IETF Logo Mail Archive

RE: I-D Action:draft-ietf-6man-exthdr-01.txt

"Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com> Wed, 05 January 2011 13:03 UTC

Return-Path: <manav.bhatia@alcatel-lucent.com>
X-Original-To: ipv6@core3.amsl.com
Delivered-To: ipv6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 926F03A6E29 for <ipv6@core3.amsl.com>; Wed, 5 Jan 2011 05:03:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.283
X-Spam-Level:
X-Spam-Status: No, score=-5.283 tagged_above=-999 required=5 tests=[AWL=1.316, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aN4dREM4y-jJ for <ipv6@core3.amsl.com>; Wed, 5 Jan 2011 05:03:01 -0800 (PST)
Received: from ihemail3.lucent.com (ihemail3.lucent.com [135.245.0.37]) by core3.amsl.com (Postfix) with ESMTP id 8FD4F3A6DDC for <ipv6@ietf.org>; Wed, 5 Jan 2011 05:03:01 -0800 (PST)
Received: from inbansmailrelay2.in.alcatel-lucent.com (h135-250-11-33.lucent.com [135.250.11.33]) by ihemail3.lucent.com (8.13.8/IER-o) with ESMTP id p05D4udF004915 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 5 Jan 2011 07:05:00 -0600 (CST)
Received: from INBANSXCHHUB03.in.alcatel-lucent.com (inbansxchhub03.in.alcatel-lucent.com [135.250.12.80]) by inbansmailrelay2.in.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id p05D4suK010057 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Wed, 5 Jan 2011 18:34:55 +0530
Received: from INBANSXCHMBSA1.in.alcatel-lucent.com ([135.250.12.56]) by INBANSXCHHUB03.in.alcatel-lucent.com ([135.250.12.80]) with mapi; Wed, 5 Jan 2011 18:34:54 +0530
From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: Fernando Gont <fernando@gont.com.ar>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Date: Wed, 05 Jan 2011 18:34:53 +0530
Subject: RE: I-D Action:draft-ietf-6man-exthdr-01.txt
Thread-Topic: I-D Action:draft-ietf-6man-exthdr-01.txt
Thread-Index: Acurj1A0Vq33CGsTQvqfIRC4OVKkmQBSQwWA
Message-ID: <7C362EEF9C7896468B36C9B79200D8350CFAF7FEF6@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <20101217234501.11691.81147.idtracker@localhost> <AANLkTi=Lr_4zOd=-DrAxic_t_o0MvyOoWPYmiktZZod2@mail.gmail.com> <63416880-97B6-4CE4-864A-1402DA977B5F@tony.li> <AA183326-2E70-4A23-83A7-9F96131ADFF4@tony.li> <4D113364.3050105@ericsson.com> <201101032040.p03KeE86005244@cichlid.raleigh.ibm.com> <4D223EC0.7020906@gmail.com> <4D2242E9.8040804@gont.com.ar>
In-Reply-To: <4D2242E9.8040804@gont.com.ar>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.37
X-Scanned-By: MIMEDefang 2.64 on 135.250.11.33
Cc: Thomas Narten <narten@us.ibm.com>, Suresh, "ipv6@ietf.org" <ipv6@ietf.org>, Krishnan <suresh.krishnan@ericsson.com>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Jan 2011 13:03:02 -0000

I see another application of this extension. Assume you are the end host that wants to prioritize certain packets or wants to implement Access control lists (ACLs). In the absence of this extension a router cannot apply ACLs as it will never know how to parse the packet in case it comes across an unknown extension header. It can, if it supports this extension. ALso note that the default action of an ACL may not necessarily be "deny all".

Cheers, Manav

> -----Original Message-----
> From: ipv6-bounces@ietf.org [mailto:ipv6-bounces@ietf.org] On 
> Behalf Of Fernando Gont
> Sent: Tuesday, January 04, 2011 3.13 AM
> To: Brian E Carpenter
> Cc: Thomas Narten; ipv6@ietf.org; Suresh Krishnan
> Subject: Re: I-D Action:draft-ietf-6man-exthdr-01.txt
> 
> On 03/01/2011 06:25 p.m., Brian E Carpenter wrote:
> 
> > The basic motivation for the present draft is clear:
> > 
> >>    However,
> >>    some intermediate nodes such as firewalls, may need to 
> look at the
> >>    transport layer header fields in order to make a 
> decision to allow or
> >>    deny the packet.  
> > 
> > That is, help middleboxes to violate e2e transparency and, 
> furthermore,
> > allow unknown headers to cross those middleboxes. 
> 
> I don't think this I-D will make a difference.
> 
> From the POV of a firewall, unless it really wants a packet to
> pass-through, it will block it.
> 
> So, whether the Extension Header is unknown, or whether
> draft-ietf-6man-exthdr-01.txt is implemented and the Specific type is
> unknown will lead to the same result: the packet will be discarded.
> 
> This proposal would only be useful to firewalls that implement a
> "default allow", and that simply want to somehow ignore an unknown
> extension header and base their decision on the upper-layer protocol
> (only). -- But we all know that firewalls operate (or should 
> operate) in
> "default deny" rather than "default allow".
> 
> So IMHO this proposal won't be useful for such firewalls.
> 
> Thanks,
> -- 
> Fernando Gont
> e-mail: fernando@gont.com.ar || fgont@acm.org
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
> 
> 
> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email