Hi, Gunter,

On 09/05/2011 05:12 AM, Gunter Van de Velde (gvandeve) wrote:
> I gave you my feedback and some advice during the IETF in Quebec in a 1-2-1 email. My hopes are that you integrate the feedback.
Yes. I'll revise the I-D as proposed.
> The draft RA-Guard is correct and needs no fixing.
Do you mean the RA-Guard RFC, or my RA-Guard evasion I-D?
> I agree that my security section in the RA-Guard RFC is a bit light on content. However, the main thing is that implementations for RA-Guard use traditional ACLs for achieving the goal, and then of course these implementations can be bypassed with well-known and documented ACL bypass techniques.
My I-D is not meant to trash any others' work -- sorry if it came across like that (the next version of the I-D will be revised as you had suggested off-list). That said (and aside from the project of pursuing this work), I do think that RA-Guard skips important considerations that should be taken into account to implement the "RA-Guard concept" in a real device -- which IMHO are core to the mechanism, rather than just a security consideration.
> You can keep rambling the kettle here,
Not sure what this expression means (English as second language here) -- anyway I was just asking for feedback.
> but keep the above in mind if you desire to proceed with this work.
As noted, I'll do.

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
web: http://www.si6networks.com | Twitter: @SI6Networks