[Bp_ipv6] RIPE-554: BCOP Document for IPv6 Equipment Purchase

Merike Kaeo merike at doubleshotsecurity.com
Wed Nov 9 18:50:36 EST 2016


Hello…

Some added notes…

> On Nov 9, 2016, at 6:51 AM, Izumi Okutani <izumi at nic.ad.jp> wrote:
> 
>> I somehow failed to spot that this documents are not included, specially RIPE-554 might make sense for governments (given that we started it because our government asked us to ;) :) :) )
> 
> Indeed and would make great addition for our document which cover about state of support by vendors (Section 4.2.6). There is also a part of the document which mentions a request for government to encourage vendor support. If people agree with this, we can also refer to ripe-554 as to what is needed.
> 
> Any other suggestions on how we refer to ripe-554 in our BPF document is welcome!
> 
> 
>> As I'm the primary author of both documents and if you want to mention them - I can help with some surrounding text for better understanding what is what.
> 
> Excellent Jan - thank you very much for volunteering.

I’ll help where RIPE-554 is concerned as well since I am a co-author.  And was very involved in many security related aspects which I do hope get some focus.

Which has me bringing up the point of filtering on extension headers. I apologize in advance for not looking at current version of document as to how this is covered but I am *very* concerned with the operational practice of dropping all IPv6 packets with ANY extension headers.  This means any packets that are fragmented will get dropped.  Which in turn causes issues and potential breakages for some protocols (specifically DNSSEC).  I know Geof Huston has discussed this in some of his talks and certanly there’s references to IETF work and work done by Jen Linkova.  I am hoping there is some language that gives guidance on vendors who should have capability to give granular configuration capability to drop some packets with Extension Headers but have some granularity associated with it.

Also, about 18 or so month ago the largest ISP in Estonia deployed IPv6 and Tarko Tikkan, the main engineer, wrote something up for RIPE NCC Labs:  https://labs.ripe.net/Members/tarko_tikan/ipv6-deployment-in-estonia <https://labs.ripe.net/Members/tarko_tikan/ipv6-deployment-in-estonia>

If that hasn’t yet been referenced, perhaps useful to do so.

I am currently in Amsterdam and tomorrow speaking at the O’Reilly Security conference but if any more input is needed I’ll be happy to take a look again on Friday or the weekend.

- merike

> 
> 
> Ideally, if there is a comparison of the requirements listed in  ripe-44 and identify areas where there needs to be more equipment support, that would be very nice.
> Anyone able to help?
> 
> 
> 
> Izumi
> 
> On 2016/11/09 22:53, Jan Zorz - Go6 wrote:
>> On 09/11/2016 13:23, Sumon Ahmed Sabir wrote:
>>> 
>>> Hi Everyone,
>>> 
>>> Just to share a good reference for IPv6 Compatibility requirement.
>>> 
>>> https://www.ripe.net/publications/docs/ripe-554
>>> 
>>> Can be a good reference for the government policy and also for any
>>> organization making future purchase decision.
>>> 
>>> Should come to our document as reference.
>>> 
>>> Another good one again from RIPE too.
>>> 
>>> IPv6 trouble shooting for residential ISP:
>>> 
>>> https://www.ripe.net/publications/docs/ripe-631
>> 
>> Sumon, thnx!
>> 
>> I somehow failed to spot that this documents are not included, specially RIPE-554 might make sense for governments (given that we started it because our government asked us to ;) :) :) )
>> 
>> As I'm the primary author of both documents and if you want to mention them - I can help with some surrounding text for better understanding what is what.
>> 
>> Cheers from Macedonia, Jan
>> 
>> _______________________________________________
>> Bp_ipv6 mailing list
>> Bp_ipv6 at intgovforum.org
>> http://intgovforum.org/mailman/listinfo/bp_ipv6_intgovforum.org
> 
> 
> _______________________________________________
> Bp_ipv6 mailing list
> Bp_ipv6 at intgovforum.org
> http://intgovforum.org/mailman/listinfo/bp_ipv6_intgovforum.org
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://intgovforum.org/pipermail/bp_ipv6_intgovforum.org/attachments/20161109/ccb61b68/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://intgovforum.org/pipermail/bp_ipv6_intgovforum.org/attachments/20161109/ccb61b68/attachment.sig>


More information about the Bp_ipv6 mailing list