[ipv6-wg] More on IPv6 RA-Guard evasion (IPv6 security)

Hi, Gunter,

On 09/05/2011 05:12 AM, Gunter Van de Velde (gvandeve) wrote:
> I gave you my feedback and some advice during the IETF in Quebec in a
> 1-2-1 email.
> My hopes are that you integrate the feedback.

Yes. I'll revise the I-D as proposed.



> The draft RA-Guard is correct and needs no fixing. 

Do you mean the RA-Guard RFC, or my RA-Guard evasion I-D?



> I agree that my security section in the RA-Guard RFC 
> is a bit light on content. However the main thing is that
> implementations for RA-Guard use traditional ACLs for achieving the goal
> and then ofcours these implementations can be bypassed with well known
> and documented ACL's bypass techniques.

My I-D is not meant to trash any others' work -- sorry if it came across
like that. (the next version of the I-D will be revised as you had
suggested off-list)

That said (and aside of the project of pursuing this work), I do think
that RA-Guard skips important considerations that should be taken into
account to implement the "RA-Guard concept" in a real device -- which
IMHO are core to the mechanism, rather than just a security consideration.


> You can keep rambling the kettle here, 

Not sure what this expression means (English as second language here) --
anyway I was just asking for feedback.


> but keep the above in mind if you desire to proceed with this work.

As noted, I'll do.

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
web: http://www.si6networks.com  |  Twitter: @SI6Networks