[ipv6-wg] Last call on the replacement of ripe-501 "Requirements for IPv6 in ICT equipment"
Sander Steffann
sander at steffann.nl
Tue Oct 25 16:38:27 CEST 2011
Hi Eric,

> - for host: I am not sure whether IKE/IPsec should be mandatory, this is not always the case NOW and the IETF intends to move this requirement to SHOULD rather than MUST

I agree that we should follow the IETF in this.

> - for host: I would add 'support ingress traffic filters if ingress traffic filters exist for IPv4'

+1

> - consumer grade switches: AFAIK, those cheap switches do not support IGMP snooping, so, why mandating MLD snooping?

I agree. A switch that doesn't do IGMP snooping should not have to do MLD snooping...

> - router and RFC 4213, only the dual-stack part should be supported (as none of us (?) loves tunnels), then the point after (IPsec for tunnels) becomes irrelevant as well as RFC 2473
> - router: I would regroup MLD related in one line RFC 4541 (only when switching is implemented as it has no sense for a pure layer-3) and RFC 3810

Ok

> - router: do we want to have privacy extension for routers as well? Even as an option?
> - router: I would move the /127 to the mandatory part
> - router: can we mandate the uRPF function (anti-spoofing?)
>
> - firewall & co: I would not mandate (optional is ok of course) to inspect protocol-41 packets for tunnels (because what about teredo? Or any other covert channels)

I think it is wise to inspect everything that they can inspect. Protecting against covert channels is orthogonal to proto-41 inspection IMHO.

> - firewall & co: support of RFC 4213 should be mandatory for the dual-stack part, I cannot imagine having a firewall doing encapsulation (option ok of course)

My Juniper SSG and SRX boxes do encapsulation...

> - firewall: mandatory stateful inspection of application traffic transported above IPv6 is the same application is inspected over IPv4

+1

> - load balancers: I would put perhaps a gradation in the different 4-6 6-4 load-balancing
> - load balancers: I fail to see why ISAKMP should be mandatory esp. when IPsec is optional :-)

Ack.

> Hope this helps even if a little late...

Thanks for your feedback Eric :-)
Sander