Hi David, and thanks for your review. Inline:

> As such, the whole document is a security consideration. The
> vulnerability appears well-documented, and the guidelines for handling
> the deprecated RH0 are clear.

Good.

> I have a few comments
> 1) RH0 really is something we do not want to see used, right? Should
> this RH be obsoleted rather than deprecated?

The new RFC cannot obsolete the RFC where RH0 was defined, because the latter also contains parts that we do not intend to remove :-) i.e., base IPv6 spec.

> 2) Per BCP61, MUST is for implementers, and SHOULD is for
> users/deployers. There is a MUST NOT in section 4.2 that is a
> deployment decision, so this should be a SHOULD NOT. At the same time,
> there is a "must" in section 4.2 that is an implementation
> requirement, so this should be a MUST.

Hmm. There was a fair amount of discussion about this in the WG. The problem is that wholesale filtering of protocol 43 breaks other things, including Mobile IPv6. This is why the document explicitly says that type-specific filtering is required. There was a desire to make this very clear. But then again, who is the IETF to say what filtering MUST be performed? If someone wants to block all of TCP, they should be able to do it... We'll talk about this point in the next IESG telechat.

> 3) Section three uses "must" where MUST would seem appropriate

This is a quote from another RFC, and as such we should not change it.

Jari
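
The type-specific filtering discussed in the message above, as an added example that is not part of the original e-mail or of the draft: a Python sketch that walks the IPv6 extension header chain and drops only Routing Type 0, beside a wholesale protocol-43 rule that also drops Mobile IPv6's Type 2 header. The function names, the fail-closed handling of malformed packets, and the sample packets are constructed assumptions.

```python
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, NO_NEXT, DEST_OPTS = 0, 43, 44, 59, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def routing_types(packet: bytes) -> list:
    """Walk the IPv6 extension header chain; return every Routing Type seen."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, found = packet[6], 40, []
    while nxt in EXT_HEADERS:
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        # Fragment header is fixed at 8 octets; the others carry Hdr Ext Len.
        size = 8 if nxt == FRAGMENT else (packet[off + 1] + 1) * 8
        if off + size > len(packet):
            raise ValueError("truncated extension header")
        if nxt == ROUTING:
            found.append(packet[off + 2])  # Routing Type octet
        if nxt == FRAGMENT and struct.unpack("!H", packet[off + 2:off + 4])[0] >> 3:
            break  # non-first fragment: what follows is payload, not headers
        nxt, off = packet[off], off + size
    return found

def verdict(packet: bytes, policy: str = "type-specific") -> str:
    """'wholesale' drops any protocol-43 header; 'type-specific' drops only RH0."""
    try:
        types = routing_types(packet)
    except ValueError:
        return "drop"  # assumption of this sketch: fail closed on malformed input
    if policy == "wholesale":
        return "drop" if types else "accept"
    return "drop" if 0 in types else "accept"

# Constructed sample packets (all-zero addresses, no upper-layer payload).
def ipv6(next_header: int, payload: bytes) -> bytes:
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + bytes(32) + payload

def routing_header(rtype: int, next_header: int = NO_NEXT) -> bytes:
    # Hdr Ext Len 2 => 24 octets: 4 fixed + 4 reserved + one 16-octet address.
    return bytes([next_header, 2, rtype, 1]) + bytes(4) + bytes(16)

RH0_PACKET = ipv6(ROUTING, routing_header(0))
MIPV6_PACKET = ipv6(ROUTING, routing_header(2))  # Type 2 is Mobile IPv6's header
# RH0 placed behind a Destination Options header (one PadN option of 6 octets).
HIDDEN_RH0 = ipv6(DEST_OPTS, bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0]) + routing_header(0))

if __name__ == "__main__":
    for name, pkt in [("RH0", RH0_PACKET), ("MIPv6", MIPV6_PACKET), ("hidden RH0", HIDDEN_RH0)]:
        print(name, verdict(pkt), verdict(pkt, "wholesale"))
```

The third sample shows why the check has to follow the Next Header chain rather than look only at the fixed header's Next Header field.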