Hi Christian,

No, it was not intended to configure the LANs, just the CE. I think that's clear in the document (abstract, intro), so if you feel that something else needs to be included to make sure that is not misunderstood, please, let me know.

In Section 3.2 I've added this, let me know if you think it is now clearer:

Note that this document is only configuring the IPv4aaS in the IPv6 Transition CE Router itself, and not forwarding such information to devices attached to the LANs, so the WAN configuration, availability of native IPv4 or IPv4aaS, is transparent for them.

Regarding the Security Section, following your points and Barbara's suggestions, I have this:

The IPv6 Transition CE Router must comply with the Security Considerations as stated in [RFC7084], as well as those stated by each transition mechanism implemented by the IPv6 Transition CE Router.

As described in [RFC8026] and [RFC8415] Security Consideration sections, there are generic DHCP security issues, which in the case of this document means that malicious nodes may alter the priority of the transition mechanisms. Access network architecture for securing DHCP within the access network is out of scope of this document. Securing DHCP in the LAN is also not in scope. DHCP packets MUST NOT be forwarded between LAN and WAN interfaces of an IPv6 Transition CE router.

Regards,
Jordi

-----Original Message-----
From: ietf <ietf-bounces@xxxxxxxx> on behalf of Christian Huitema <huitema@xxxxxxxxxxx>
Date: Wednesday, 9 January 2019, 7:14
To: JORDI PALET MARTINEZ <jordi.palet@xxxxxxxxxxxxxx>, "STARK, BARBARA H" <bs7652@xxxxxxx>
CC: "v6ops@xxxxxxxx" <v6ops@xxxxxxxx>, "ietf@xxxxxxxx" <ietf@xxxxxxxx>, "secdir@xxxxxxxx" <secdir@xxxxxxxx>
Subject: Re: [v6ops] Secdir telechat review of draft-ietf-v6ops-transition-ipv4aas-12

On 1/8/2019 10:38 AM, JORDI PALET MARTINEZ wrote:

> The security concerns raised *initially* by Christian were related to the use of DHCP for configuring the WAN. At least that was what I understood.
> Then we continued discussing about the LAN, which I agree with you, is not a requirement on this document.

I may be very confused, because the way I read your draft I assumed that the DHCPv6 S46 option was meant to inform the LAN-side devices of the available and preferred transition services. From what you are telling me, the S46 option is actually provided by the WAN side DHCPv6 server, of which the CPE is a client. That would be the preferred way for an ISP to configure the customer premise device.

If the DHCPv6 option is only used on the WAN side, then I agree with Barbara and you that solutions like DHCP Guard or 802.1x are not relevant. There is no need for the proposed paragraph starting with "considering that" and ending with "scope of this document".

On the other hand, if I was that much confused, others will be too. It might be useful to drop a line in section 3.2 explaining in layman's terms how the S46 option is used.

-- Christian Huitema
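Added example, not part of the mail thread or the draft: a Python sketch of how a CE, acting as the WAN-side DHCPv6 client, could read the S46 priority option of [RFC8026] and pick a mechanism, showing why an altered list changes the outcome. The option code 111, the mechanism codes and the first-supported-wins rule follow RFC 8026; the sample bytes, the supported set, the expected value and all function names are constructed for illustration.

```python
import struct

OPTION_S46_PRIORITY = 111  # RFC 8026
# Mechanism option codes that may appear in the priority list (RFC 8026).
S46_MECHANISMS = {64: "DS-Lite", 88: "DHCPv4 over DHCPv6",
                  94: "MAP-E", 95: "MAP-T", 96: "Lightweight 4over6"}

def build_option(code, value):
    """Encode one DHCPv6 option: 16-bit code, 16-bit length, value."""
    return struct.pack("!HH", code, len(value)) + value

def parse_s46_priority(options):
    """Walk the option TLVs and return the S46 priority list ([] if absent)."""
    offset = 0
    while offset + 4 <= len(options):
        code, length = struct.unpack_from("!HH", options, offset)
        value = options[offset + 4:offset + 4 + length]
        if len(value) != length:
            raise ValueError("truncated DHCPv6 option")
        if code == OPTION_S46_PRIORITY:
            if length == 0 or length % 2:
                raise ValueError("malformed S46 priority option")
            return list(struct.unpack("!%dH" % (length // 2), value))
        offset += 4 + length
    return []

def select_mechanism(priority, supported):
    """Simplified selection: first listed mechanism the CE implements."""
    for code in priority:
        if code in supported:
            return code
    return None

def audit(options, supported, expected):
    """Return (selected code, matches the operator-provisioned expectation)."""
    chosen = select_mechanism(parse_s46_priority(options), supported)
    return chosen, chosen == expected

# Constructed sample data: a DNS option (23) followed by the priority option.
DNS = build_option(23, bytes(16))
REPLY_FROM_ISP = DNS + build_option(OPTION_S46_PRIORITY, struct.pack("!2H", 95, 64))
REPLY_ALTERED = DNS + build_option(OPTION_S46_PRIORITY, struct.pack("!2H", 64, 95))
CE_SUPPORTED = {64, 94, 95}   # assumption: this CE implements these three
EXPECTED = 95                 # assumption: the operator provisions MAP-T first

if __name__ == "__main__":
    for name, reply in (("isp", REPLY_FROM_ISP), ("altered", REPLY_ALTERED)):
        code, ok = audit(reply, CE_SUPPORTED, EXPECTED)
        print(name, S46_MECHANISMS.get(code), "ok" if ok else "MISMATCH")
```

Both replies are well formed, so parsing alone cannot tell them apart; only a comparison against what the operator provisioned flags the reordered list.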