[ Chairs: Thanks to Paul Hoffman for taking notes ]

OPSEC WG IETF 88 minutes

Text from slides not reproduced here

Meeting administrivia
Happened

Using Only Link-Local Addressing Inside an IPv6 Network - Michael Behringer
draft-ietf-opsec-lla-only-04
Now not recommendations, but instead "use this if"
Made a large number of changes, maybe ready
Joel Jaeggli: didn't like the document but can live with it
Still missing: operator experience and motivation as an appendix
Warren: asks Joel if there should be another WG LC
Wes George: needs to do another pass to see if all his comments were addressed
Still a little light on details on comparison to not carrying link addresses in IGP
Also light on ways this can break, wants more detail
This is now brittle
Wants more simple pros and cons
Michael: but algorithms can break too
Wes: this is sufficiently uncommon vs. code that is well-exercised
Michael pushed back a bit about whether this is specific to this problem
Wes: brittleness in diagnostics
Jen Linkova: a question about using LL sources for links that are off-link
Wants to know what is next
Warren wants more feedback, and wants to check for more feedback
Four more people volunteered to do reviews within a few weeks

Security Assessment of Neighbor Discovery (ND) for IPv6 - Fernando Gont
draft-ietf-opsec-ipv6-nd-security-00
Goal is to do sanity checks on some aspects of ND
Eric (?): What is the threat model for router advertisements with lifetime > 0?
May want to have some mitigations, but sanity checks are also good
You want to check for misconfiguration that will help an attacker
Tim Chown: If you want to disable an RA, there is a trick to do that
Warren: What if all the routers have a lifetime of zero, should you
Jen: Sets lifetimes to zero on purpose
Fernando: There are a few edge cases
Jen: wants to move the traffic away from the router
Really wants no traffic to that router
Fernando: This isn't in the draft yet
Jen: wants to be able to keep that ability
Jen: Difference between this and RFC 4861?
Fernando: These are additional checks, and have references
Gunter Van de Velde: Needs to be more specific about what is new in the draft
Tim: Might be using zero when renumbering
Wes: Some places sound prescriptive
Could be BCP or Informational
Maybe break it into two drafts
Tim: Need to be specific about threats
UNH has many test suites, maybe there is overlap
Warren: Do you also say "you can provide a knob on what they can do"?
KK Chittimaneni: Thought there was scope for two drafts?
A few hums, more towards keeping it as one
Warren: More people should review the draft

Balanced Security for IPv6 CPE - Guillaume Leclanche
draft-ietf-v6ops-balanced-ipv6-security-00
Lee Howard: A big theme should be which ports are blocked
How do you know there have been no known issues?
Wes: CPE drafts are good, but it is easy to kill the boxes
They're underpowered
Should be documented somewhere