Re: Last Call: <draft-ietf-opsec-ipv6-eh-filtering-06.txt> (Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers) to Informational RFC
Fernando Gont <fgont@si6networks.com> Wed, 21 November 2018 20:52 UTC
To: "R. Atkinson" <rja.lists@gmail.com>, ietf@ietf.org
Cc: opsec@ietf.org, iesg@ietf.org
In-Reply-To: <0EB81EE5-C8C7-4B6A-9EF4-90B5049E5F88@gmail.com>
Message-ID: <bc011e16-b68c-fa78-e8c3-2defa239650f@si6networks.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/LVH9N86VIAbb3dyRYpT8YID9hdA>
Hello, Ran!

Thanks so much for your comments! Inline....

On 20/11/18 13:27, R. Atkinson wrote:
> All,
>
> I believe this document needs a few very important,
> but hopefully not controversial edits before going ahead.
>
> (I had thought these concerns had been worked out previously,
> per email exchanges on the opsec list (and privately) circa
> 6 July 2018 with Fernando Gont. So I had expected to see a
> -07 revision appear with the agreed fixes, but maybe something
> fell through the cracks by accident. :-)

It may have been my failure. If that was the case, please accept my
apologies.

> Comments below are organized by Document Section.
>
> I am open to wordsmithing. Candidate new text has been provided
> for review (and ideally - to be adopted into a -07 revision).
>
>
> DOCUMENT TITLE: Recommendations on the Filtering of IPv6 Packets
> Containing IP Extension Headers
>
> REQUEST:
>
> Could we somehow edit the title to make clear that these recommendations
> are specifically focused on "Transit Routers"?
>
> REASONS:
>
> The current document title is slightly misleading. It implies the recommendations
> are entirely general, but actually (per the -06 Abstract) they are "advice on the
> filtering of such IPv6 packets at transit routers for traffic *not* directed to them".
> Advice specific to a Transit Router might or might not apply to other IP router
> deployments (e.g. inside an enterprise).

I have no problem with updating the title as suggested.

Chairs: May I go ahead and apply it?

> SECTION "2.3 Conventions"
>
> EXISTING:
>
> Such configuration options may include the following possible settings:
>
> PROPOSED NEW:
>
> Such configuration options SHOULD include the following possible settings:

Fine for me.

> SECTION "3.4.1.5. Advice"
>
> EXISTING:
>
> For legacy nodes, the recommended configuration for the processing of
> these packets depends on the features and capabilities of the underlying platform.
>
> PROPOSED NEW:
>
> For legacy nodes, the recommended configuration for the processing of
> these packets depends on the features and capabilities of the underlying platform,
> the configuration of the platform, and also the deployment environment
> of the platform.
>
> REASONS:
>
> Which configuration for processing of HBH options is reasonable depends
> not only on the features/capabilities, but also how the system has actually
> been configured (e.g. it might have enabled some feature that BREAKS
> proper operation if all packets with HBH headers are dropped) and also
> what kind of deployment environment it is in. RSVP remains fairly
> widely deployed and used today, although obviously it is not deployed
> or used everywhere; RSVP would break. Similarly, in an MLS deployment
> environment, transmitting packets containing the CALIPSO HBH is
> critical (more later on this).

Makes sense. Maybe we could add your paragraph on "REASONS" as a
parenthetical (indented) note?

> Section "4.3.9.5. Advice"
>
> EXISTING:
>
> Intermediate systems that do not operate in Multi-Level Secure (MLS)
> networking environments should discard packets that contain this
> option.
>
> PROPOSED:
>
> "Recommendations for handling the CALIPSO option depend on the
> deployment environment, rather than whether an intermediate system
> happens to be deployed as a transit device (e.g., IPv6 transit router).
>
> Explicit configuration is the only method via which an intermediate system
> can know whether or not that particular intermediate system has been
> deployed within a Multi-Level Secure (MLS) environment. In many cases,
> ordinary commercial intermediate systems (e.g., IPv6 routers & firewalls)
> are the majority of the deployed intermediate systems inside an MLS
> network environment.
>
> For Intermediate systems that DO NOT implement RFC-5570, there
> SHOULD be a configuration option to EITHER (a) drop packets containing
> the CALIPSO option OR (b) to ignore the presence of the CALIPSO option
> and forward the packets normally. In non-MLS environments, such
> intermediate systems SHOULD have this configuration option set to (a)
> above. In MLS environments, such intermediate systems SHOULD
> have this option set to (b) above. The default setting for this configuration
> option SHOULD be set to (a) above, because MLS environments are much
> less common than non-MLS environments.
>
> For Intermediate systems that DO implement RFC-5570, there SHOULD
> be configuration options (a) and (b) from the preceding paragraph and
> also a third configuration option (c) to process packets containing
> a CALIPSO option as per RFC-5570. When deployed in non-MLS
> environments, such intermediate systems SHOULD have this configuration
> option set to (a) above. When deployed in MLS environments, such
> intermediate systems SHOULD have this set to (c). The default setting
> for this configuration option MAY be set to (a) above, because MLS
> environments are much less common than non-MLS environments.

Also makes sense. Unless somebody screams against, I will apply the
suggested edit.

Thanks a lot for your continued help in improving documents!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
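The proposed text for Section 4.3.9.5 describes three configuration settings for packets carrying the CALIPSO Hop-by-Hop option: (a) drop, (b) ignore the option and forward, and (c) process it per RFC 5570, with (c) available only on devices that implement RFC 5570 and (a) as the default. The following is an added example, written for this edit and not code from the draft or from anyone in the thread, that models those settings against a minimal Hop-by-Hop option parser. It assumes the standard IPv6 layout (Hop-by-Hop header immediately after the 40-byte fixed header, Next Header value 0, Pad1/PadN option types 0 and 1) and the CALIPSO option type value 7 from RFC 5570; the sample packets, the documentation-prefix addresses, the DOI value and the zeroed CALIPSO checksum are all constructed, and the checksum is not validated. Malformed Hop-by-Hop headers raise rather than being silently forwarded, so an operator can count them separately from well-formed traffic.

```python
"""Policy model for the three CALIPSO handling settings (a)/(b)/(c).

Constructed example, not part of draft-ietf-opsec-ipv6-eh-filtering or the
mailing-list thread. Parses the Hop-by-Hop Options header of an IPv6 packet,
detects the CALIPSO option (RFC 5570, option type 7) and returns the action
a device would take under each configured setting.
"""
import struct
from enum import Enum

IPV6_HDR_LEN = 40
NH_HOP_BY_HOP = 0     # Hop-by-Hop Options header
NH_NO_NEXT = 59       # No Next Header (sample packets carry no payload)
OPT_PAD1 = 0
OPT_PADN = 1
OPT_CALIPSO = 7       # RFC 5570 CALIPSO option type


class CalipsoPolicy(Enum):
    DROP = "a"                 # discard packets carrying the CALIPSO option
    IGNORE_AND_FORWARD = "b"   # forward normally, option left untouched
    PROCESS_RFC5570 = "c"      # only valid on a device implementing RFC 5570


def default_policy(implements_rfc5570: bool) -> CalipsoPolicy:
    """The proposed text makes (a) the default whether or not RFC 5570 is implemented."""
    return CalipsoPolicy.DROP


def parse_hbh_options(pkt: bytes) -> list:
    """Return [(option_type, option_data), ...] from the Hop-by-Hop header.

    Returns [] when the packet carries no Hop-by-Hop header. Raises ValueError
    on truncation or on an option that overruns the header, so malformed
    packets are never mistaken for well-formed ones without CALIPSO.
    """
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    if pkt[6] != NH_HOP_BY_HOP:
        return []  # HBH must be the first extension header; none present
    off = IPV6_HDR_LEN
    if len(pkt) < off + 2:
        raise ValueError("truncated Hop-by-Hop header")
    hbh_len = (pkt[off + 1] + 1) * 8   # Hdr Ext Len excludes the first 8 octets
    end = off + hbh_len
    if len(pkt) < end:
        raise ValueError("Hop-by-Hop header overruns packet")
    options, pos = [], off + 2
    while pos < end:
        opt_type = pkt[pos]
        if opt_type == OPT_PAD1:       # Pad1 is a single octet, no length field
            pos += 1
            continue
        if pos + 1 >= end:
            raise ValueError("truncated option header")
        opt_len = pkt[pos + 1]
        if pos + 2 + opt_len > end:
            raise ValueError("option data overruns Hop-by-Hop header")
        options.append((opt_type, bytes(pkt[pos + 2:pos + 2 + opt_len])))
        pos += 2 + opt_len
    return options


def decide(pkt: bytes, policy: CalipsoPolicy, implements_rfc5570: bool = False) -> str:
    """Return 'forward', 'drop' or 'process' for one packet under a policy."""
    if policy is CalipsoPolicy.PROCESS_RFC5570 and not implements_rfc5570:
        raise ValueError("setting (c) exists only on RFC 5570 implementations")
    has_calipso = any(t == OPT_CALIPSO for t, _ in parse_hbh_options(pkt))
    if not has_calipso:
        return "forward"           # the setting only concerns CALIPSO packets
    if policy is CalipsoPolicy.DROP:
        return "drop"
    if policy is CalipsoPolicy.IGNORE_AND_FORWARD:
        return "forward"
    return "process"


def build_packet(options=None) -> bytes:
    """Construct a sample IPv6 packet (2001:db8:: documentation addresses) with
    an optional Hop-by-Hop header holding the given [(type, data), ...]."""
    src = bytes.fromhex("20010db8000000000000000000000001")  # constructed
    dst = bytes.fromhex("20010db8000000000000000000000002")  # constructed
    if options is None:
        return struct.pack("!IHBB", 0x60000000, 0, NH_NO_NEXT, 64) + src + dst
    body = b"".join(bytes([t, len(d)]) + d for t, d in options)
    pad = (-(2 + len(body))) % 8       # header length must be a multiple of 8
    if pad == 1:
        body += bytes([OPT_PAD1])
    elif pad >= 2:
        body += bytes([OPT_PADN, pad - 2]) + bytes(pad - 2)
    hbh = bytes([NH_NO_NEXT, (2 + len(body)) // 8 - 1]) + body
    return struct.pack("!IHBB", 0x60000000, len(hbh), NH_HOP_BY_HOP, 64) + src + dst + hbh


# Constructed CALIPSO option data: DOI 1, compartment length 0, sensitivity
# level 3, checksum field left zero (this example does not validate it).
CALIPSO_DATA = struct.pack("!IBBH", 1, 0, 3, 0)
```

Calling `decide(build_packet([(OPT_CALIPSO, CALIPSO_DATA)]), CalipsoPolicy.DROP)` yields `"drop"`, while the same packet under setting (b) is forwarded and under (c), on a device flagged as implementing RFC 5570, is handed to CALIPSO processing; a packet with no Hop-by-Hop header or with only padding options is forwarded under every setting, which is the distinction the proposed text draws between "packets containing the CALIPSO option" and Hop-by-Hop traffic in general.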