Re: Last Call: <draft-ietf-opsec-ipv6-eh-filtering-06.txt> (Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers) to Informational RFC
Nick Hilliard <nick@foobar.org> Sat, 24 November 2018 20:30 UTC
Return-Path: <nick@foobar.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38644130DEE; Sat, 24 Nov 2018 12:30:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TrTUYiUUtXYe; Sat, 24 Nov 2018 12:29:59 -0800 (PST)
Received: from mail.netability.ie (mail.netability.ie [IPv6:2a03:8900:0:100::5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26F5A130DE8; Sat, 24 Nov 2018 12:29:58 -0800 (PST)
X-Envelope-To: opsec@ietf.org
Received: from crumpet.local (089-101-070074.ntlworld.ie [89.101.70.74] (may be forged)) (authenticated bits=0) by mail.netability.ie (8.15.2/8.15.2) with ESMTPSA id wAOKTuQx093730 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 24 Nov 2018 20:29:56 GMT (envelope-from nick@foobar.org)
X-Authentication-Warning: cheesecake.ibn.ie: Host 089-101-070074.ntlworld.ie [89.101.70.74] (may be forged) claimed to be crumpet.local
Subject: Re: Last Call: <draft-ietf-opsec-ipv6-eh-filtering-06.txt> (Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers) to Informational RFC
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: "C. M. Heard" <heard@pobox.com>, OPSEC <opsec@ietf.org>, IETF <ietf@ietf.org>
References: <CACL_3VExxwN6z-WHbp3dcdLNV1JMVf=sgMVzh-k0shNJFeADbQ@mail.gmail.com> <BLUPR0501MB2051A8FFB1DAFDCA9873B9E6AE700@BLUPR0501MB2051.namprd05.prod.outlook.com> <CACL_3VFSHqU-D+NJu=k2-p4tbjZukT7i7WEoX+5kdUtdHB4Rjw@mail.gmail.com> <CACL_3VGk0CsHObEgSwLdCp8agOWrjccB94-aynEz3Bv0w+EU+w@mail.gmail.com> <475fe28a-aafe-d3b0-e665-fe97dd1439b8@foobar.org> <CACL_3VGHWW8fCDo8Q9br2fwXn5zBi+kN_5a1sOTX7m7QaU8iyg@mail.gmail.com> <3dc898de-6a18-4106-52fd-36cb8f60b19b@gmail.com>
From: Nick Hilliard <nick@foobar.org>
Message-ID: <f2784abe-d5b5-a556-3cfa-63481a7a8929@foobar.org>
Date: Sat, 24 Nov 2018 20:29:55 +0000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:52.0) Gecko/20100101 PostboxApp/6.1.5
MIME-Version: 1.0
In-Reply-To: <3dc898de-6a18-4106-52fd-36cb8f60b19b@gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/8KmNRk7U8gHEaOdOdNBBBC7fYmc>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Nov 2018 20:30:01 -0000
Brian E Carpenter wrote on 24/11/2018 20:17: > Operators make their own > decisions, so I think that is what the draft should say. Something like: > > 3.5.5. Advice > > Operators should determine according to their own circumstances > whether to discard packets containing unknown IPv6 EHs. > > And at the same time, delete the 2nd and 3rd sentences of this: > > 3.5.3. Specific Security Implications > > For obvious reasons, it is impossible to determine specific security > implications of unknown IPv6 EHs. However, from security standpoint, > a device should discard IPv6 extension headers for which the security > implications cannot be determined. We note that this policy is > allowed by [RFC7045]. This looks like a sensible approach. > I don't expect these changes to have much impact in the real world, > however. Indeed. The real world is more complex than can be easily encapsulated in a draft like this, and it changes more quickly than rfcs. Nick
- Re: Last Call: <draft-ietf-opsec-ipv6-eh-filterin… R. Atkinson
- Re: Last Call: <draft-ietf-opsec-ipv6-eh-filterin… Fernando Gont
- Re: Last Call: <draft-ietf-opsec-ipv6-eh-filterin… R. Atkinson
- Re: Last Call: <draft-ietf-opsec-ipv6-eh-filterin… C. M. Heard
- Re: Last Call: <draft-ietf-opsec-ipv6-eh-filterin… Nick Hilliard
- Re: Last Call: <draft-ietf-opsec-ipv6-eh-filterin… C. M. Heard
- Re: Last Call: <draft-ietf-opsec-ipv6-eh-filterin… Brian E Carpenter
- Re: Last Call: <draft-ietf-opsec-ipv6-eh-filterin… Nick Hilliard
- Re: Last Call: <draft-ietf-opsec-ipv6-eh-filterin… C. M. Heard
- Re: Last Call: <draft-ietf-opsec-ipv6-eh-filterin… Nick Hilliard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Fernando Gont
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Bob Hinden
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Nick Hilliard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Fernando Gont
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Ole Troan
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Nick Hilliard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Fernando Gont
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: Last Call: <draft-ietf-opsec-ipv6-eh-filterin… C. M. Heard
- Re: Last Call: <draft-ietf-opsec-ipv6-eh-filterin… C. M. Heard