IETF Logo Mail Archive

Re: [OPSEC] [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

Gert Doering <gert@space.net> Wed, 05 December 2018 18:09 UTC

Return-Path: <gert@space.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AAF8130F06 for <ietf@ietfa.amsl.com>; Wed, 5 Dec 2018 10:09:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LxNC6ZD98zdS for <ietf@ietfa.amsl.com>; Wed, 5 Dec 2018 10:08:57 -0800 (PST)
Received: from mobil.space.net (mobil.space.net [195.30.115.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DA4E130F34 for <ietf@ietf.org>; Wed, 5 Dec 2018 10:08:57 -0800 (PST)
X-Original-To: ietf@ietf.org
Received: from mobil.space.net (localhost [IPv6:::1]) by mobil.space.net (Postfix) with ESMTP id 5E4C041C38 for <ietf@ietf.org>; Wed, 5 Dec 2018 19:08:55 +0100 (CET)
X-SpaceNet-Relay: true
X-SpaceNet-Relay: true
X-SpaceNet-Relay: true
X-SpaceNet-Relay: true
X-SpaceNet-Relay: true
X-SpaceNet-Relay: true
X-SpaceNet-Relay: true
X-SpaceNet-Relay: true
X-SpaceNet-Relay: true
Received: from moebius4.space.net (moebius4.space.net [IPv6:2001:608:2:2::251]) by mobil.space.net (Postfix) with ESMTP id 3CFA341135; Wed, 5 Dec 2018 19:08:55 +0100 (CET)
Received: by moebius4.space.net (Postfix, from userid 1007) id 2DACAC1A2; Wed, 5 Dec 2018 19:08:55 +0100 (CET)
Date: Wed, 05 Dec 2018 19:08:55 +0100
From: Gert Doering <gert@space.net>
To: Ole Troan <otroan@employees.org>
Cc: Gert Doering <gert@space.net>, Joe Touch <touch@strayalpha.com>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org, Mark Andrews <marka@isc.org>, David Farmer <farmer@umn.edu>, OPSEC <opsec@ietf.org>, tsv-art <tsv-art@ietf.org>, IETF-Discussion Discussion <ietf@ietf.org>
Subject: Re: [OPSEC] [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
Message-ID: <20181205180855.GR1543@Space.Net>
References: <CAN-Dau0go6_Puf0A9e7KBpk0ApJBUvcxYtezxnwNc-8pKJ3PwQ@mail.gmail.com> <4D69FA8E-FB8A-4A16-9CA6-690D8AE33C9E@strayalpha.com> <20181205122142.GJ1543@Space.Net> <F17C4944-09EC-4AAC-84A0-B660E36AAE89@strayalpha.com> <20181205133821.GL1543@Space.Net> <B6280E0C-6B20-43C1-BB34-170FB06F1EF7@strayalpha.com> <20181205135723.GN1543@Space.Net> <54C715AE-8931-4FA9-AA01-2311EB0055F0@employees.org> <20181205164558.GQ1543@Space.Net> <CCFEFC5B-53AE-4079-B64A-A72A71274FAD@employees.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="yxUjl2uTvAeSG6i1"
Content-Disposition: inline
In-Reply-To: <CCFEFC5B-53AE-4079-B64A-A72A71274FAD@employees.org>
X-NCC-RegID: de.space
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/OVf73Doxolhwre5406IQGKtU4h4>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2018 18:09:07 -0000

Hi,

On Wed, Dec 05, 2018 at 06:57:28PM +0100, Ole Troan wrote:
> You are creating the ???perceived??? security problem yourself, by requiring processing deeper into the packet than is required.
> Just comply with RFC8200. As long as a router is not configured to process any HBH options, it can ignore the header.
> You seem to think HBH still means ???punt to software???. If it ever meant that.
> 
> There???s no need for rate-limiting for not processing HBH obviously.

I *must* be able to look at the protocol field of packets coming in on
our borders (see detailed description on our rate-limiting rules in 
another mail of today).  If there are EHs in the way so our routers' 
hardware cannot decide if this is a TCP or UDP packet, these packets 
go down the drain.

And I'm fairly sure you understand that operational reality, so I'm not
sure what point you are making.

(It's not just HBH.  EHs are fundamentally incompatible with today's
reality)

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279

v2.23.0 | Report a Bug | By Email