This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ipv6-wg@ripe.net/
[ipv6-wg] More on IPv6 RA-Guard evasion (IPv6 security)
- Previous message (by thread): [ipv6-wg] More on IPv6 RA-Guard evasion (IPv6 security)
- Next message (by thread): [ipv6-wg] The DFZ and supernetting
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Fernando Gont
fgont at si6networks.com
Tue Sep 6 03:23:17 CEST 2011
Hi, Gunter, On 09/05/2011 05:12 AM, Gunter Van de Velde (gvandeve) wrote: > I gave you my feedback and some advice during the IETF in Quebec in a > 1-2-1 email. > My hopes are that you integrate the feedback. Yes. I'll revise the I-D as proposed. > The draft RA-Guard is correct and needs no fixing. Do you mean the RA-Guard RFC, or my RA-Guard evasion I-D? > I agree that my security section in the RA-Guard RFC > is a bit light on content. However the main thing is that > implementations for RA-Guard use traditional ACLs for achieving the goal > and then ofcours these implementations can be bypassed with well known > and documented ACL's bypass techniques. My I-D is not meant to trash any others' work -- sorry if it came across like that. (the next version of the I-D will be revised as you had suggested off-list) That said (and aside of the project of pursuing this work), I do think that RA-Guard skips important considerations that should be taken into account to implement the "RA-Guard concept" in a real device -- which IMHO are core to the mechanism, rather than just a security consideration. > You can keep rambling the kettle here, Not sure what this expression means (English as second language here) -- anyway I was just asking for feedback. > but keep the above in mind if you desire to proceed with this work. As noted, I'll do. Thanks, -- Fernando Gont SI6 Networks e-mail: fgont at si6networks.com web: http://www.si6networks.com | Twitter: @SI6Networks
- Previous message (by thread): [ipv6-wg] More on IPv6 RA-Guard evasion (IPv6 security)
- Next message (by thread): [ipv6-wg] The DFZ and supernetting
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ ipv6-wg Archives ]