Last Call Review of draft-ietf-opsec-dhcpv6-shield-04

Request Review of draft-ietf-opsec-dhcpv6-shield
Requested rev. no specific revision (document currently at 08)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2014-12-01
Requested 2014-11-20
Authors Fernando Gont, Will LIU, Gunter Van de Velde
Draft last updated 2014-12-11
Completed reviews Genart Last Call review of -04 by Ben Campbell (diff)
Secdir Last Call review of -04 by Hannes Tschofenig (diff)
Opsdir Last Call review of -04 by Jürgen Schönwälder (diff)
Assignment Reviewer Hannes Tschofenig
State Completed
Review review-ietf-opsec-dhcpv6-shield-04-secdir-lc-tschofenig-2014-12-11
Reviewed rev. 04 (document currently at 08)
Review result Has Nits
Review completed: 2014-12-11


I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This document specifies packet filtering criterion so that DHCPv6-server
messages are discarded by the layer-2 device unless they are received
on a specific (previously configured) ports of the layer-2 device.

The document is well-written and I don't see any problems with the
write-up. While specifying packet filtering firewall rules is an
implementation / configuration dependent task that does not require
standardization as such this work follows earlier patterns, namely
the RA-Guard mechanism for the protection against rogue router

The only question I have whether the document type (currently set to
'Best Current Practice') is appropriate.


PS: Minor editorial nit:

Finally, we note that the security of a site employing DHCPv6 Shield
   could be further improved by deploying [I-D.ietf-savi-dhcp], to
   mitigate IPv6 address. spoofing attacks.




 OpenPGP digital signature