Heads up: IETF 6man poll for adoption of RA-Guard/firewalling/monitoring-related I-Ds


Just wanted to send a heads up regarding two IETF 6man wg polls that
have just been started for adoption of these documents:

* draft-gont-6man-oversized-header-chain-02 (Security and
Interoperability Implications of Oversized IPv6 Header Chains)

* draft-gont-6man-nd-extension-headers-03 (Security Implications of the
Use of IPv6 Extension Headers with IPv6 Neighbor Discovery)

draft-gont-6man-oversized-header-chain-02 requires that when packets are
fragmented, the first fragment must contain the entire IPv6 header
chain. This is important for a number of reasons: it allows for
stateless filtering (both at firewalls and at RA-Guard-like devices),
prevents stateless translators from breaking, etc. The poll for this
document is available at:

draft-gont-6man-nd-extension-headers-03 forbids the use of fragmentation
with Neighbor Discovery. This essentially enables Neighbor Discovery
monitoring in IPv6, thus providing feature parity with IPv4 (think about
arpwatch and the like) -- not to mention that it obviously mitigates
fragmentation-based attacks against Neighbor Discovery and SEND. The
poll for this document is available at:

IMO, these two I-Ds propose small spec updates which could result in
concrete operational and security benefits.


Best regards,