Re: [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
Benjamin Kaduk <kaduk@mit.edu> Mon, 26 November 2018 23:18 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97DE0130DFA; Mon, 26 Nov 2018 15:18:39 -0800 (PST)
X-Quarantine-ID: <YqB_bud1p4nV>
X-Virus-Scanned: amavisd-new at amsl.com
X-Amavis-Alert: BAD HEADER SECTION, Non-encoded 8-bit data (char 9C hex): Received: ...s kaduk@ATHENA.MIT.EDU)\n\t\234by outgoing.mit[...]
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YqB_bud1p4nV; Mon, 26 Nov 2018 15:18:37 -0800 (PST)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E604126CB6; Mon, 26 Nov 2018 15:18:37 -0800 (PST)
X-AuditID: 1209190c-25fff700000049ea-7f-5bfc7f4b14e9
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id 68.28.18922.B4F7CFB5; Mon, 26 Nov 2018 18:18:35 -0500 (EST)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-1.mit.edu (8.14.7/8.9.2) with ESMTP id wAQNIXhg007991; Mon, 26 Nov 2018 18:18:34 -0500
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) �by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id wAQNIR3n001207 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 26 Nov 2018 18:18:31 -0500
Date: Mon, 26 Nov 2018 17:18:26 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Fernando Gont <fgont@si6networks.com>
Cc: Christian Huitema <huitema@huitema.net>, tsv-art <tsv-art@ietf.org>, OPSEC <opsec@ietf.org>, ietf <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org
Subject: Re: [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
Message-ID: <20181126231826.GD10033@kduck.kaduk.org>
References: <C4886ABA-3BBE-46AE-B2D9-9A6836D7A8BB@strayalpha.com> <2c28d4ac-87de-bcaf-54e8-4e745235c800@gmail.com> <977CA53D-7F72-4443-9DE2-F75F7A7C1569@strayalpha.com> <d6deb7af-99dd-9013-2722-8ebbe00c0b37@si6networks.com> <1CB13135-D87A-4100-8668-D761058E1388@strayalpha.com> <0f56c25d-7ac7-e534-4e2c-cc09f5154e77@foobar.org> <28EDE667-457E-4AED-8480-F27ECAA8E985@strayalpha.com> <6bd1ec94-f420-1f4c-9254-941814704dbb@gmail.com> <6be84ccf-9a72-2694-e19d-fa19043a0cb1@huitema.net> <c0e2edf7-762b-d521-e5a1-7751545371cb@si6networks.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <c0e2edf7-762b-d521-e5a1-7751545371cb@si6networks.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprGKsWRmVeSWpSXmKPExsUixCmqrOtd/yfaYMtnbYu7ew6wWjxZ9YbN YnLjbHaLZxvns1h82HqXzWLWnkUsDmwet2acYvFYsuQnk8eHQz3sAcxRXDYpqTmZZalF+nYJ XBkvXx5mKrgmXnFmjnUDY59wFyMnh4SAicSJSRsYuxi5OIQE1jBJTNnzgBXC2cgo8fB8DzOE c5dJYsORi0wgLSwCqhIrr3aygNhsAioSDd2XmUFsEQFNibnPjzCBNDAL7GCUaF/9ghEkISwQ KfHh82q2LkYODl6gfW235SCGrmKR+HniLFgNr4CgxMmZT8CGMgtoSdz495IJpJ5ZQFpi+T8O kDCngLPE9nnf2EBsUQFlib19h9gnMArMQtI9C0n3LITuBYzMqxhlU3KrdHMTM3OKU5N1i5MT 8/JSi3QN9XIzS/RSU0o3MYIDW5JnB+OZN16HGAU4GJV4eCO+/o4WYk0sK67MPcQoycGkJMrr 8RcoxJeUn1KZkVicEV9UmpNafIhRgoNZSYTXdwlQjjclsbIqtSgfJiXNwaIkzvtb5HG0kEB6 YklqdmpqQWoRTFaGg0NJgvd97Z9oIcGi1PTUirTMnBKENBMHJ8hwHqDhp0FqeIsLEnOLM9Mh 8qcYjTluHPg/nZmjY92yOcxCLHn5ealS4rw7QUoFQEozSvPgpoGSk0T2/ppXjOJAzwnzfgGp 4gEmNrh5r4BWMQGtujYR5I/ikkSElFQDY9p6P9PLJpafn5fwKJ3N/tw9eaZ3jY7z6zPbL+/u evflt0vjTvWFul6ntWyc+Gyro225J1787mI7SfDEi+CMtaHB/fqv9LT0Kizq7vXL30+KunFh kwz3naU7llcvmzDt7IQwgUO3ltfqtMv/fSG7ICVBdNXk6928639/vPO3+I1K1/N85fnhEUos xRmJhlrMRcWJACM0m4spAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/roUH1IfIfT9l3rmPl2aO0HtihAY>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Nov 2018 23:18:40 -0000
On Mon, Nov 26, 2018 at 04:21:06AM -0300, Fernando Gont wrote: > Christian. > > On 25/11/18 17:40, Christian Huitema wrote: > [.....] > > > Nick made that point, probably unintentionally, when he wrote that > > "transit operators would generally take the view that any data-plane > > packet which needs to be put through a slow path will be rate limited up > > to 100% loss". Last I checked, data plane processing is implemented in > > specialized components that are designed for speed. I am quite concerned > > that filtering recommendations made by the IETF will end up deeply > > embedded in the hardware of at least some routers, and that changing > > them in the future would be quite hard. That's pretty much the recipe > > for ossification. > > PLease take a look at the advice: it essentially argues "pass everything > that has been stadardizez and that will not cause you pain". And, again, How is this better than "pass everything that will not cause you pain"? Why should the transit care if something is standardized or just an experiment running over the internet? > this is in line with RFC7045. Compare that with what we have in the > real world (RFC7872), and you'll probably agree that if folks were to > implement this advice, it would be a *huge* improvement -- at the time > of this writing you cannot even use ipsec reliably on the Internet(!). One can agree that folks implementing this advice would be an improvement over the current state of affairs, without agreeing that the IETF should advocate against using our protocols as they were designed. > > > > The IPv6 header contains a > > "payload type" field, that may legitimately contain any of the payload > > types defined in the IANA registry of protocol numbers > > (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). > > Some of those payload types are flagged as IPv6 extension header types > > and listed in the corresponding registry > > (https://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml). Discussing > > EH without discussing the other payload types seems bizarre. Do the > > reasons for blocking for the experimental payload type 253 also apply > > to, for example, the UDP Lite payload type? What about discussing ESP > > and not discussing L2TP or MANET? > > This document discusses EHs. THe considerations for filtering on upper > payloads are rather different, and normally depend on the upper protocol > details. (e.g. TCP ports). Perhaps I am confused, but IIUC this document discusses values placed in the IPv6 "Next Header" field, some of which are EHs and some of which are not. Values not recognized to the processing entity may be EHs or may be "next protocol"s, and if the value is not recognized there is no way to know which is the case. Ergo, filtering out unknown values that might be EHs is also filtering out unknown next-protocols, which seems really bad for the future flexibility of the internet. -Ben
- Tsvart last call review of draft-ietf-opsec-ipv6-… Michael Scharf
- Re: Tsvart last call review of draft-ietf-opsec-i… Joe Touch
- Re: Tsvart last call review of draft-ietf-opsec-i… Brian E Carpenter
- Re: Tsvart last call review of draft-ietf-opsec-i… Joe Touch
- Re: Tsvart last call review of draft-ietf-opsec-i… Fernando Gont
- Re: Tsvart last call review of draft-ietf-opsec-i… Fernando Gont
- Re: Tsvart last call review of draft-ietf-opsec-i… Joe Touch
- Re: Tsvart last call review of draft-ietf-opsec-i… Nick Hilliard
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Brian E Carpenter
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Christian Huitema
- Re: [Tsv-art] Tsvart last call review of draft-ie… Nick Hilliard
- Re: [Tsv-art] Tsvart last call review of draft-ie… Christian Huitema
- Re: [Tsv-art] Tsvart last call review of draft-ie… Brian E Carpenter
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Fernando Gont
- Re: Tsvart last call review of draft-ietf-opsec-i… Fernando Gont
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: Tsvart last call review of draft-ietf-opsec-i… Joe Touch
- Re: Tsvart last call review of draft-ietf-opsec-i… Eric Rescorla
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Ole Troan
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Benjamin Kaduk
- Re: Tsvart last call review of draft-ietf-opsec-i… Mark Andrews
- Re: [Tsv-art] Tsvart last call review of draft-ie… Brian E Carpenter
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Nick Hilliard
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Stewart Bryant
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Stewart Bryant
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Stewart Bryant
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Christopher Morrow
- Re: Tsvart last call review of draft-ietf-opsec-i… C. M. Heard
- Re: Tsvart last call review of draft-ietf-opsec-i… Christopher Morrow
- Re: Tsvart last call review of draft-ietf-opsec-i… Brian E Carpenter
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: Tsvart last call review of draft-ietf-opsec-i… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Brian E Carpenter
- Re: Tsvart last call review of draft-ietf-opsec-i… Brian E Carpenter
- Re: Tsvart last call review of draft-ietf-opsec-i… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: Tsvart last call review of draft-ietf-opsec-i… Christopher Morrow
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Christopher Morrow
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Brian E Carpenter
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Christopher Morrow
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Mark Andrews
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … David Farmer
- Re: [OPSEC] Tsvart last call review of draft-ietf… Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Nick Hilliard
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Nick Hilliard
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Nick Hilliard
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Stewart Bryant
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Ole Troan
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Nick Hilliard
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Nick Hilliard
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Randy Bush
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Ole Troan
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Stewart Bryant
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Ole Troan
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Christian Huitema
- HbH flags [Tsvart last call review of draft-ietf-… Brian E Carpenter
- Re: HbH flags [Tsvart last call review of draft-i… Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: HbH flags [Tsvart last call review of draft-i… Brian E Carpenter
- game over, EH [Tsvart last call review of draft-i… Brian E Carpenter
- Re: HbH flags [Tsvart last call review of draft-i… Joe Touch
- ECMP [Tsvart last call review of draft-ietf-opsec… Brian E Carpenter
- Re: HbH flags [Tsvart last call review of draft-i… Brian E Carpenter
- Re: game over, EH [Tsvart last call review of dra… Stephen Farrell
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Brian E Carpenter
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Fernando Gont
- Re: game over, EH [Tsvart last call review of dra… Fernando Gont
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Fernando Gont
- Re: HbH flags [Tsvart last call review of draft-i… Joe Touch
- Re: HbH flags [Tsvart last call review of draft-i… Christopher Morrow
- Re: HbH flags [Tsvart last call review of draft-i… Joe Touch
- Re: HbH flags [Tsvart last call review of draft-i… Joe Touch
- Re: HbH flags [Tsvart last call review of draft-i… Christopher Morrow
- Re: HbH flags [Tsvart last call review of draft-i… Christopher Morrow
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [OPSEC] HbH flags [Tsvart last call review of… Gert Doering
- Re: game over, EH [Tsvart last call review of dra… Gert Doering
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Brian Trammell (IETF)
- Re: game over, EH [Tsvart last call review of dra… Stewart Bryant
- Re: ECMP [Tsvart last call review of draft-ietf-o… Stewart Bryant
- Re: HbH flags [Tsvart last call review of draft-i… Ole Troan
- Re: ECMP [Tsvart last call review of draft-ietf-o… Stewart Bryant
- Re: ECMP [Tsvart last call review of draft-ietf-o… Ole Troan
- Re: game over, EH [Tsvart last call review of dra… Stewart Bryant
- Re: game over, EH [Tsvart last call review of dra… Gert Doering
- Re: HbH flags [Tsvart last call review of draft-i… Stewart Bryant
- Re: ECMP [Tsvart last call review of draft-ietf-o… Stewart Bryant
- Re: ECMP [Tsvart last call review of draft-ietf-o… Gert Doering
- Re: game over, EH [Tsvart last call review of dra… Stewart Bryant
- Re: ECMP [Tsvart last call review of draft-ietf-o… Ole Troan
- Re: HbH flags [Tsvart last call review of draft-i… Joe Touch
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Spencer Dawkins at IETF
- Re: HbH flags [Tsvart last call review of draft-i… Joe Touch
- Re: [OPSEC] HbH flags [Tsvart last call review of… Joe Touch
- Re: HbH flags [Tsvart last call review of draft-i… Joe Touch
- Re: HbH flags [Tsvart last call review of draft-i… Ole Troan
- Re: HbH flags [Tsvart last call review of draft-i… Stewart Bryant
- Re: HbH flags [Tsvart last call review of draft-i… Joe Touch
- Re: ECMP [Tsvart last call review of draft-ietf-o… Fernando Gont
- RE: [OPSEC] [Tsv-art] Tsvart last call review of … Smith, Donald
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Nick Hilliard
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Ole Troan
- Re: game over, EH [Tsvart last call review of dra… C. M. Heard
- Re: [OPSEC] game over, EH [Tsvart last call revie… Jared Mauch
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Jared Mauch
- Re: game over, EH [Tsvart last call review of dra… C. M. Heard
- RE: [OPSEC] game over, EH [Tsvart last call revie… Smith, Donald
- Re: game over, EH [Tsvart last call review of dra… Gert Doering
- Re: game over, EH [Tsvart last call review of dra… Nico Williams
- Re: ECMP [Tsvart last call review of draft-ietf-o… Brian E Carpenter
- Re: ECMP [Tsvart last call review of draft-ietf-o… Nick Hilliard
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Brian E Carpenter
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Nick Hilliard
- Re: ECMP [Tsvart last call review of draft-ietf-o… Brian E Carpenter
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Eric Rescorla
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Jared Mauch
- Re: ECMP [Tsvart last call review of draft-ietf-o… Fernando Gont
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Christopher Morrow
- Re: HbH flags [Tsvart last call review of draft-i… Christopher Morrow
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Eric Rescorla
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Jared Mauch
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Eric Rescorla
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Joe Touch
- Re: HbH flags [Tsvart last call review of draft-i… Pete Resnick
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Jared Mauch
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Jared Mauch
- Re: HbH flags [Tsvart last call review of draft-i… Jared Mauch
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Joe Touch
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Nico Williams
- OT: TCP session lifetime - Re: [Tsv-art] game ove… Jared Mauch
- Re: OT: TCP session lifetime - Re: [Tsv-art] game… Nico Williams
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Eric Rescorla
- Re: OT: TCP session lifetime - Re: [Tsv-art] game… Gert Doering
- Engaging constructively [HbH flags [Tsvart last c… Alissa Cooper
- Re: ECMP [Tsvart last call review of draft-ietf-o… Wes Hardaker
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Fernando Gont