Re: [v6ops] Secdir telechat review of draft-ietf-v6ops-transition-ipv4aas-12

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Christian,

No, it was not intended to configure the LANs, just the CE.

I think that's clear in the document (abstract, intro), so if you feel that something else need to be included to make sure that is not misunderstood, please, let me know.

In Section 3.2 I've added this, let me know if you think is now clearer:

   Note that this document is only configuring the IPv4aaS in the IPv6
   Transition CE Router itself, and not forwarding such information to
   devices attached to the LANs, so the WAN configuration, availability
   of native IPv4 or IPv4aaS, is transparent for them.

Regarding the Security Section, following your points and Barbara suggestions I've this:


   The IPv6 Transition CE Router must comply with the Security
   Considerations as stated in [RFC7084], as well as those stated by
   each transition mechanism implemented by the IPv6 Transition CE
   Router.

   As described in [RFC8026] and [RFC8415] Security Consideration
   sections, there are generic DHCP security issues, which in the case
   of this document means that malicious nodes may alter the priority of
   the transition mechanisms.

   Access network architecture for securing DHCP within the access
   network is out of scope of this document.  Securing DHCP in the LAN
   is also not in scope.  DHCP packets MUST NOT be forwarded between LAN
   and WAN interfaces of an IPv6 Transition CE router.

Regards,
Jordi
 
 

-----Mensaje original-----
De: ietf <ietf-bounces@xxxxxxxx> en nombre de Christian Huitema <huitema@xxxxxxxxxxx>
Fecha: miércoles, 9 de enero de 2019, 7:14
Para: JORDI PALET MARTINEZ <jordi.palet@xxxxxxxxxxxxxx>, "STARK, BARBARA H" <bs7652@xxxxxxx>
CC: "v6ops@xxxxxxxx" <v6ops@xxxxxxxx>, "ietf@xxxxxxxx" <ietf@xxxxxxxx>, "secdir@xxxxxxxx" <secdir@xxxxxxxx>
Asunto: Re: [v6ops] Secdir telechat review of draft-ietf-v6ops-transition-ipv4aas-12

    
    On 1/8/2019 10:38 AM, JORDI PALET MARTINEZ wrote:
    > The security concerns raised *initially* by Christian were related to the use of DHCP for configuring the WAN. At least that was what I understood. Then we continued discussing about the LAN, which I agree with you, is not a requirement on this document.
    
    I may be very confused, because the way I read your draft I assumed that
    the DHCPv6 S46 option was meant to inform the LAN-side devices of the
    available and preferred transition services. From what you are telling
    me, the S46 option is actually provided by the WAN side DHCPv6 server,
    of which the CPE is a client. That would be the preferred way for an ISP
    to configure the customer premise device.
    
    If the DHCPv6 option is only used on the WAN side, then I agree with
    Barbara and you that solutions like DHCP Guard or 802.1x are not
    relevant. There is no need for the proposed paragraph starting with
    "considering that" and ending with "scope of this document".
    
    On the other hand, if I was that much confused, others will be too. I
    might be useful to drop a line in section 3.2 explain in layman terms
    how the S46 option is used.
    
    -- Christian Huitema
    
    
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.







[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux