Last Call Review of draft-ietf-opsec-dhcpv6-shield-04
review-ietf-opsec-dhcpv6-shield-04-secdir-lc-tschofenig-2014-12-11-00
| Request | Review of | draft-ietf-opsec-dhcpv6-shield |
|---|---|---|
| Requested rev. | no specific revision (document currently at 08) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2014-12-01 | |
| Requested | 2014-11-20 | |
| Draft last updated | 2014-12-11 | |
| Completed reviews |
Genart Last Call review of -04 by Ben Campbell
(diff)
Secdir Last Call review of -04 by Hannes Tschofenig (diff) Opsdir Last Call review of -04 by Jürgen Schönwälder (diff) |
|
| Assignment | Reviewer | Hannes Tschofenig |
| State | Completed | |
| Review | review-ietf-opsec-dhcpv6-shield-04-secdir-lc-tschofenig-2014-12-11 | |
| Reviewed rev. | 04 (document currently at 08) | |
| Review result | Has Nits | |
| Review completed: | 2014-12-11 |
Review
review-ietf-opsec-dhcpv6-shield-04-secdir-lc-tschofenig-2014-12-11
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.
This document specifies packet filtering criterion so that DHCPv6-server
messages are discarded by the layer-2 device unless they are received
on a specific (previously configured) ports of the layer-2 device.
The document is well-written and I don't see any problems with the
write-up. While specifying packet filtering firewall rules is an
implementation / configuration dependent task that does not require
standardization as such this work follows earlier patterns, namely
the RA-Guard mechanism for the protection against rogue router
advertisements.
The only question I have whether the document type (currently set to
'Best Current Practice') is appropriate.
Ciao
Hannes
PS: Minor editorial nit:
"
Finally, we note that the security of a site employing DHCPv6 Shield
could be further improved by deploying [I-D.ietf-savi-dhcp], to
mitigate IPv6 address. spoofing attacks.
^^^
"
Attachment:
signature.asc
Description:
OpenPGP digital signature