[ipv6-wg] Last call on the replacement of ripe-501 "Requirements for IPv6 in ICT equipment"
Sander Steffann sander at steffann.nl
Tue Oct 25 16:38:27 CEST 2011
Hi Eric,

> - for host: I am not sure whether IKE/IPsec should be mandatory, this is not always the case NOW and the IETF intends to move this requirement to SHOULD rather than MUST

I agree that we should follow the IETF in this.

> - for host: I would add 'support ingress traffic filters if ingress traffic filters exist for IPv4'

+1

> - consumer grade switches: AFAIK, those cheap switches do not support IGMP snooping, so, why mandating MLD snooping?

I agree. A switch that doesn't do IGMP snooping should not have to do MLD snooping...

> - router and RFC 4213, only the dual-stack part should be supported (as none of us (?) loves tunnels), then the point after (IPsec for tunnels) becomes irrelevant as well as RFC 2473
> - router: I would regroup MLD related in one line RFC 4541 (only when switching is implemented as it has no sense for a pure layer-3) and RFC 3810

Ok

> - router: do we want to have privacy extension for routers as well? Even as an option?
> - router: I would move the /127 to the mandatory part
> - router: can we mandate the uRPF function (anti-spoofing?)
>
> - firewall & co: I would not mandate (optional is ok of course) to inspect protocol-41 packets for tunnels (because what about teredo? Or any other covert channels)

I think it is wise to inspect everything that they can inspect. Protecting against covert channels is orthogonal to proto-41 inspection IMHO.

> - firewall & co: support of RFC 4213 should be mandatory for the dual-stack part, I cannot imagine having a firewall doing encapsulation (option ok of course)

My Juniper SSG and SRX boxes do encapsulation...

> - firewall: mandatory stateful inspection of application traffic transported above IPv6 is the same application is inspected over IPv4

+1

> - load balancers: I would put perhaps a gradation in the different 4-6 6-4 load-balancing
> - load balancers: I fail to see why ISAKMP should be mandatory esp. when IPsec is optional :-)

Ack.

> Hope this helps even if a little late...

Thanks for your feedback Eric :-)
Sander