Erik,

Thanks for your time on this I-D.
I will let Merike (who wrote this section) reply, but, speaking for myself, the goal is NOT to recommend ULA + NPTv6 :-O

-éric

On 31/10/17 12:27, "Erik Kline" <[email protected]> wrote:

I still have objections to section 2.1.2. Let's take just this one paragraph to start with:

"""
ULAs are intended for scenarios where IP addresses will not have global scope so they should not appear in the global BGP routing table. The implicit expectation from the RFC is that all ULAs will be randomly created as /48s. Any use of ULAs that are not created as a /48 violates RFC4193 [RFC4193].
"""

The most obvious problems include:

[1] ULA addresses have global scope but are not guaranteed to be globally routable. The first sentence as written does not clearly convey this subtlety.

[2] The second sentence is not correct. Pseudo-random assignment is a MUST for locally-assigned global IDs, for one.

[3] The last sentence misses the point: it's the probabilistic guarantee of uniqueness that's critical, not just the "/48-ness".

One thing that could be called out later in this section is the potential accidental ULA address leakage via ICMPv6 responses.

The rest of the section still reads to me like an oblique recommendation for ULAs with NPTv6, frankly.

I guess I should expect to discuss this more in Singapore.

On 31 October 2017 at 07:09, Eric Vyncke (evyncke) <[email protected]> wrote:
> It is an update to take into account the review of Mikael Abrahamsson and Tobias Fiebig.
>
> See you in Singapore if you participate in the OPSEC WG meeting on Monday (agenda published BTW)
>
> -éric
>
> On 30/10/17 22:32, "OPSEC on behalf of [email protected]" <[email protected] on behalf of [email protected]> wrote:
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Operational Security Capabilities for IP Network Infrastructure WG of the IETF.
>
> Title           : Operational Security Considerations for IPv6 Networks
> Authors         : Eric Vyncke
>                   Kiran K. Chittimaneni
>                   Merike Kaeo
> Filename        : draft-ietf-opsec-v6-12.txt
> Pages           : 48
> Date            : 2017-10-30
>
> Abstract:
> Knowledge and experience on how to operate IPv4 securely is
> available: whether it is the Internet or an enterprise internal
> network. However, IPv6 presents some new security challenges. RFC
> 4942 describes the security issues in the protocol but network
> managers also need a more practical, operations-minded document to
> enumerate advantages and/or disadvantages of certain choices.
>
> This document analyzes the operational security issues in all places
> of a network (enterprises, service providers and residential users)
> and proposes technical and procedural mitigation techniques.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-opsec-v6/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-opsec-v6-12
> https://datatracker.ietf.org/doc/html/draft-ietf-opsec-v6-12
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-opsec-v6-12
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OPSEC mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/opsec
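Erik's objections [2] and [3] turn on what RFC 4193 actually requires of a locally assigned ULA: a pseudo-randomly generated 40-bit global ID under fd00::/8, whose uniqueness is probabilistic rather than guaranteed, carried in a /48. The Python below is an added illustration for this thread, not code from the draft, the list or RFC 4193 itself: it implements the section 3.2.2 global-ID algorithm, checks whether a prefix has the locally-assigned /48 shape, and evaluates the section 3.2.3 collision estimate; the EUI-64 seed and the fixed timestamp it uses are constructed values.

```python
"""RFC 4193 locally assigned ULA prefixes: generation, shape check, collision odds.

Added example, not code from draft-ietf-opsec-v6 or the mailing-list thread.
The EUI-64 seed below is a constructed sample, not a real interface identifier.
"""
import hashlib
import ipaddress
import math
import struct
import time

CONSTRUCTED_EUI64 = bytes.fromhex("0211223344556677")  # constructed, for illustration only


def ntp_timestamp_64(now=None):
    """Current time as a 64-bit NTP timestamp (seconds since 1900, then fraction)."""
    now = time.time() if now is None else now
    ntp_seconds = int(now) + 2208988800          # offset between 1900 and the Unix epoch
    fraction = int((now - int(now)) * (1 << 32))
    return struct.pack("!II", ntp_seconds & 0xFFFFFFFF, fraction & 0xFFFFFFFF)


def generate_ula_prefix(eui64=CONSTRUCTED_EUI64, now=None):
    """RFC 4193 s.3.2.2: SHA-1(NTP time || EUI-64), keep the low 40 bits as the global ID."""
    digest = hashlib.sha1(ntp_timestamp_64(now) + eui64).digest()
    global_id = int.from_bytes(digest[-5:], "big")   # least significant 40 bits of the digest
    # fc00::/7 with the L bit set is fd00::/8; the 40-bit global ID fills bits 8..47.
    prefix_int = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def is_rfc4193_ula_prefix(text):
    """True only for a locally assigned (L=1) ULA prefix that is exactly a /48.

    This checks the shape Erik's point [3] is about; it cannot tell whether the
    global ID was actually drawn at random, which is the MUST of point [2].
    """
    try:
        net = ipaddress.IPv6Network(text, strict=True)  # host bits must be zero
    except ValueError:
        return False
    return net.subnet_of(ipaddress.IPv6Network("fd00::/8")) and net.prefixlen == 48


def collision_probability(n_sites, id_bits=40):
    """RFC 4193 s.3.2.3: P(at least one collision) = 1 - exp(-N^2 / 2^(L+1))."""
    return 1.0 - math.exp(-(n_sites ** 2) / 2 ** (id_bits + 1))
```

Running `collision_probability` for 2 and 10000 sites reproduces the 1.81e-12 and 4.54e-05 rows of the RFC's table, which is the "probabilistic guarantee" the objection refers to.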
