Last Call Review of draft-ietf-opsec-dhcpv6-shield-04
review-ietf-opsec-dhcpv6-shield-04-secdir-lc-tschofenig-2014-12-11-00

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This document specifies packet filtering criterion so that DHCPv6-server
messages are discarded by the layer-2 device unless they are received
on a specific (previously configured) ports of the layer-2 device.

The document is well-written and I don't see any problems with the
write-up. While specifying packet filtering firewall rules is an
implementation / configuration dependent task that does not require
standardization as such this work follows earlier patterns, namely
the RA-Guard mechanism for the protection against rogue router
advertisements.

The only question I have whether the document type (currently set to
'Best Current Practice') is appropriate.

Ciao
Hannes

PS: Minor editorial nit:

"
Finally, we note that the security of a site employing DHCPv6 Shield
   could be further improved by deploying [I-D.ietf-savi-dhcp], to
   mitigate IPv6 address. spoofing attacks.
                       ^^^
"



Attachment:


signature.asc




Description:

 OpenPGP digital signature