[ipv6hackers] (IETF I-D); Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)

Fernando Gont fernando at gont.com.ar
Sat Feb 4 23:45:57 -03 2023


Hi, Andy!

Nice to hear from you! (and thanks for the prompt response!) -- In-line...


On 4/2/23 12:04, Andrew Walding wrote:
> Hi Fernando,
> There is a typo in Section 4.1 I think (sunch instead of such).
> .
> A couple of general comments.
> I think this is a good subject and one that probably needs guidance as this
> document suggests.  That said, I have the following thoughts:
> 
>     - I will start by being a bit picky.  I think the wording describing the
>     issues is spread too vaguely and needs to be more specific as to the
>     addressing issues.  For example in your email you say compared to IPv4
>     where you are usually dealing with "an" address from a private or public
>     network, but in IPv6 a given host could have multiple addresses in multiple
>     prefixes/networks then compounded with the various address types of IPv6,
>     yet this is muddled in the document itself.  I mean that is the point in
>     the end - you cannot deal with IPv6 the same way you deal with IPv4 in this
>     security scenario.

Could you elaborate a bit?


>     - Now let me be general in this second point.  I think there is a
>     big piece missing in this document, and that is what are the correct ways
>     of thinking when it comes to these scenarios with IPv6.  You certainly hint
>     at them, and for those who have implemented IPv6 in firewalls, we get where
>     you are going, but the problem is you really never get to the end game in
>     this draft.  Perhaps that was your intent, so that future drafts would add
>     the necessary detail.

Do you mean, e.g., that the draft should e.g. provide advice such as "do 
not block a single /128, but rather consider blocking a /64 at a 
minimum", and the like? Or something else?

Thanks!

Cheers,
-- 
Fernando Gont
e-mail: fernando at gont.com.ar
PGP Fingerprint: 7F7F 686D 8AC9 3319 EEAD C1C8 D1D5 4B94 E301 6F01
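
The kind of advice mentioned in the reply above (blocking a /64 rather than a single /128), as an added example that is not part of the original message or of the draft. The function names are hypothetical and the sample addresses are constructed from the documentation prefixes 2001:db8::/32 and 192.0.2.0/24.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: source addresses taken from hypothetical log events.
SAMPLE_EVENTS = [
    "2001:db8:1:a:3c1f:9e02:77ab:10",    # one /64, first interface ID
    "2001:db8:1:a:91d4:22ff:fe00:beef",  # same /64, different interface ID
    "2001:db8:1:a:5a6b:7c8d:9eaf:1",     # same /64 again
    "2001:db8:2:b::15",                  # single event from another /64
    "192.0.2.77",                        # IPv4 source, kept as a /32
]

def block_entries(sources, v6_prefixlen=64):
    """Collapse offending sources into blocklist networks.

    IPv6 sources are widened to v6_prefixlen (default /64); IPv4 sources
    stay as /32. Returns {network: number of events it covers}.
    """
    counts = defaultdict(int)
    for text in sources:
        addr = ipaddress.ip_address(text)
        # ::ffff:a.b.c.d is an IPv4 source in IPv6 clothing: treat it as IPv4.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        plen = v6_prefixlen if addr.version == 6 else 32
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        counts[net] += 1
    return dict(counts)

def is_blocked(text, entries):
    """True if the address falls inside any blocklist network."""
    addr = ipaddress.ip_address(text)
    return any(addr.version == net.version and addr in net for net in entries)

if __name__ == "__main__":
    entries = block_entries(SAMPLE_EVENTS)
    for net, hits in sorted(entries.items(), key=lambda kv: str(kv[0])):
        print(f"{net}  events={hits}")
    # An address never seen in the events, but in the same /64 as three of them:
    unseen = "2001:db8:1:a:dead:beef:0:1"
    print("per-/128 list blocks unseen address:", unseen in SAMPLE_EVENTS)
    print("per-/64 list blocks unseen address: ", is_blocked(unseen, entries))
```

A /64 entry also covers every other host on that subnet, so the per-entry event count is worth keeping next to the entry when deciding how long it should stay in place.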

