Re: Gen-ART LC Review of draft-ietf-opsec-dhcpv6-shield-04

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thanks for your response. Here's some additional comments. I removed sections that didn't seem to need further discussion.


> On Dec 2, 2014, at 5:03 AM, Fernando Gont <fgont@xxxxxxxxxxxxxxx> wrote:

[...]

>> Major issues:
>> 
>> (Note: This is not so much a "major issue" as a meta-concern that
>> doesn't fit well in the major/minor/nit structure.)
>> 
>> I have questions about the intended status. The draft lists BCP. It's
>> not clear to me if we intend to say that it's a "best practice" to
>> implement DHCPv6 filtering, or that, if you do implement it, it's a
>> best practice to do it like this. Given the strength of a BCP, I
>> think it's worth clarifying that.
> 
> BCP of implementing it, if you do.
> 
> How about adding this text to the intro:
> 
> "This document specifies a Best Current Practice for the implementation
> of DHCPv6 Shield (DHCPv6)"
> 

That would help, thanks!

> 
> 
>> Minor issues:
>> 
>> -- abstract, last sentence:
>> 
>> I didn't find this assertion in the body itself. It would be nice to
>> see support for it (perhaps with citations).
> 
> I guess one could provide references to some vendor's manuals? Is that
> what you have in mind? (although I'd prefer not to do so).

The citations part was more of a nice to have. But it would be worth putting some words around that in the body, even if there's nothing to reference.

> 
> 
> 
>> -- section 4:
>> 
>> Am I correct in understanding that this is opt in only? You would
>> disallow a rule of the form of "allow on any port except [list]"?
> 
> Not sure what you mean.
> 
> The idea is that if you want to enable dhcpv6 shield, you need to
> specify on which port(s) the dhcpv6 server(s) is/are connected.

Would a rule of the form "Allow DHCPv6 on all ports except port X" be allowed?


> 
> 
> 
>> Nits/editorial comments:
>> 
>> -- section 1, 2nd paragraph:
>> 
>> This is the first mention of "DHCP-Shield" I found, not counting the
>> doc name and headers. It would be helpful to have an early mention
>> that "DHCP-Shield" is the name of the thing that this draft defines.
>> 
>> -- section 1, 3rd paragraph:
>> 
>> It would be helpful to define what a "DHCP-Shield device" is, prior
>> to talking about deploying and configuring them.
> 
> How about adding (in Section 1) the following text:
> 
>    This document specifies DHCPv6 Shield: a set of filtering
>    rules meant to mitigate attacks that employ DHCPv6-server
>    packets. Throughout this document we refer to a device
>    implementing the DHCPv6 Shield filtering rules as the "DHCPv6
>    Shield device"
> 
> ?

Yes, thanks.


> 
> 
>> -- section 3, paragraph ending with  with "... used as follows
>> [RFC7112]:"
>> 
>> I'm a bit confused by the citation. Are these defined "as follows",
>> or in 7112?
>> 

You did not respond to this one. I note that my next few comments might no longer apply if the 7112 reference is clarified. Is the point to say that 7112 contains the following definitions, which are repeated here for the sake of convenience?


>> -- section 3, "Extension Header"
>> 
>> -- these are IPv6 extension headers, right?
> 
> Yes. Should we explicitly say so?

I think it would help. The 7112 reference bit might fix it, but as written the first explicit mention of IPv6 in the section is the IPv6 Header Chain subsection.

> 
> 
> 
>> -- section 3, "IPv6 Header chain"
>> 
>> Is there a relevant citation for this?
> 
> Other than RFC7112?

See 2nd comment back.

> 
> 
> 
>> Also, while this section talks about some aspects of header chains,
>> it never actually defines the term.
> 
> Which one?

The term "header chain".  That is, something of the form of "The IPv6 header chain is a linked-list of IPv6 headers. It contains ...".

> 
> 
> 
> 
>> -- section 3, "Upper-Layer Header"
>> 
>> Again, this section talks about the term without defining it.
>> 
>> -- section 5, list entry "1": "... the IPv6 entire header chain ..."
> 
> Not sure what you mean: Section 3 is all about defining the terms. Am I
> missing something?

Again, the definition doesn't actually define the term. For example, "An upper-layer header is a header belonging to an upper-layer protocol"


[...]

> 
> 
>> -- section 3, rational for item 1: "An implementation that has such
>> an implementation-specific limit MUST NOT claim compliance with this
>> specification."
>> 
>> That's an odd use of 2119 language; I assume this to be true anytime
>> an implementation violates a MUST/MUST NOT assertion.
> 
> You're right. Should we just change this to lowercase, or do you think
> we should remove the whole sentence?

Either would be okay. I guess it comes down to whether you think this requirement (parsing the entire chain) needs to be called out more strongly than any other MUST level requirement. 

> 
> 
> 
>> -- section 3, rational for list item 3:
>> 
>> It would be helpful if this rational said why dropping unrecognized
>> next header values is needed for the purpose, not just the fact that
>> 7045 allows it to be dropped.
> 
> How about adding this at the end of the RATIONALE:
> 
> "An unrecognized Next Header value could possibly identify an IPv6
> Extension Header, and thus be leveraged to conceal a DHCPv6-server packet".
> 
> 

That helps, thanks.

> 
>> -- section 3, list item 4:
>> 
>> Am I correct in assuming that there might be other (non-dhcp) reasons
>> a device might still drop packets that otherwise pass the
>> dhcpv6-shield tests?
> 
> Yes. Why?
> 
> FWIW, the filtering rules in this document just talk about whether a
> packet should be blocked or not based on these rules.

I guess it depends on whether "MUST pass the packet" means pass it for further processing (which could include other filtering rules), or pass it onto the wire. I see your point that the draft intends the former, but I think some implementers might read it as the latter.

> 
> 
> 
>> -- section 3, paragraph after list item 4:
>> 
>> The comment that dropped packets SHOULD be logged is redundant with
>> the same statement in the numbered rules.
> 
> How about changing this:
> 
>   If a packet is dropped due to this filtering policy, then the packet
>   drop event SHOULD be logged in an implementation-specific manner as a
>   security fault.  The logging mechanism SHOULD include a drop counter
>   dedicated to DHCPv6-Shield packet drops.
> 
> to:
> 
>   The above rules require that if a packet is dropped due to this
>   filtering policy, the packet drop event be logged in an
>   implementation-specific manner as a security fault.  The logging
>   mechanism SHOULD include a drop counter
>   dedicated to DHCPv6-Shield packet drops.
> 
> ?

Works for me.

[...]

Thanks!

/Ben





[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]