Hi, Ben, It looks like I never responded to this one. -- My apologies for that. Please find my comments in-line... On 12/11/2014 06:56 PM, Ben Campbell wrote: >>> Minor issues: >>> >>> -- abstract, last sentence: >>> >>> I didn't find this assertion in the body itself. It would be nice >>> to see support for it (perhaps with citations). >> >> I guess one could provide references to some vendor's manuals? Is >> that what you have in mind? (although I'd prefer not to do so). > > The citations part was more of a nice to have. But it would be worth > putting some words around that in the body, even if there's nothing > to reference. ANy suggestions on this one? >>> -- section 4: >>> >>> Am I correct in understanding that this is opt in only? You >>> would disallow a rule of the form of "allow on any port except >>> [list]"? >> >> Not sure what you mean. >> >> The idea is that if you want to enable dhcpv6 shield, you need to >> specify on which port(s) the dhcpv6 server(s) is/are connected. > > Would a rule of the form "Allow DHCPv6 on all ports except port X" be > allowed? Yes. That's another way of saying: "Enable DHCPv6-Shield. Allow DHCPv6 on ports 1-7" -- when a device has ports 1-8. i.e., DHCPv6-Shield is, when enabled, a "default deny" -- and you need to specify on which port(s) DHCPv6 should be allowed. >>> -- section 1, 3rd paragraph: >>> >>> It would be helpful to define what a "DHCP-Shield device" is, >>> prior to talking about deploying and configuring them. >> >> How about adding (in Section 1) the following text: >> >> This document specifies DHCPv6 Shield: a set of filtering rules >> meant to mitigate attacks that employ DHCPv6-server packets. >> Throughout this document we refer to a device implementing the >> DHCPv6 Shield filtering rules as the "DHCPv6 Shield device" >> >> ? > > Yes, thanks. FWIW, we ended up adding all these definitions to the "Terminology" section. >>> -- section 3, paragraph ending with with "... used as follows >>> [RFC7112]:" >>> >>> I'm a bit confused by the citation. Are these defined "as >>> follows", or in 7112? >>> > > You did not respond to this one. I note that my next few comments > might no longer apply if the 7112 reference is clarified. Is the > point to say that 7112 contains the following definitions, which are > repeated here for the sake of convenience? Yes, that's the point. And we've updated the text to say "..used as defined in [RFC7112]". >>> Also, while this section talks about some aspects of header >>> chains, it never actually defines the term. >> >> Which one? > > The term "header chain". That is, something of the form of "The IPv6 > header chain is a linked-list of IPv6 headers. It contains ...". We never use "header chain" alone, but rather "IPv6 header chain". >>> -- section 3, "Upper-Layer Header" >>> >>> Again, this section talks about the term without defining it. >>> >>> -- section 5, list entry "1": "... the IPv6 entire header chain >>> ..." >> >> Not sure what you mean: Section 3 is all about defining the terms. >> Am I missing something? > > Again, the definition doesn't actually define the term. For example, > "An upper-layer header is a header belonging to an upper-layer > protocol" mm.. but that wouldn't be correct. The current definition seems to be more correct than that. Not sure what is missing... Thanks! Best regards, -- Fernando Gont SI6 Networks e-mail: fgont@xxxxxxxxxxxxxxx PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492