... That just doesn't read well. I 
presume you aren't proposing to disable DNS? ;-)

Section 2.2:
 I am not sure that extension headers are one of the most critical 
differentiators between IPv4 and IPv6. IPv4 had variable length options...

Section 2.2.2:
 This section should be updated to reflect the new text in 2460bis. The 
reference to hbh-header-handling is no longer needed.

Section 2.2.3
 s/Fragment Extension Header/Fragment header
 Same for Hop by Hop options header. Please get the names of the headers 
correct.

Section 2.3.2:
 Consider Secure DHCPv6?

Section 2.3.3:
 I don't think those individual drafts are "actively" discussing methods to 
rate limit RA anymore. Worth update / rewrite with summary from those 
discussions.

Section 2.7.2
  Remove the historic tunnel mechanisms? ISATAP, Teredo, 6to4?

Section 2.7.2.7:
  DS-lite is not a translation mechanism.

Section 2.7.2.8

 s/tunnel and encapsulation/encapsulation and translation/

Section 2.7.3.1:
 Why in an IPv6 document?

Section 3.1:
 In general update references. e.g. ipv6-eh-filtering is outdated.
 I question referencing opsec-ipv6-eh-filtering. It has wrong and outdated 
advice. E.g. on section of HBH header.
 The advice in ipv6-eh-filtering is essentially to ossify the network.

Section 5:
 Reference to balanced-ipv6-security... I don't think it is worth referencing 
an expired draft. Why not summarise the points in a paragraph?

Ole




> On 18 Apr 2017, at 09:18, Gunter Van De Velde <[email protected]> 
> wrote:
> 
> Dear 6man, v6ops,
> 
> Due to the IPv6 focus of "draft-ietf-opsec-v6" the OPSEC WGLC for this 
> document may be of interest to both 6man and v6ops.
> 
> Please send your feedback to OPSEC email list, where discussion around this 
> document should take place.
> 
> Kind Regards,
> G/
> 
>> Begin forwarded message:
>> 
>> From: Gunter Van De Velde <[email protected]>
>> Subject: [OPSEC] WGLC for draft-ietf-opsec-v6
>> Date: 12 April 2017 at 09:39:28 GMT+2
>> To: [email protected]
>> 
>> This is to open a two week WGLC for 
>> https://tools.ietf.org/html/draft-ietf-opsec-v6.
>> If you have not read it, please do so now. You may send nits to the author, 
>> but substantive discussion should go to the list.
>> 
>> I will close the call on 26 April 2017
>> 
>> G/
>> Sent from iCloud
>> _______________________________________________
>> OPSEC mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/opsec
> 
> _______________________________________________
> v6ops mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/v6ops
