Re: Last Call: <draft-ietf-opsec-ip-options-filtering-05.txt> (Recommendations on filtering of IPv4 packets containing IPv4 options.) to Best Current Practice

2013-09-26 10:10:27
At 12:05 16-09-2013, The IESG wrote:
The IESG has received a request from the Operational Security
Capabilities for IP Network Infrastructure WG (opsec) to consider the
following document:
- 'Recommendations on filtering of IPv4 packets containing IPv4 options.'
  <draft-ietf-opsec-ip-options-filtering-05.txt> as Best Current Practice

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf(_at_)ietf(_dot_)org mailing lists by 2013-09-30. Exceptionally, comments 
may be

I took a quick look at the draft.

In Section 4.3.5:

  "Routers, security gateways, and firewalls SHOULD implement an option-
   specific configuration knob ..."

The heading of that section is "Advice". It's better to have an explanation as advice instead of using a RFC 2119 "should".

  'The default setting for this knob SHOULD be "drop", and the
   default setting MUST be documented.'

I guess that the "SHOULD be drop" is obvious. Using a RFC 2119 "must" to state that the default setting must be documented is excessive.

The above comment also applies to Section 4.5.5.

In Section 4.8.5:

  "This option SHOULD be allowed only in controlled environments, where
   the option can be used safely.  [RFC6398] identifies some such
   environments.  In unsafe environments, packets containing this option
   SHOULD be dropped."

There could be one RFC 2119 "should" instead of two in the above.

  "A given router, security gateway, or firewall system has no way of
   knowing a priori whether this option is valid in its operational
   environment.  Therefore, routers, security gateways, and firewalls
   SHOULD, by default, ignore the Router Alert option.  Additionally,
   Routers, security gateways, and firewalls SHOULD have a configuration
   setting that governs their reaction in the presence of packets
   containing the Router Alert option.  This configuration setting
   SHOULD allow to honor and process the option, ignore the option, or
   drop packets containing this option.  The default configuration is to
   ignore the Router Alert option."

The last sentence mentions the default configuration. It looks clear to me. The first (quoted text) RFC 2119 "should" says the same thing.

Regards,
-sm
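An illustration of the option-specific configuration knob the quoted draft text describes (honor, ignore or drop per option, with Router Alert defaulting to "ignore" and unlisted options to the Section 4.3.5 default of "drop"), added here as example code that is not part of the draft or of this message. The policy table, the function names and the constructed sample header are assumptions for the illustration.

```python
import struct

ROUTER_ALERT = 148  # IPv4 option type 0x94 (RFC 2113): copied=1, class=0, number=20

# Assumed policy table standing in for the draft's per-option "knob":
# "honor" hands the packet to option processing, "ignore" forwards it without
# acting on the option, "drop" discards it. Router Alert defaults to "ignore"
# as in the quoted text; options with no knob fall back to "drop" (Section 4.3.5).
DEFAULT_POLICY = {ROUTER_ALERT: "ignore"}
UNLISTED_DEFAULT = "drop"


def parse_ipv4_options(packet: bytes):
    """Return [(type, payload)] from the IPv4 header options field, or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, result, i = packet[20:ihl], [], 0
    while i < len(opts):
        t = opts[i]
        if t == 0:            # End of Option List
            break
        if t == 1:            # No Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        result.append((t, opts[i + 2:i + length]))
        i += length
    return result


def filter_decision(packet: bytes, policy=None) -> str:
    """Return "drop", "honor" or "forward" for the packet under the option policy."""
    policy = DEFAULT_POLICY if policy is None else policy
    try:
        options = parse_ipv4_options(packet)
    except ValueError:
        return "drop"         # malformed option encoding: discard rather than guess
    decision = "forward"
    for t, _payload in options:
        action = policy.get(t, UNLISTED_DEFAULT)
        if action == "drop":
            return "drop"     # one dropped option discards the whole packet
        if action == "honor":
            decision = "honor"  # keep checking: a later option may still drop it
    return decision


def build_ipv4_header(options: bytes, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    """Constructed sample: minimal IPv4 header (checksum zero) with options padded to 4 bytes."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 17, 0, src, dst) + options
```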

