On Fri, 2004-04-30 at 14:49, Pekka Savola wrote:
> (co-chair hat on)
>
> As there was slight preference to having this as WG item, and it is
> very important to gain consensus on the requirements for a tunnel
> server solution, please publish the next revision under
> draft-ietf-v6ops -label, making this a WG item.
>
> The WG participants are already urged to review and provide feedback
> on the document. If you want to "catch" this revision cycle, please
> send your comments by next Wednesday, 5th May.

You have my 'vote' too for making this document a WG item.

My comments:

4 mentions "(initial tryout)"; is that in the wording of "try unauthenticated first, then authenticated", or is it meant for something else?

4 also mentions that the 'unauthenticated' mode can be aimed for tryout. Does this mean that using source IP is 'authenticated'?

4.2: The 'non-authenticated' part should be taken away here, as it should also be available for authenticated modes. E.g. the user knows his user/pass for the ISP and then runs the tool(tm), or automatically, the tool pops up and notices "I automatically found Example ISP, can you login?"

4.4: s/victim's uplink/victim's downlink/ or better 'link', as it can be done two way. Though I do not know of many protocols that will actually send a lot of traffic to a host without asking for an ack every now and then ;) Multicast is not that widely deployed unfortunately, though that would still ask for keepalives from the

One base item of course: ingress filtering, to which I would also add that the Tunnel Servers should do egress filtering, limiting what the tunnel can send onto the internet unless there is an agreement with the ISP that it is allowed to send other prefixes. Note that this is currently a big problem in the IPv6 Internet, where a lot of ISPs allow any prefix to be sent onto the internet -> spoofing, not only 'transit'.

Also in 4.4: s/IPv4 return routability checks/IPv6 return routability checks/

I like the 'clear text password is out' btw.
IMHO MD5 suffices for most setups; SHA1 or up could be used instead, so there should be a possibility to select an authentication protocol.

Greets,
 Jeroen
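The ingress/egress filtering point above (a tunnel server should only forward decapsulated traffic whose IPv6 source lies in the prefix it actually delegated to that tunnel, not merely any prefix the ISP carries) is easy to show as a packet filter. The following is an added illustration written for this thread, not code from the draft or from any tunnel broker implementation; the session table, the ISP-agreed prefix and the packets are constructed sample data, and `ingress_ok`, `egress_ok` and `filter_packets` are hypothetical names. `strict=False` models the lax behaviour the mail complains about (only the ISP-wide agreement is checked, so one tunnel user can spoof another tunnel's prefix); `strict=True` is the per-tunnel egress filter being asked for.

```python
import ipaddress
from dataclasses import dataclass

# Constructed tunnel-server session table: the client's IPv4 endpoint
# maps to the IPv6 prefix(es) the server delegated to that tunnel.
TUNNELS = {
    "192.0.2.10": [ipaddress.ip_network("2001:db8:1::/48")],
    "198.51.100.7": [ipaddress.ip_network("2001:db8:2::/64")],
}

# Constructed: the aggregate the upstream ISP has agreed to accept from the
# tunnel server at all (the "agreement with the ISP" in the mail).
ISP_AGREED = [ipaddress.ip_network("2001:db8::/32")]


@dataclass
class TunnelPacket:
    outer_src_v4: str   # IPv4 source of the encapsulating packet
    inner_src_v6: str   # IPv6 source of the decapsulated packet
    inner_dst_v6: str   # IPv6 destination of the decapsulated packet


def ingress_ok(pkt: TunnelPacket) -> bool:
    """Ingress filter: only accept encapsulated packets from a known tunnel endpoint."""
    return pkt.outer_src_v4 in TUNNELS


def egress_ok(pkt: TunnelPacket, strict: bool = True) -> bool:
    """Egress filter on the decapsulated IPv6 packet.

    Lax mode (strict=False) only checks the ISP-wide agreement, so any tunnel
    user may source traffic from any prefix the ISP carries.
    Strict mode additionally requires the inner source to fall inside the
    prefix delegated to this particular tunnel, which stops cross-tunnel
    spoofing.
    """
    src = ipaddress.ip_address(pkt.inner_src_v6)
    if not any(src in net for net in ISP_AGREED):
        return False
    if not strict:
        return True
    return any(src in net for net in TUNNELS.get(pkt.outer_src_v4, []))


def filter_packets(packets, strict: bool = True):
    """Apply ingress then egress filtering; return (forwarded, dropped).

    dropped is a list of (packet, reason) tuples so the decision is auditable.
    """
    forwarded, dropped = [], []
    for pkt in packets:
        if not ingress_ok(pkt):
            dropped.append((pkt, "ingress: unknown tunnel endpoint"))
        elif not egress_ok(pkt, strict=strict):
            dropped.append((pkt, "egress: source not permitted for this tunnel"))
        else:
            forwarded.append(pkt)
    return forwarded, dropped


# Constructed sample traffic.
SAMPLE = [
    # legitimate: source inside the prefix delegated to this tunnel
    TunnelPacket("192.0.2.10", "2001:db8:1::5", "2001:db8:ffff::1"),
    # spoofs the prefix delegated to a *different* tunnel
    TunnelPacket("192.0.2.10", "2001:db8:2::9", "2001:db8:ffff::1"),
    # source outside anything the ISP agreed to carry
    TunnelPacket("198.51.100.7", "2001:db9::1", "2001:db8:ffff::1"),
    # encapsulating packet from an endpoint with no tunnel at all
    TunnelPacket("203.0.113.99", "2001:db8:1::7", "2001:db8:ffff::1"),
]


def counts(strict: bool = True):
    """Number of forwarded and dropped packets for SAMPLE under the given mode."""
    fwd, drp = filter_packets(SAMPLE, strict=strict)
    return len(fwd), len(drp)


if __name__ == "__main__":
    for mode in (False, True):
        fwd, drp = filter_packets(SAMPLE, strict=mode)
        print(f"strict={mode}: forwarded={len(fwd)} dropped={len(drp)}")
        for pkt, why in drp:
            print(f"  drop {pkt.outer_src_v4} -> {pkt.inner_src_v6}: {why}")
```

Running it shows the difference the mail is after: in lax mode the cross-tunnel spoof from 192.0.2.10 claiming 2001:db8:2::9 is forwarded, because the ISP carries 2001:db8::/32 as a whole; in strict mode it is dropped, while the legitimate packet and the two that fail the ingress or ISP-wide checks are treated the same in both modes. A real tunnel server would install the same per-tunnel source check as a packet-filter rule on the tunnel interface rather than in userspace.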