Re: [auth48] AUTH48: RFC-to-be 9288 <draft-ietf-opsec-ipv6-eh-filtering-10> for your review
Fernando Gont <fgont@si6networks.com> Tue, 09 August 2022 11:10 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: auth48archive@ietfa.amsl.com
Delivered-To: auth48archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBC4BC15C531; Tue, 9 Aug 2022 04:10:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A87p2qLXIcTZ; Tue, 9 Aug 2022 04:10:50 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56AAEC15C52B; Tue, 9 Aug 2022 04:10:48 -0700 (PDT)
Received: from [IPV6:2001:67c:27e4:c::1001] (unknown [IPv6:2001:67c:27e4:c::1001]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id DD5BE2800EE; Tue, 9 Aug 2022 11:10:34 +0000 (UTC)
Content-Type: multipart/mixed; boundary="------------Q0csOrGfbApsRgRbZzdAQEco"
Message-ID: <9e2b5b04-f8d3-f542-692d-2ec07e89ccca@si6networks.com>
Date: Tue, 09 Aug 2022 08:10:32 -0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1
Content-Language: en-US
To: rfc-editor@rfc-editor.org, liushucheng@huawei.com
Cc: opsec-ads@ietf.org, opsec-chairs@ietf.org, evyncke@cisco.com, Warren Kumari <warren@kumari.net>, auth48archive@rfc-editor.org, "fernando@gont.com.ar" <fernando@gont.com.ar>
References: <20220808235311.ED785194CBB0@rfcpa.amsl.com>
From: Fernando Gont <fgont@si6networks.com>
In-Reply-To: <20220808235311.ED785194CBB0@rfcpa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/OlsyiruUJZ4kd6K2-695cOrptA8>
Subject: Re: [auth48] AUTH48: RFC-to-be 9288 <draft-ietf-opsec-ipv6-eh-filtering-10> for your review
X-BeenThere: auth48archive@rfc-editor.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Archiving AUTH48 exchanges between the RFC Production Center, the authors, and other related parties" <auth48archive.rfc-editor.org>
List-Unsubscribe: <https://mailman.rfc-editor.org/mailman/options/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/auth48archive/>
List-Post: <mailto:auth48archive@rfc-editor.org>
List-Help: <mailto:auth48archive-request@rfc-editor.org?subject=help>
List-Subscribe: <https://mailman.rfc-editor.org/mailman/listinfo/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Aug 2022 11:10:54 -0000
Hi, RFC-Ed, Attached you'll find my edits for the aforementioned upcoming RFC. You will find my comments and responses marked with "[fgont]" within the attached XML source. Some meta issues: 1) It seems that bullets have been removed from your edited version, but I believe the use of bullets is good when listing items (such as IPv6 options) 3) In several parts we used "RFC3692-Style experiments", since that's how these options and EHs are marked/specified in [RFC3692] and [RFC4727]. I've just realized that this your style guidelines recommend against this. OTOH, that how the corresponding options/headers are defined specified in the corresponding RFCs (RFC3692 and RFC4927). Thoughts? Thanks! Regards, Fernando On 8/8/22 20:53, rfc-editor@rfc-editor.org wrote: > Authors, > > While reviewing this document during AUTH48, please resolve (as necessary) the following questions, which are also in the XML file. > > 1) <!-- [rfced] Please insert any keywords (beyond those that appear in > the title) for use on https://www.rfc-editor.org/search. > --> > > > 2) <!--[rfced] We see a number of author-inserted comments in the .xml file for this > document. We are unsure if these have been resolved. Please review and let us know > if these can be deleted or if they need to be addressed. > --> > > > 3) <!--[rfced] May we update this text as follows to add "IPv6" before > "option type"? Additionally, may we update instances of "IPv6 option > type" to "IPv6 Option Type" per use in RFC 7731? > > Original: > * Permit this IPv6 EH or IPv6 Option type. > > * Drop packets containing this IPv6 EH or option type. > > * Reject packets containing this IPv6 EH or option type (where the > packet drop is signaled with an ICMPv6 error message). > > * Rate-limit traffic containing this IPv6 EH or option type. > > * Ignore this IPv6 EH or option type (as if it was not present) and > process the packet according the rules for the remaining headers. > > Perhaps: > * Permit this IPv6 EH or IPv6 Option Type. > > * Drop packets containing this IPv6 EH or IPv6 Option Type. > > * Reject packets containing this IPv6 EH or IPv6 Option Type (where the > packet drop is signaled with an ICMPv6 error message). > > * Rate-limit traffic containing this IPv6 EH or IPv6 Option Type. > > * Ignore this IPv6 EH or IPv6 Option Type (as if it was not present), and > process the packet according the rules for the remaining headers. > --> > > > 4) <!-- [rfced] Please review whether any of the notes in this document > should be in the <aside> element. It is defined as "a container for > content that is semantically less important or tangential to the > content that surrounds it" (https://xml2rfc.tools.ietf.org/xml2rfc-doc.html#name-aside-2). > --> > > > 5) <!--[rfced] Should instances of "CALIPSO option" be updated to > "CALIPSO" to avoid redundancy (if expanded, "CALIPSO option" > would be read as "Common Architecture Label IPv6 Security Option > option". Please review and let us know if any updates are needed. > --> > > > 6) <!--[rfced] The following introductory sentence needs more context > (i.e., why is the Quick-Start functionality being disabled?). > Please let us know if the suggested text is agreeable or if you > prefer otherwise. > > Original: > 4.4.9.4. Operational and Interoperability Impact if Blocked > > The Quick-Start functionality would be disabled, and additional > delays in TCP's connection establishment (for example) could be > introduced. (Please see Section 4.7.2 of [RFC4782].) > > Perhaps: > 4.4.9.4. Operational and Interoperability Impact If Blocked > > If the Quick-Start functionality is blocked, it would be disabled, and > additional delays in the TCP's connection establishment, for example, > could be introduced; please see Section 4.7.2 of [RFC4782]. > --> > > > 7) <!--[rfced] For consistency, we updated "Hop-by-Hop Option headers" to "Hop-by-Hop Options headers" in the following. If that is not correct, please let us know. > > Original: > This option is specified in [RFC7731], and is meant to be included > only in Hop-by-Hop Option headers. > > Perhaps: > This option is specified in [RFC7731] and is meant to be included > only in Hop-by-Hop Options headers. > --> > > > 8) <!--[rfced] May we update the latter part of this sentence for clarity as follows? > > Original: > This option is employed by Identifier-Locator Network Protocol > for IPv6 (ILNPv6) for providing protection against off-path attacks > for packets when ILNPv6 is in use, and as a signal during initial > network-layer session creation that ILNPv6 is proposed for use with > this network-layer session, rather than classic IPv6. > > Perhaps: > This option is employed by the Identifier-Locator Network Protocol > for IPv6 (ILNPv6) to provide protection against off-path attacks > for packets when ILNPv6 is in use and as a signal during initial > network-layer session creation where ILNPv6 is proposed for use > rather than classic IPv6. > --> > > > 9) <!-- [rfced] Throughout the text, the following terminology appears to be used > inconsistently. Please review these occurrences and let us know if/how they > may be made consistent. > > - Hop-by-Hop Options header vs. Hop-by-Hop Options EH > [Note: are these terms different or the same?] > > - IPv6 packet vs. IPv6 Packet > - Routing Header Type vs. Routing Type > - IP Option vs. IP options (note: capitalized in RFC 6744) > - MPL Option vs. MPL option (note: capitalized in RFC 7731) > - RPL Option vs. RPL option (note: capitalized in RFC 9008)) > --> > > > 10) <!-- [rfced] Please review the "Inclusive Language" portion of the online > Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> > and let us know if any changes are needed. > --> > > > Thank you. > > RFC Editor/ap/kc > > > On Aug 8, 2022, at 4:47 PM, rfc-editor@rfc-editor.org wrote: > > *****IMPORTANT***** > > Updated 2022/08/08 > > RFC Author(s): > -------------- > > Instructions for Completing AUTH48 > > Your document has now entered AUTH48. Once it has been reviewed and > approved by you and all coauthors, it will be published as an RFC. > If an author is no longer available, there are several remedies > available as listed in the FAQ (https://www.rfc-editor.org/faq/). > > You and you coauthors are responsible for engaging other parties > (e.g., Contributors or Working Group) as necessary before providing > your approval. > > Planning your review > --------------------- > > Please review the following aspects of your document: > > * RFC Editor questions > > Please review and resolve any questions raised by the RFC Editor > that have been included in the XML file as comments marked as > follows: > > <!-- [rfced] ... --> > > These questions will also be sent in a subsequent email. > > * Changes submitted by coauthors > > Please ensure that you review any changes submitted by your > coauthors. We assume that if you do not speak up that you > agree to changes submitted by your coauthors. > > * Content > > Please review the full content of the document, as this cannot > change once the RFC is published. Please pay particular attention to: > - IANA considerations updates (if applicable) > - contact information > - references > > * Copyright notices and legends > > Please review the copyright notice and legends as defined in > RFC 5378 and the Trust Legal Provisions > (TLP – https://trustee.ietf.org/license-info/). > > * Semantic markup > > Please review the markup in the XML file to ensure that elements of > content are correctly tagged. For example, ensure that <sourcecode> > and <artwork> are set correctly. See details at > <https://authors.ietf.org/rfcxml-vocabulary>. > > * Formatted output > > Please review the PDF, HTML, and TXT files to ensure that the > formatted output, as generated from the markup in the XML file, is > reasonable. Please note that the TXT will have formatting > limitations compared to the PDF and HTML. > > > Submitting changes > ------------------ > > To submit changes, please reply to this email using ‘REPLY ALL’ as all > the parties CCed on this message need to see your changes. The parties > include: > > * your coauthors > > * rfc-editor@rfc-editor.org (the RPC team) > > * other document participants, depending on the stream (e.g., > IETF Stream participants are your working group chairs, the > responsible ADs, and the document shepherd). > > * auth48archive@rfc-editor.org, which is a new archival mailing list > to preserve AUTH48 conversations; it is not an active discussion > list: > > * More info: > https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc > > * The archive itself: > https://mailarchive.ietf.org/arch/browse/auth48archive/ > > * Note: If only absolutely necessary, you may temporarily opt out > of the archiving of messages (e.g., to discuss a sensitive matter). > If needed, please add a note at the top of the message that you > have dropped the address. When the discussion is concluded, > auth48archive@rfc-editor.org will be re-added to the CC list and > its addition will be noted at the top of the message. > > You may submit your changes in one of two ways: > > An update to the provided XML file > — OR — > An explicit list of changes in this format > > Section # (or indicate Global) > > OLD: > old text > > NEW: > new text > > You do not need to reply with both an updated XML file and an explicit > list of changes, as either form is sufficient. > > We will ask a stream manager to review and approve any changes that seem > beyond editorial in nature, e.g., addition of new text, deletion of text, > and technical changes. Information about stream managers can be found in > the FAQ. Editorial changes do not require approval from a stream manager. > > > Approving for publication > -------------------------- > > To approve your RFC for publication, please reply to this email stating > that you approve this RFC for publication. Please use ‘REPLY ALL’, > as all the parties CCed on this message need to see your approval. > > > Files > ----- > > The files are available here: > https://www.rfc-editor.org/authors/rfc9288.xml > https://www.rfc-editor.org/authors/rfc9288.html > https://www.rfc-editor.org/authors/rfc9288.pdf > https://www.rfc-editor.org/authors/rfc9288.txt > > Diff file of the text: > https://www.rfc-editor.org/authors/rfc9288-diff.html > https://www.rfc-editor.org/authors/rfc9288-rfcdiff.html (side by side) > > Diff of the XML: > https://www.rfc-editor.org/authors/rfc9288-xmldiff1.html > > The following files are provided to facilitate creation of your own > diff files of the XML. > > Initial XMLv3 created using XMLv2 as input: > https://www.rfc-editor.org/authors/rfc9288.original.v2v3.xml > > XMLv3 file that is a best effort to capture v3-related format updates > only: > https://www.rfc-editor.org/authors/rfc9288.form.xml > > > Tracking progress > ----------------- > > The details of the AUTH48 status of your document are here: > https://www.rfc-editor.org/auth48/rfc9288 > > Please let us know if you have any questions. > > Thank you for your cooperation, > > RFC Editor > > -------------------------------------- > RFC9288 (draft-ietf-opsec-ipv6-eh-filtering-10) > > Title : Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers at Transit Routers > Author(s) : F. Gont, W. LIU > WG Chair(s) : Jen Linkova, Ron Bonica > Area Director(s) : Warren Kumari, Robert Wilton > > > -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
- [auth48] AUTH48: RFC-to-be 9288 <draft-ietf-opsec… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9288 <draft-ietf-o… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9288 <draft-ietf-o… Fernando Gont
- [auth48] [AD] Re: AUTH48: RFC-to-be 9288 <draft-i… Alanna Paloma
- Re: [auth48] [AD] Re: AUTH48: RFC-to-be 9288 <dra… Fernando Gont
- Re: [auth48] [AD] AUTH48: RFC-to-be 9288 <draft-i… Alanna Paloma
- Re: [auth48] [AD] AUTH48: RFC-to-be 9288 <draft-i… Warren Kumari
- Re: [auth48] [AD] AUTH48: RFC-to-be 9288 <draft-i… Fernando Gont
- Re: [auth48] [AD] AUTH48: RFC-to-be 9288 <draft-i… Liushucheng (Will LIU, Strategy & Industry Development)
- Re: [auth48] AUTH48: RFC-to-be 9288 <draft-ietf-o… Alanna Paloma