Hi Eric,
- for host: I am not sure whether IKE/IPsec should be mandatory, this is not always the case NOW and the IETF intends to move this requirement to SHOULD rather than MUST
I agree that we should follow the IETF in this.
- for host: I would add 'support ingress traffic filters if ingress traffic filters exist for IPv4'
+1
- consumer grade switches: AFAIK, those cheap switches do not support IGMP snooping, so, why mandating MLD snooping?
I agree. A switch that doesn't do IGMP snooping should not have to do MLD snooping...
- router and RFC 4213: only the dual-stack part should be supported (as none of us (?) loves tunnels), then the point after (IPsec for tunnels) becomes irrelevant as well as RFC 2473
- router: I would regroup MLD related in one line: RFC 4541 (only when switching is implemented as it has no sense for a pure layer-3) and RFC 3810
Ok
- router: do we want to have privacy extension for routers as well? Even as an option?
- router: I would move the /127 to the mandatory part
- router: can we mandate the uRPF function (anti-spoofing)?
- firewall & co: I would not mandate (optional is ok of course) to inspect protocol-41 packets for tunnels (because what about teredo? Or any other covert channels)
I think it is wise to inspect everything that they can inspect. Protecting against covert channels is orthogonal to proto-41 inspection IMHO.
- firewall & co: support of RFC 4213 should be mandatory for the dual-stack part, I cannot imagine having a firewall doing encapsulation (option ok of course)
My Juniper SSG and SRX boxes do encapsulation...
- firewall: mandatory stateful inspection of application traffic transported above IPv6 if the same application is inspected over IPv4
+1
- load balancers: I would put perhaps a gradation in the different 4-6 / 6-4 load-balancing
- load balancers: I fail to see why ISAKMP should be mandatory esp. when IPsec is optional :-)
Ack.
Hope this helps even if a little late...
Thanks for your feedback Eric :-)

Sander