[LACNIC/Seguridad] Fwd: Heads up: IETF 6man poll for adoption of RA-Guard/firewalling/monitoring-related I-Ds

Luke Guild lguild en belizetelemedia.net
Wed Jun 13 12:44:16 BRT 2012


Can you please stop sending me emails.
I have unsubscribed from the mailing list already.
Thank you.

Once again.
Please stop sending me mails.

Luke Guild


-----Original Message-----
From: seguridad-bounces en lacnic.net [mailto:seguridad-bounces en lacnic.net] On Behalf Of Fernando Gont
Sent: Wednesday, June 13, 2012 8:04 AM
To: Lista para discusión de seguridad en redes y sistemas informaticos de la región; lactf en lac.ipv6tf.org
Cc: lacnog en lacnog.org
Subject: [LACNIC/Seguridad] Fwd: Heads up: IETF 6man poll for adoption of RA-Guard/firewalling/monitoring-related I-Ds

FYI.

Speak now, or put up with it forever. :-)

Regards, and thanks!
Fernando




-------- Original Message --------
Subject: Heads up: IETF 6man poll for adoption of RA-Guard/firewalling/monitoring-related I-Ds
Date: Wed, 13 Jun 2012 11:02:13 -0300
From: Fernando Gont <fernando en gont.com.ar>
To: NANOG <nanog en nanog.org>

Folks,

Just wanted to send a heads up regarding two IETF 6man wg polls that have just been started for adoption of these documents:

* draft-gont-6man-oversized-header-chain-02 (Security and Interoperability Implications of Oversized IPv6 Header Chains)

* draft-gont-6man-nd-extension-headers-03 (Security Implications of the Use of IPv6 Extension Headers with IPv6 Neighbor Discovery)

draft-gont-6man-oversized-header-chain-02 requires that when packets are fragmented, the first fragment must contain the entire IPv6 header chain. This is important for a number of reasons: it allows for stateless filtering (both at firewalls and at RA-Guard-like devices), prevents stateless translators from breaking, etc. The poll for this document is available at:
<http://www.ietf.org/mail-archive/web/ipv6/current/msg15989.html>

draft-gont-6man-nd-extension-headers-03 forbids the use of fragmentation with Neighbor Discovery. This essentially enables Neighbor Discovery monitoring in IPv6, thus providing feature parity with IPv4 (think about arpwatch and the like) -- not to mention that it obviously mitigates fragmentation-based attacks against Neighbor Discovery and SEND. The poll for this document is available at:
<http://www.ietf.org/mail-archive/web/ipv6/current/msg15990.html>

IMO, these two I-Ds propose small spec updates which could result in concrete operational and security benefits.

Thanks!

Best regards,
--
Fernando Gont
e-mail: fernando en gont.com.ar || fgont en si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
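
Added example, not part of the original message or of the I-Ds: the stateless check that the two requirements above make possible, written in Python. A filter walks the IPv6 header chain using only the bytes of one packet, drops any packet (first fragment or unfragmented) whose chain is not fully contained in it, and drops Neighbor Discovery messages that carry a Fragment Header. The function names, verdict strings and sample packets are assumptions constructed for this illustration.

```python
import struct
# IANA protocol numbers for the IPv6 extension headers a filter must walk past.
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, ICMPV6 = 0, 43, 44, 51, 60, 58
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
MIN_UPPER = {6: 20, 17: 8, ICMPV6: 4}   # bytes needed to identify TCP / UDP / ICMPv6
ND_TYPES = range(133, 138)              # RS, RA, NS, NA, Redirect

def inspect(packet: bytes) -> dict:
    """Walk the header chain using only the bytes of this one packet (no reassembly)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    r = {"fragmented": False, "non_first": False, "complete_chain": False, "nd": False}
    nh, off = packet[6], 40
    while nh in EXT_HEADERS:
        if off + 8 > len(packet):
            return r                      # chain continues in a later fragment
        if nh == FRAGMENT:
            r["fragmented"] = True
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:
                r["non_first"] = True     # nonzero offset: payload, not headers, follows
                return r
            hdr_len = 8
        else:                             # AH counts 4-byte words, the others 8-byte units
            hdr_len = (packet[off + 1] + 2) * 4 if nh == AH else (packet[off + 1] + 1) * 8
        nh, off = packet[off], off + hdr_len
    r["complete_chain"] = off + MIN_UPPER.get(nh, 0) <= len(packet)
    r["nd"] = r["complete_chain"] and nh == ICMPV6 and packet[off] in ND_TYPES
    return r

def verdict(packet: bytes) -> str:
    r = inspect(packet)
    if r["non_first"]:
        return "pass"                     # judged via its first fragment
    if not r["complete_chain"]:
        return "drop: header chain incomplete"
    if r["fragmented"] and r["nd"]:
        return "drop: fragmented ND"
    return "pass"

# Constructed sample packets (addresses, identification and payloads are made up).
def ipv6(nh, payload):
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 255) + bytes(32) + payload
def frag(nh, offset, more):
    return struct.pack("!BBHI", nh, 0, (offset << 3) | more, 0x1234)
RA = bytes([134, 0, 0, 0]) + bytes(12)                      # Router Advertisement
PLAIN_RA = ipv6(ICMPV6, RA)
SPLIT_CHAIN = ipv6(FRAGMENT, frag(DEST_OPTS, 0, 1) + bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]))
FRAG_RA = ipv6(FRAGMENT, frag(ICMPV6, 0, 1) + RA)
LATER_FRAG = ipv6(FRAGMENT, frag(ICMPV6, 2, 0) + bytes(16))
```

`SPLIT_CHAIN` is the case the first draft addresses: the first fragment ends after a Destination Options header, so the ICMPv6 type is not visible to a device that does not reassemble.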


