Hello Donald,

As for Tim Chown's review, here is my belated reply... Look for EV>

Thank you for the review

-éric

-----Original Message-----
From: "Smith, Donald" <donald.sm...@centurylink.com>
Date: Monday, 2 July 2018 at 22:14
To: Tim Chown <tim.ch...@jisc.ac.uk>, "ops-...@ietf.org" <ops-...@ietf.org>
Cc: "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-v6....@ietf.org" <draft-ietf-opsec-v6....@ietf.org>
Subject: Re: [OPSEC] Opsdir early review of draft-ietf-opsec-v6-13

Routing security talks exclusively to OSPFv3, which isn't in common use externally today; BGP would be a better choice.

EV> I made the reference to RFC 7454 more prominent in the text

2.1.1 This:

    There are many scanning techniques and more to come possible, hence, operators should never relly on the 'impossible to find because my address is random' paradigm.

Should probably be this:

    There are many scanning techniques and possibly more to come, hence, operators should never rely on the 'impossible to find because my address is random' paradigm.

Or adding Tom's suggestion:

    There are many scanning techniques and possibly more to come, hence, operators should never rely on the 'security by obscurity' paradigm.

EV> indeed, the text has changed following Tim's suggestion

Maybe it doesn't belong there, but this appears to be a potential new smurf amplification vector:

    "Another way works only for local network, it consists in sending a ICMP ECHO_REQUEST to the link-local multicast address ff02::1 which is all IPv6 nodes on the network. All nodes should reply to this ECHO_REQUEST per [RFC4443]."

EV> except that this is local only (packets to ff02::1 will not be forwarded by an IP router). So, the attack is local only (but could be a real annoyance in some settings).

But maybe that belongs in 4443 or some other draft? I feel some mention of anycast used for DDoS Reflection and Amplification (RA) should be included (again, might be out of scope)?

EV> I agree that RFC 4443 did not take this amplification attack into consideration. At least nowadays, large layer-2 networks (notably wifi) have disabled link-local multicast. Added a new section 2.3.6 on this issue.

Metric System
< +000 > -000
Extra People's Terribly Good Meals Kept mY uNCLE Ned Purring For Ages
Exa Peta Tera Giga Mega Kilo milli Micro(u) Nano Pico Femto Atto
donald.sm...@centurylink.com

_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
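The all-nodes echo exchange discussed in the thread, shown from the defender's side as an added example (not part of the draft or of either message): a small analyser over a constructed packet summary that flags ICMPv6 Echo Requests aimed at ff02::1, counts how many distinct nodes answered each requester (the observed amplification factor), and decodes the multicast scope nibble from RFC 4291 to show why the effect stays on the local link, as Eric notes. The packet tuples, the helper names and the ICMPv6 type constants are assumptions of this example; the type values 128/129 are the Echo Request/Reply types from RFC 4443.

```python
"""Detect Echo Requests to the IPv6 all-nodes group and measure the reply fan-out.

Added example, not from the draft or the mailing-list thread. Input is a list
of constructed (src, dst, icmpv6_type) tuples standing in for a capture.
"""
import ipaddress
from collections import defaultdict

ECHO_REQUEST = 128   # ICMPv6 type values per RFC 4443
ECHO_REPLY = 129
ALL_NODES = ipaddress.IPv6Address("ff02::1")

# Constructed sample capture (assumption, not real traffic): one host sends a
# single Echo Request to ff02::1 and four hosts on the link answer it; a
# normal unicast ping between two other hosts is included as a negative case.
SAMPLE_PACKETS = [
    ("fe80::1", "ff02::1", ECHO_REQUEST),
    ("fe80::a", "fe80::1", ECHO_REPLY),
    ("fe80::b", "fe80::1", ECHO_REPLY),
    ("fe80::c", "fe80::1", ECHO_REPLY),
    ("fe80::d", "fe80::1", ECHO_REPLY),
    ("fe80::2", "fe80::3", ECHO_REQUEST),
    ("fe80::3", "fe80::2", ECHO_REPLY),
]

# Multicast scope values from RFC 4291 section 2.7.
SCOPE_NAMES = {1: "interface-local", 2: "link-local", 4: "admin-local",
               5: "site-local", 8: "organization-local", 14: "global"}


def multicast_scope(addr):
    """Return (scope value, scope name) for an IPv6 multicast address.

    The scope is the low nibble of the second address byte (ff0X::/16).
    Scope 2 (link-local) is why a router never forwards ff02::1 traffic.
    """
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not a multicast address")
    scope = a.packed[1] & 0x0F
    return scope, SCOPE_NAMES.get(scope, "reserved/unassigned")


def analyze(packets):
    """Map each source that sent an Echo Request to ff02::1 to its request
    count and the set of nodes that sent Echo Replies back to it.

    Simplification: any Echo Reply addressed to a flagged requester is counted
    as a response; on a real capture you would also match the ICMPv6
    identifier/sequence fields to avoid counting unrelated unicast pings.
    """
    report = defaultdict(lambda: {"requests": 0, "responders": set()})
    for src, dst, icmp_type in packets:
        if icmp_type == ECHO_REQUEST and ipaddress.IPv6Address(dst) == ALL_NODES:
            report[src]["requests"] += 1
    for src, dst, icmp_type in packets:
        if icmp_type == ECHO_REPLY and dst in report:
            report[dst]["responders"].add(src)
    return dict(report)


def amplification_factor(report, requester):
    """Distinct responders per request sent: the reflection fan-out seen on the link."""
    entry = report[requester]
    return len(entry["responders"]) / entry["requests"]


if __name__ == "__main__":
    rep = analyze(SAMPLE_PACKETS)
    for requester, entry in rep.items():
        print(f"{requester}: {entry['requests']} request(s) to ff02::1, "
              f"{len(entry['responders'])} distinct responder(s), "
              f"amplification x{amplification_factor(rep, requester):.0f}")
    scope, name = multicast_scope("ff02::1")
    print(f"ff02::1 has multicast scope {scope} ({name}); routers do not forward it")
```

The scope check is the practical point of Eric's reply: a single host on the segment can trigger one reply per neighbour, so the fan-out equals the number of nodes on the link, but the request cannot cross a router, which is why the exposure is bounded by the size of the layer-2 domain and why large wifi deployments filter link-local multicast.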