Hi Tal,

Thanks for the follow-up. You’re right — upon re-reading the current -11 text, points (1) and (2) are already addressed:

1. Boundary enforcement expectations: see Section 7.1.1 (“Trusted Domains and Filtering” overview) and the concrete drop conditions in Section 7.1.3 (“Address Range Filtering”), which summarize the filtering behavior at ingress and at SRv6-enabled nodes.
2. Extension header / operational handling: Section 7.1.2 (“SRH Filtering”) explicitly discusses filtering of IPv6 packets with extension headers (including the RFC9288 reference), and Section 8.1 (“Middle Box Filtering Issues”) further covers middlebox/security-device behavior and related operational implications.

Regarding point (3): I agree it is not a separate subsection — it was meant as an editorial suggestion to keep mitigations anchored to concrete operational controls (filters/policy rules) rather than only descriptive text.

Given that Section 7.1.3 already provides concrete, actionable filtering conditions, I’m satisfied and don’t think additional changes are required. If anything, a purely editorial one-liner could mention that these filtering behaviors are typically realized via ACL/policy filters, but that’s optional.

Thanks again,
Meir Goldman
FAZON Foundation
[email protected]
https://fazon.org

________________________________
From: Tal Mizrahi <[email protected]>
Sent: March 3, 2026 12:25
To: Meir Goldman <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [spring] WGLC comment on draft-ietf-spring-srv6-security (operationally enforceable mitigations)

Hi Meir,

Thanks for generating these comments.
In my opinion, points 1 and 2 that you mentioned are already addressed in the current version of the document. Can you please reconsider whether these points were mentioned by mistake?
Regarding point 3, I am not aware that it is applicable to any of the existing sections. Can you please point to a specific subsection?

Thanks,
Tal.

On Fri, Feb 13, 2026 at 11:13 AM Meir Goldman <[email protected]> wrote:
>
> The draft is valuable as a security considerations document, but I suggest
> emphasizing operationally enforceable guidance:
>
> 1) Clearly state boundary enforcement expectations (who is allowed to inject
> SRH/segments; what must be filtered/dropped at domain edges).
> 2) Add explicit guidance on extension header / fragmentation handling so
> mitigations remain effective in real deployments.
> 3) Where possible, tie mitigations to concrete controls (ACLs/policy
> filters/strict validation of SRH and segment lists) rather than only
> descriptive text.
>
> Regards,
>
> Meir Goldman
> FAZON Foundation
> [email protected]
> https://fazon.org
> _______________________________________________
> spring mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
