Note taker: Eric Vyncke
Jabber scribe: Chris Grundemann

OPSEC WG
=========

Admin status

No meeting at IETF-91. Published: RFC 7359 (L3VPN traffic leakage in dual-stack), RFC 7404 (using link-local addresses only), RFC 7454 (BGP operations and security). DHCPv6-Shield is in IESG processing; draft-ietf-opsec-ipv6-host-scanning is waiting for the shepherd to progress it.

Operational security considerations for IPv6 (draft-ietf-opsec-v6), Eric Vyncke

The work is 99% done and the authors are only beautifying the text, so the authors want to go to WGLC.
Fernando: the document was good when he read it 1 year ago.

Recommendations on filtering IPv6 packets with extension headers, Fernando Gont

This is the IPv6 version of RFC 7126: it summarizes the security and operational implications of IPv6 extension headers and IPv6 options. The goal is to provide operational advice on how to filter such IPv6 packets.
Changes: the document now assumes RFC 7045 is applied first; for Hop-by-Hop options it adds rate-limiting, or dropping as a last option. The focus is not on default behaviour but on operational configurations.
TODO: summary table; some sections are still placeholders waiting to be finalized.
Fernando asked whether we need additions or new topics.
Jen & Merike: should have at least two use cases, transit provider and end user.

Defeating attacks which employ forged ICMP/ICMPv6 error messages, Fernando Gont
draft-gont-opsec-icmp-ingress-filtering

The discussion was mainly done on the V6OPS mailing list. BCP 38 does not address ICMP-based attacks (such as reducing the MTU) where the outer source address of the ICMP error message is not spoofed (because ICMP errors can legitimately be generated by routers on the path) but the message embedded inside it is forged.
Proposal: do uRPF or an ACL on the packet embedded inside the ICMP error message.
Jen: too specific a solution (no support for asymmetric routing, ...) and could cause more harm than good; BCP 38 protects the others from the source, and this proposal is different (protecting the destination).
Merike: afraid of requiring DPI everywhere.
Jen: should fix host implementations, because they should check the embedded packet to verify that the original packet is one of theirs.
Fernando: not always possible with a long extension header chain (no layer 4 in the embedded packet).
Fernando: Linux does not do this check beyond the address.
Jen: the damage of this could be worse than the cure.
Eric: dropping control packets such as ICMP could be very damaging.
Igor (Yahoo): could only apply (and perhaps should) from the access network, not transit.
Merike: should do multiple use cases on the mailing list.
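Worked illustration of the filter discussed above, added to these minutes as an example; it is not code from draft-gont-opsec-icmp-ingress-filtering or from any of the speakers. It applies a uRPF/ACL-style check to the original packet embedded in an ICMPv6 error (the embedded source must be the error's destination and must belong to the prefix behind the filter), and separately reports whether the embedded copy still carries transport ports, which is the data a host would need for the per-connection check Jen asked for and which Fernando noted is missing when the extension header chain is long. The prefix, addresses and packets are all constructed sample data.

```python
"""Destination-side ingress check on the packet embedded in an ICMPv6 error (added example)."""
import ipaddress
import struct

ICMPV6 = 58
ICMPV6_ERROR_TYPES = {1, 2, 3, 4}   # Dest Unreachable, Packet Too Big, Time Exceeded, Parameter Problem
# Extension headers walked to reach the upper layer. ESP (50) is omitted: its contents are opaque.
EXT_HEADERS = {0, 43, 44, 51, 60, 135, 139, 140}
FRAGMENT, AH = 44, 51


def build_ipv6(src, dst, next_header, payload):
    """Constructed IPv6 fixed header (version 6, hop limit 64) followed by payload."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def build_packet_too_big(router, target, mtu, embedded):
    """Constructed ICMPv6 Packet Too Big (type 2) from `router` to `target` carrying `embedded`.
    The ICMPv6 checksum is left zero; the filter below does not verify it."""
    return build_ipv6(router, target, ICMPV6, struct.pack("!BBHI", 2, 0, 0, mtu) + embedded)


def skip_extension_headers(buf, nh, off):
    """Follow the extension header chain from (nh, off). Returns (next_header, offset) of the first
    non-extension header, or None if the chain runs past the end of buf."""
    while nh in EXT_HEADERS:
        if off + 8 > len(buf):
            return None
        if nh == FRAGMENT:
            length = 8                       # Fragment header is fixed-size
        elif nh == AH:
            length = (buf[off + 1] + 2) * 4  # AH: Payload Len in 32-bit words, minus 2
        else:
            length = (buf[off + 1] + 1) * 8  # Hdr Ext Len in 8-octet units, excluding the first 8
        nh, off = buf[off], off + length
    return (nh, off) if off <= len(buf) else None


def embedded_ports_visible(inner):
    """True if the embedded original packet still contains TCP/UDP ports, so a host could match it
    against its own connections. A long extension header chain or ICMPv6 truncation defeats this."""
    reached = skip_extension_headers(inner, inner[6], 40)
    if reached is None:
        return False
    nh, off = reached
    return nh in (6, 17) and off + 4 <= len(inner)


def check_icmpv6_error(pkt, protected_prefixes):
    """Ingress check for an ICMPv6 error arriving at the edge of the network owning
    `protected_prefixes`. Returns (accept, reason); non-error traffic is out of scope and passes."""
    if len(pkt) < 40:
        return False, "truncated outer IPv6 header"
    reached = skip_extension_headers(pkt, pkt[6], 40)
    if reached is None:
        return False, "truncated outer extension header chain"
    nh, off = reached
    if nh != ICMPV6:
        return True, "not ICMPv6"
    icmp = pkt[off:]
    if len(icmp) < 8:
        return False, "truncated ICMPv6 header"
    if icmp[0] not in ICMPV6_ERROR_TYPES:
        return True, "informational ICMPv6"
    inner = icmp[8:]
    if len(inner) < 40:
        return False, "embedded packet lacks a full IPv6 header"
    outer_dst = ipaddress.IPv6Address(pkt[24:40])
    inner_src = ipaddress.IPv6Address(inner[8:24])
    # An ICMPv6 error is sent to the source of the offending packet, so the embedded source
    # must equal the error's destination ...
    if inner_src != outer_dst:
        return False, "embedded source differs from error destination"
    # ... and, like BCP 38 applied in reverse, that address must lie behind this filter.
    if not any(inner_src in p for p in protected_prefixes):
        return False, "embedded source not in protected prefix"
    return True, "ok"


# Constructed sample data (hypothetical documentation addresses).
PROTECTED = [ipaddress.IPv6Network("2001:db8:1::/48")]
VICTIM, REMOTE, ROUTER, ATTACKER = "2001:db8:1::10", "2001:db8:2::1", "2001:db8:ffff::1", "2001:db8:9::5"
TCP_SEGMENT = struct.pack("!HH", 443, 51000) + b"\x00" * 16    # ports plus the rest of a 20-byte TCP header

# Legitimate PTB from an on-path router: the embedded packet really was sent by VICTIM.
LEGIT = build_packet_too_big(ROUTER, VICTIM, 1280, build_ipv6(VICTIM, REMOTE, 6, TCP_SEGMENT))
# Forged PTB: plausible outer addresses, but the embedded packet claims a source VICTIM never used.
FORGED = build_packet_too_big(ROUTER, VICTIM, 1280, build_ipv6(ATTACKER, REMOTE, 6, TCP_SEGMENT))
# Embedded copy with a Hop-by-Hop header, cut off before its TCP header as an ICMPv6 copy may be.
HBH = bytes([6, 1, 1, 12]) + b"\x00" * 12    # next=TCP, Hdr Ext Len=1 (16 bytes), one PadN option
TRUNCATED = build_packet_too_big(ROUTER, VICTIM, 1280, build_ipv6(VICTIM, REMOTE, 0, HBH + TCP_SEGMENT)[:56])

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("forged", FORGED), ("truncated", TRUNCATED)):
        # Outer packets above carry no extension headers, so the embedded copy starts at 40 + 8.
        print(name, check_icmpv6_error(pkt, PROTECTED), "ports visible:", embedded_ports_visible(pkt[48:]))
```

The "truncated" sample passes the address-level check but reports no visible ports, which is the gap Fernando described: an edge filter can still compare addresses, while a host wanting to match the embedded packet against its own connections has nothing to match. An attacker who knows the victim's address can of course forge an embedded source that satisfies this check, so the filter only removes the blind, untargeted variant; and, as Jen noted, a strict prefix match assumes the error enters where the protected prefix is routed, which asymmetric routing breaks.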