Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-filtering-06.txt> (Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers) to Informational RFC

"C. M. Heard" <heard@pobox.com> Tue, 27 November 2018 15:01 UTC

References: <CACL_3VExxwN6z-WHbp3dcdLNV1JMVf=sgMVzh-k0shNJFeADbQ@mail.gmail.com> <BLUPR0501MB2051A8FFB1DAFDCA9873B9E6AE700@BLUPR0501MB2051.namprd05.prod.outlook.com> <CACL_3VFSHqU-D+NJu=k2-p4tbjZukT7i7WEoX+5kdUtdHB4Rjw@mail.gmail.com> <CACL_3VGk0CsHObEgSwLdCp8agOWrjccB94-aynEz3Bv0w+EU+w@mail.gmail.com> <475fe28a-aafe-d3b0-e665-fe97dd1439b8@foobar.org> <CACL_3VGHWW8fCDo8Q9br2fwXn5zBi+kN_5a1sOTX7m7QaU8iyg@mail.gmail.com> <3dc898de-6a18-4106-52fd-36cb8f60b19b@gmail.com> <f2784abe-d5b5-a556-3cfa-63481a7a8929@foobar.org> <CACL_3VGqhc-gFhbGJNm9XjZRXHpv9yZ3e4CurmT2P-VpQuVi3w@mail.gmail.com> <40f9b0b3-f9fd-fc09-dad1-3e575df791a3@si6networks.com> <CACL_3VHnUZwcG2=QbJ8HZf6nqiYv8qXxK8cOkuBmdX3QsKfPNg@mail.gmail.com> <12480906-A488-477E-BAE9-B7E22FD34060@gmail.com> <65e96716-48d3-a26c-905a-a5e47deea683@si6networks.com> <16F94EAB-CE40-4A4A-BAB3-4DDAC44980B0@employees.org> <28d771c1-4530-fb48-1b2d-9809c8900574@foobar.org>
In-Reply-To: <28d771c1-4530-fb48-1b2d-9809c8900574@foobar.org>
From: "C. M. Heard" <heard@pobox.com>
Date: Tue, 27 Nov 2018 07:01:08 -0800
X-Gmail-Original-Message-ID: <CACL_3VEQ_XNrr-S2GHDWu40bm5YaK120m-cUT+G19=RRJg+kUw@mail.gmail.com>
Message-ID: <CACL_3VEQ_XNrr-S2GHDWu40bm5YaK120m-cUT+G19=RRJg+kUw@mail.gmail.com>
Subject: Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-filtering-06.txt> (Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers) to Informational RFC
To: Nick Hilliard <nick@foobar.org>
Cc: Ole Troan <otroan@employees.org>, Fernando Gont <fgont@si6networks.com>, OPSEC <opsec@ietf.org>, Bob Hinden <bob.hinden@gmail.com>, IETF <ietf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/A4pvE6dtYRysTtQwXnhUuDkY7wA>

On Tue, Nov 27, 2018 at 2:12 AM Nick Hilliard <nick@foobar.org> wrote:
>
> Ole Troan wrote on 27/11/2018 08:28:
> > A very unfortunate consequence of this work, is that the IETF appears
> > to send a message that routers in the Internet are now expected to
> > parse deep into packets and perform filtering actions. That’s a big
> > change of the Internet architecture, and our view of layering.
>
> quite the opposite: parsing deep inside packets has been a prerequisite
> of ipv6 EHs from the beginning

Just to be historically accurate, looking past the Hop-by-Hop Options
header (which is required to occur first) was not part of the IPv6
architecture at the beginning (RFC 2460 and predecessors).

> and a serious row-back from this position
> was previously standardised in rfc7112.

Which was an acknowledgment of the reality that intermediate devices
do for many reasons inspect headers up to and including the upper
layer protocol header.

Mike Heard
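The "inspect headers up to and including the upper layer protocol header" step the message refers to is a walk along the Next Header chain, and RFC 7112's requirement that a first fragment carry the whole chain exists precisely so that walk can succeed. The following is an added example, not code from the thread or from any IETF document: a small chain walker in Python that follows the chain from the fixed IPv6 header to the upper-layer header and records the conditions a defender cares about (Hop-by-Hop Options not first, a chain that runs past the end of a first fragment, a chain longer than a local bound). The policy bound `MAX_EXT_HEADERS`, the `MIN_UPPER_LAYER` byte count, the `filter_verdict` policy and the sample packets are all assumptions constructed for the example; the header layouts (Hdr Ext Len in 8-octet units, AH Payload Len in 4-octet units, the 13-bit fragment offset) follow RFC 8200 and RFC 4302.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

IPV6_HDR_LEN = 40
HOPOPT, ROUTING, FRAGMENT, ESP, AH, NONXT, DSTOPTS = 0, 43, 44, 50, 51, 59, 60
TCP = 6
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, ESP, AH, NONXT, DSTOPTS}
MAX_EXT_HEADERS = 8   # assumed local policy bound on chain length, not a protocol constant
MIN_UPPER_LAYER = 8   # assumed: need at least 8 bytes of the upper-layer header (ports etc.)


@dataclass
class ChainResult:
    chain: list = field(default_factory=list)   # extension header types, in the order seen
    upper_layer: Optional[int] = None           # protocol number of the upper-layer header, if reachable
    upper_offset: int = 0                       # byte offset of that header within the packet
    fragment_offset: Optional[int] = None       # from the Fragment header, if one was seen
    problems: list = field(default_factory=list)


def _truncated(r: ChainResult, what: str, off: int) -> None:
    msg = "%s truncated at offset %d" % (what, off)
    if r.fragment_offset == 0:   # a first fragment that lacks the full chain is what RFC 7112 forbids
        msg += " (first fragment does not carry the whole header chain, RFC 7112)"
    r.problems.append(msg)


def walk_header_chain(pkt: bytes) -> ChainResult:
    """Follow Next Header values from the fixed IPv6 header to the upper-layer header."""
    r = ChainResult()
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        r.problems.append("not an IPv6 packet")
        return r
    nh, off = pkt[6], IPV6_HDR_LEN
    while nh in EXT_HEADERS:
        if nh in (ESP, NONXT):
            # ESP hides everything after it; 59 means nothing follows.
            # Either way this is as far as an intermediate device can look.
            r.upper_layer, r.upper_offset = nh, off
            return r
        if len(r.chain) >= MAX_EXT_HEADERS:
            r.problems.append("extension header chain longer than policy bound")
            return r
        if nh == HOPOPT and r.chain:
            r.problems.append("Hop-by-Hop Options not immediately after the IPv6 header")
        if off + 8 > len(pkt):          # every extension header is at least 8 bytes long
            _truncated(r, "extension header %d" % nh, off)
            return r
        if nh == FRAGMENT:              # fixed 8 bytes; offset is the top 13 bits of bytes 2-3
            hlen = 8
            r.fragment_offset = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
        elif nh == AH:                  # Payload Len counts 4-byte units, minus 2
            hlen = (pkt[off + 1] + 2) * 4
        else:                           # HBH, Routing, DstOpts: Hdr Ext Len in 8-byte units, minus 1
            hlen = (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            _truncated(r, "extension header %d" % nh, off)
            return r
        r.chain.append(nh)
        nh, off = pkt[off], off + hlen
        if r.fragment_offset:           # non-first fragment: what follows is payload, not headers
            return r
    # A non-extension Next Header value: this is the upper-layer header.
    if off + MIN_UPPER_LAYER > len(pkt):
        _truncated(r, "upper-layer header %d" % nh, off)
        return r
    r.upper_layer, r.upper_offset = nh, off
    return r


def filter_verdict(pkt: bytes) -> str:
    """Assumed policy sketch: drop malformed chains, forward everything else."""
    return "drop" if walk_header_chain(pkt).problems else "forward"


# Constructed sample packets (addresses from the 2001:db8::/32 documentation prefix).
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
TCP_HDR = struct.pack("!HH", 40000, 443) + bytes(16)   # 20-byte TCP header, ports only


def ipv6(nh: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + SRC + DST + payload


def opts_hdr(nh: int) -> bytes:   # 8-byte HBH/DstOpts header carrying a single PadN option
    return bytes([nh, 0, 1, 4, 0, 0, 0, 0])


def frag_hdr(nh: int, offset: int, more: int) -> bytes:
    return struct.pack("!BBHI", nh, 0, (offset << 3) | more, 0x1234ABCD)


SAMPLES = {
    "well_formed": ipv6(HOPOPT, opts_hdr(DSTOPTS) + opts_hdr(TCP) + TCP_HDR),
    "hbh_misplaced": ipv6(DSTOPTS, opts_hdr(HOPOPT) + opts_hdr(TCP) + TCP_HDR),
    "first_frag_short": ipv6(FRAGMENT, frag_hdr(DSTOPTS, 0, 1) + opts_hdr(TCP) + TCP_HDR[:4]),
    "later_frag": ipv6(FRAGMENT, frag_hdr(TCP, 100, 0) + bytes(16)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, filter_verdict(pkt), walk_header_chain(pkt))
```

Two design points are worth noting. The walker never trusts a length field without checking it against the packet size before advancing, because a bogus Hdr Ext Len is the simplest way for a packet to push a parser past its buffer. And a non-first fragment is not reported as malformed: the walker cannot see the upper-layer header in it, but that is by design of fragmentation, which is why the RFC 7112 check applies only when the fragment offset is zero.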