Greetings,

This was an interesting topic and write up. I have a few comments related to writing structure and readability.

Original:
While some operators "officially" drop packets that contain IPv6 EHs, it is possible that some of the measured packet drops be the result of improper configuration defaults, or inappropriate advice in this area.

Suggestion:
While some operators "officially" drop packets that contain IPv6 EHs; it is possible that some of the measured packet drops be the result of improper configuration defaults, or inappropriate advice in this area.

Original:
The advice in this document is aimed only at transit routers that may need to enforce a filtering policy based on the EHs and IPv6 options a packet may contain, following a "deny-list" approach, and hence is likely to be much more permissive that a filtering policy to be employed at e.g. the edge of an enterprise network.

Suggestion:
The advice in this document is aimed only at transit routers that may need to enforce a filtering policy based on the EHs and IPv6 options a packet may contain, following a "deny-list" approach, and hence is likely to be much more permissive than a filtering policy to be employed at, e.g., the edge of an enterprise network.

Original (Section 4.2, first paragraph, second sentence):
Essentially, packets that contain IPv6 options might need to be processed by an IPv6 router's general-purpose CPU, and hence could present a DDoS risk to that router's general-purpose CPU (and thus to the router itself).

Suggestion:
Essentially, packets that contain IPv6 options that might need to be processed by an IPv6 router's general-purpose CPU and could present a DDoS risk to that router's general-purpose CPU.

Comments:

1 - Within the last sentence of the third paragraph within the "Introduction" section, there is a comment about "inappropriate and missing guidelines". Who dictates or decides what is inappropriate?

2 - First bullet point in Section 2.3, change "recognise" to "recognize".

3 - Within the last paragraph of Section 2.3, part of the comment reads "... it is generally desirable that the sender be signaled of the packet drop ...". While the idea is valid, it might be a good idea to note that such a signal might attract malicious attention or threat-actors.

4 - Section 3.4.4.4. It might be best to specify what type of IPSEC deployment is involved: host-to-host, site-to-site, site-to-host?

5 - Section 3.4.5.5. Advise, hasn't AH been depreciated as an insecure methodology versus ESP?

Thank you for your kind attention,
Michael Dougherty

On 1/19/21, 4:48 PM, "[email protected]" <[email protected]> wrote:

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Operational Security Capabilities for IP Network Infrastructure WG of the IETF.

Title : Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers at Transit Routers
Authors : Fernando Gont, Will (Shucheng) Liu
Filename : draft-ietf-opsec-ipv6-eh-filtering-07.txt
Pages : 37
Date : 2021-01-19

Abstract:
This document analyzes the security implications of IPv6 Extension Headers and associated IPv6 options. Additionally, it discusses the operational and interoperability implications of discarding packets based on the IPv6 Extension Headers and IPv6 options they contain. Finally, it provides advice on the filtering of such IPv6 packets at transit routers for traffic *not* directed to them, for those cases where such filtering is deemed as necessary.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-opsec-ipv6-eh-filtering/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-opsec-ipv6-eh-filtering-07
https://datatracker.ietf.org/doc/html/draft-ietf-opsec-ipv6-eh-filtering-07

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-opsec-ipv6-eh-filtering-07

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
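The review and the draft's abstract both turn on one mechanism: a transit router has to walk a packet's extension-header chain before it can decide whether to forward it, and a "deny-list" policy drops only the headers that would force slow-path (general-purpose CPU) processing or that are known to be problematic. The following added example (written for this page; it is not code from the draft, its authors, or the OPSEC list) shows that walk in Python over constructed IPv6 packets. Header layouts follow RFC 8200 and RFC 4302; the deny-list contents (Hop-by-Hop, Routing Header Type 0, a cap on chain length) and the sample packets are illustrative assumptions, not the draft's recommendations.

```python
"""Walk an IPv6 extension-header (EH) chain and apply a transit deny-list policy.

Constructed example: header layouts per RFC 8200 / RFC 4302; the policy values
below are illustrative assumptions, not the draft's recommendations.
"""
import struct

# Protocol numbers of the IPv6 extension headers (IANA Protocol Numbers registry).
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS}
TCP, UDP = 6, 17
SRC = bytes.fromhex("20010db8000000000000000000000001")  # documentation prefix, constructed
DST = bytes.fromhex("20010db8000000000000000000000002")


def ext_header_length(nh, packet, off):
    """Total length in bytes of the EH of type nh that starts at packet[off]."""
    if nh == FRAGMENT:
        return 8                          # fixed-size header
    if nh == AH:
        return (packet[off + 1] + 2) * 4  # AH Payload Len counts 32-bit words, minus 2
    return (packet[off + 1] + 1) * 8      # HBH/Routing/DestOpts: 8-octet units, first not counted


def walk_header_chain(packet):
    """Return (chain, upper_layer_proto); chain is one dict per EH found.

    Raises ValueError when the chain cannot be parsed from the bytes present.
    Stops at ESP (what follows is encrypted) and after a non-first fragment
    (what follows is a slice of the original payload, not headers).
    """
    if len(packet) < 40:
        raise ValueError("truncated IPv6 fixed header")
    nh, off, chain = packet[6], 40, []
    while nh in EXT_HEADERS:
        if nh == ESP:
            chain.append({"type": ESP, "offset": off})
            return chain, ESP
        if off + 2 > len(packet):
            raise ValueError(f"extension header {nh} at offset {off} is cut off")
        length = ext_header_length(nh, packet, off)
        if off + length > len(packet):
            raise ValueError(f"extension header {nh} claims {length} bytes, packet ends early")
        entry = {"type": nh, "offset": off, "length": length}
        if nh == ROUTING:
            entry["routing_type"] = packet[off + 2]
            entry["segments_left"] = packet[off + 3]
        chain.append(entry)
        next_nh = packet[off]
        if nh == FRAGMENT and (struct.unpack("!H", packet[off + 2:off + 4])[0] >> 3) != 0:
            return chain, None            # non-first fragment: no further headers here
        nh, off = next_nh, off + length
    return chain, nh


# Illustrative deny-list (an assumption for this example): drop what a transit
# router would have to punt to its general-purpose CPU or what is deprecated,
# and permit everything else.
POLICY = {
    "deny_types": {HOP_BY_HOP},    # Hop-by-Hop options are examined by every router on the path
    "deny_routing_types": {0},     # Routing Header Type 0 was deprecated by RFC 5095
    "max_ext_headers": 4,          # bounding chain length keeps parsing cost predictable
}


def filter_transit(packet, policy=POLICY):
    """Return ("forward" | "drop", reason) for a packet transiting the router."""
    try:
        chain, upper = walk_header_chain(packet)
    except ValueError as exc:
        return "drop", f"unparseable header chain: {exc}"
    if len(chain) > policy["max_ext_headers"]:
        return "drop", f"{len(chain)} extension headers exceed the limit of {policy['max_ext_headers']}"
    for eh in chain:
        if eh["type"] in policy["deny_types"]:
            return "drop", f"extension header {eh['type']} is on the deny-list"
        if eh["type"] == ROUTING and eh["routing_type"] in policy["deny_routing_types"]:
            return "drop", f"routing header type {eh['routing_type']} is on the deny-list"
    return "forward", f"chain {[eh['type'] for eh in chain]}, upper layer {upper}"


def build_packet(ext_headers, upper_proto, upper_payload, src=SRC, dst=DST):
    """Assemble a constructed IPv6 packet. ext_headers is a list of (type, body),
    body being the EH minus its leading Next Header byte, which is filled in here."""
    types = [t for t, _ in ext_headers] + [upper_proto]
    body = b"".join(bytes([types[i + 1]]) + hdr for i, (_, hdr) in enumerate(ext_headers))
    body += upper_payload
    fixed = struct.pack("!IHBB", 0x60000000, len(body), types[0], 64)  # ver 6, plen, nh, hop limit
    return fixed + src + dst + body


PADN4 = bytes([1, 4, 0, 0, 0, 0])           # PadN option filling the 6 option octets
SAMPLES = {  # constructed packets, not captured traffic
    "plain_tcp": build_packet([], TCP, b"\x00" * 20),
    "hbh_udp": build_packet([(HOP_BY_HOP, bytes([0]) + PADN4)], UDP, b"\x00" * 8),
    "rh0_tcp": build_packet([(ROUTING, bytes([2, 0, 1]) + b"\x00" * 4 + DST)], TCP, b"\x00" * 20),
    "frag_first": build_packet([(FRAGMENT, bytes([0, 0, 0]) + b"\x12\x34\x56\x78")], TCP, b"\x00" * 20),
    "ah_then_esp": build_packet([(AH, bytes([4, 0, 0]) + b"\x00\x00\x01\x00\x00\x00\x00\x01" + b"\xaa" * 12)], ESP, b"\x00" * 16),
    "five_dest_opts": build_packet([(DEST_OPTS, bytes([0]) + PADN4)] * 5, TCP, b""),
    "lying_length": build_packet([(DEST_OPTS, bytes([3]) + PADN4)], TCP, b""),  # claims 32 bytes, carries 8
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:15s} -> {filter_transit(pkt)}")
```

Two design points matter for a transit device. First, an unparseable chain is treated as a drop rather than a forward, because a router that cannot find the upper-layer header cannot apply any further policy to the packet either. Second, AH and ESP pass the deny-list unchanged: the policy takes no position on the AH-versus-ESP question raised in comment 5, it only needs to know that ESP ends the walkable chain.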
