[153806] in North American Network Operators' Group


Heads up: IETF 6man poll for adoption of

daemon@ATHENA.MIT.EDU (Fernando Gont)
Wed Jun 13 10:03:15 2012

Date: Wed, 13 Jun 2012 11:02:13 -0300
From: Fernando Gont <fernando@gont.com.ar>
To: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Folks,

Just wanted to send a heads up regarding two IETF 6man wg polls that
have just been started for adoption of these documents:

* draft-gont-6man-oversized-header-chain-02 (Security and
Interoperability Implications of Oversized IPv6 Header Chains)

* draft-gont-6man-nd-extension-headers-03 (Security Implications of the
Use of IPv6 Extension Headers with IPv6 Neighbor Discovery)

draft-gont-6man-oversized-header-chain-02 requires that when packets are
fragmented, the first fragment must contain the entire IPv6 header
chain. This is important for a number of reasons: it allows for
stateless filtering (both at firewalls and at RA-Guard-like devices),
prevents stateless translators from breaking, etc. The poll for this
document is available at:
<http://www.ietf.org/mail-archive/web/ipv6/current/msg15989.html>

draft-gont-6man-nd-extension-headers-03 forbids the use of fragmentation
with Neighbor Discovery. This essentially enables Neighbor Discovery
monitoring in IPv6, thus providing feature parity with IPv4 (think about
arpwatch and the like) -- not to mention that it obviously mitigates
fragmentation-based attacks against Neighbor Discovery and SEND. The
poll for this document is available at:
<http://www.ietf.org/mail-archive/web/ipv6/current/msg15990.html>

IMO, these two I-Ds propose small spec updates which could result in
concrete operational and security benefits.

Thanks!

Best regards,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
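
The two checks the message above describes, as an added example that is not part of the original post or of the drafts themselves: a stateless inspector that walks an IPv6 header chain with no reassembly state, drops a first fragment that does not carry the whole chain up to and including the upper-layer header (the oversized-header-chain rule), and drops Neighbor Discovery messages that arrive with a Fragment header (the ND rule). The packet bytes, addresses and fragment identification are constructed inline; ICMPv6 checksums are left at zero because checksum validation is not what is being shown. The minimum upper-layer header lengths and the choice of ICMPv6 types 133-137 as "Neighbor Discovery" are assumptions of this example.

```python
"""Stateless IPv6 header-chain checks (added example, not from the post).

Two checks, one per draft named in the message:
  * a first fragment must carry the entire header chain, including the
    upper-layer header (draft-gont-6man-oversized-header-chain);
  * Neighbor Discovery must not be carried in a fragment
    (draft-gont-6man-nd-extension-headers).
All packet bytes below are constructed; ICMPv6 checksums are left zero.
"""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DST_OPTS = 0, 43, 44, 50, 51, 59, 60
ICMPV6 = 58
TLV_EXT_HDRS = {HOP_BY_HOP, ROUTING, DST_OPTS}   # length = (hdr_ext_len + 1) * 8 octets
ND_TYPES = {133, 134, 135, 136, 137}              # RS, RA, NS, NA, Redirect (assumption)
# Bytes of the upper-layer header that must be present for the chain to count
# as complete (assumption: TCP 20, UDP 8, ICMPv6 8; anything else 0).
MIN_UPPER_LEN = {6: 20, 17: 8, ICMPV6: 8}


def walk_header_chain(pkt: bytes) -> dict:
    """Walk one packet's header chain with no reassembly state.

    Returns chain (extension header types seen), upper (upper-layer protocol
    or None), upper_offset, fragment ((offset, more_fragments) or None) and
    complete (True iff the upper-layer header lies inside this packet).
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain, fragment = pkt[6], 40, [], None
    while nh in TLV_EXT_HDRS or nh in (AH, FRAGMENT):
        if off + 8 > len(pkt):  # the extension header itself is cut off
            return dict(chain=chain, upper=None, upper_offset=None,
                        fragment=fragment, complete=False)
        chain.append(nh)
        next_nh = pkt[off]
        if nh == FRAGMENT:
            off_flags = struct.unpack_from("!H", pkt, off + 2)[0]
            fragment = (off_flags >> 3, bool(off_flags & 1))
            hdr_len = 8
            if fragment[0] != 0:
                # Non-first fragment: what follows is a slice of the original
                # payload, not a header. Nothing more can be parsed statelessly.
                return dict(chain=chain, upper=None, upper_offset=None,
                            fragment=fragment, complete=False)
        elif nh == AH:
            hdr_len = (pkt[off + 1] + 2) * 4
        else:
            hdr_len = (pkt[off + 1] + 1) * 8
        nh, off = next_nh, off + hdr_len
    # ESP, No Next Header, or a transport protocol: treat as the upper layer.
    complete = off + MIN_UPPER_LEN.get(nh, 0) <= len(pkt)
    return dict(chain=chain, upper=nh, upper_offset=off,
                fragment=fragment, complete=complete)


def check_first_fragment_chain(pkt: bytes) -> str:
    """Chain rule: a first fragment (offset 0) must contain the whole header
    chain up to and including the upper-layer header; otherwise drop."""
    info = walk_header_chain(pkt)
    frag = info["fragment"]
    if frag is None or frag[0] != 0:
        return "pass"  # unfragmented, or a non-first fragment (nothing to check here)
    return "pass" if info["complete"] else "drop: first fragment lacks full header chain"


def check_nd_not_fragmented(pkt: bytes) -> str:
    """ND rule: Neighbor Discovery must not arrive with a Fragment header.
    Only a first fragment exposes the ICMPv6 type, which is why the chain rule
    above is what makes this check possible without reassembly."""
    info = walk_header_chain(pkt)
    if info["fragment"] is None or info["upper"] != ICMPV6 or not info["complete"]:
        return "pass"
    icmp_type = pkt[info["upper_offset"]]
    if icmp_type in ND_TYPES:
        return f"drop: ND type {icmp_type} carried in a fragment"
    return "pass"


def filter_packet(pkt: bytes) -> str:
    """Apply both rules; the first non-pass verdict wins."""
    for verdict in (check_first_fragment_chain(pkt), check_nd_not_fragmented(pkt)):
        if verdict != "pass":
            return verdict
    return "pass"


# --- constructed sample packets -------------------------------------------
SRC = bytes.fromhex("fe80000000000000000000000000000a")        # constructed link-local
DST = bytes.fromhex("ff0200000000000000000001ff00000b")        # constructed solicited-node
NS_TARGET = bytes.fromhex("fe80000000000000000000000000000b")


def ipv6(next_header: int, payload: bytes) -> bytes:
    """Fixed IPv6 header: version 6, zero traffic class/flow label, hop limit 255."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255) + SRC + DST + payload


def frag_hdr(next_header: int, offset: int, more: bool, ident: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


def dst_opts(next_header: int, total_len: int = 8) -> bytes:
    """Destination Options header padded with one PadN option (total_len is a multiple of 8)."""
    return bytes([next_header, total_len // 8 - 1, 1, total_len - 4]) + bytes(total_len - 4)


def neighbor_solicitation() -> bytes:
    return struct.pack("!BBHI", 135, 0, 0, 0) + NS_TARGET  # type 135, checksum left 0


PKT_ND_PLAIN = ipv6(ICMPV6, neighbor_solicitation())
# NS inside a first fragment: the chain is complete, but ND is fragmented.
PKT_ND_FRAGMENTED = ipv6(FRAGMENT, frag_hdr(ICMPV6, 0, True) + neighbor_solicitation())
# First fragment holds only a Destination Options header; the ICMPv6 header
# (and with it the ND type) is pushed into the second fragment.
PKT_OVERSIZED_FIRST = ipv6(FRAGMENT, frag_hdr(DST_OPTS, 0, True) + dst_opts(ICMPV6, 8))
PKT_OVERSIZED_SECOND = ipv6(FRAGMENT, frag_hdr(DST_OPTS, 1, False) + neighbor_solicitation())

if __name__ == "__main__":
    for name, pkt in [("nd_plain", PKT_ND_PLAIN), ("nd_fragmented", PKT_ND_FRAGMENTED),
                      ("oversized_first", PKT_OVERSIZED_FIRST),
                      ("oversized_second", PKT_OVERSIZED_SECOND)]:
        print(f"{name:18s} {filter_packet(pkt)}")
```

The second fragment of the oversized packet passes both checks, and that is the point the message makes: a non-first fragment cannot be classified without state, so the only way a stateless device (a firewall or an RA-Guard-like switch feature) can see what a packet is comes from requiring the first fragment to carry the complete chain. Once that holds, the ND check needs nothing more than the first fragment. The two drafts were later published as RFC 7112 and RFC 6980 respectively.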
