Folks, Just wanted to send a heads up regarding two IETF 6man wg polls that have just been started for adoption of these documents: * draft-gont-6man-oversized-header-chain-02 (Security and Interoperability Implications of Oversized IPv6 Header Chains) * draft-gont-6man-nd-extension-headers-03 (Security Implications of the Use of IPv6 Extension Headers with IPv6 Neighbor Discovery) draft-gont-6man-oversized-header-chain-02 requires that when packets are fragmented, the first fragment must contain the entire IPv6 header chain. This is important for a number of reasons: it allows for stateless filtering (both at firewalls and at RA-Guard-like devices), prevents stateless translators from breaking, etc. The poll for this document is available at: <http://www.ietf.org/mail-archive/web/ipv6/current/msg15989.html> draft-gont-6man-nd-extension-headers-03 forbids the use of fragmentation with Neighbor Discovery. This essentially enables Neighbor Discovery monitoring in IPv6, thus providing feature parity with IPv4 (think about arpwatch and the like) -- not to mention that it obviously mitigates fragmentation-based attacks against Neighbor Discovery and SEND. The poll for this document is available at: <http://www.ietf.org/mail-archive/web/ipv6/current/msg15990.html> IMO, these two I-Ds propose small spec updates which could result in concrete operational and security benefits. Thanks! Best regards, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@si6networks.com PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1