IETF Logo Mail Archive

Re: I-D Action:draft-ietf-6man-exthdr-01.txt

"Joel M. Halpern" <jmh@joelhalpern.com> Tue, 04 January 2011 17:24 UTC

Return-Path: <jmh@joelhalpern.com>
X-Original-To: ipv6@core3.amsl.com
Delivered-To: ipv6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3E4103A6BE0 for <ipv6@core3.amsl.com>; Tue, 4 Jan 2011 09:24:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.524
X-Spam-Level:
X-Spam-Status: No, score=-102.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fn9+aYKLhWTH for <ipv6@core3.amsl.com>; Tue, 4 Jan 2011 09:24:28 -0800 (PST)
Received: from hgblob.mail.tigertech.net (hgblob.mail.tigertech.net [64.62.209.71]) by core3.amsl.com (Postfix) with ESMTP id 5C4E03A6CE0 for <ipv6@ietf.org>; Tue, 4 Jan 2011 09:24:28 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hgblob.tigertech.net (Postfix) with ESMTP id B60D43245E97; Tue, 4 Jan 2011 09:26:35 -0800 (PST)
X-Virus-Scanned: Debian amavisd-new at hgblob.tigertech.net
Received: from [10.10.10.101] (pool-71-161-50-147.clppva.btas.verizon.net [71.161.50.147]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by hgblob.tigertech.net (Postfix) with ESMTPSA id D2A483245057; Tue, 4 Jan 2011 09:26:34 -0800 (PST)
Message-ID: <4D235845.6040409@joelhalpern.com>
Date: Tue, 04 Jan 2011 12:26:29 -0500
From: "Joel M. Halpern" <jmh@joelhalpern.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101207 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: Fernando Gont <fernando@gont.com.ar>
Subject: Re: I-D Action:draft-ietf-6man-exthdr-01.txt
References: <20101217234501.11691.81147.idtracker@localhost> <AANLkTi=Lr_4zOd=-DrAxic_t_o0MvyOoWPYmiktZZod2@mail.gmail.com> <63416880-97B6-4CE4-864A-1402DA977B5F@tony.li> <AA183326-2E70-4A23-83A7-9F96131ADFF4@tony.li> <4D113364.3050105@ericsson.com> <201101032040.p03KeE86005244@cichlid.raleigh.ibm.com> <4D223EC0.7020906@gmail.com> <4D2242E9.8040804@gont.com.ar> <201101041429.p04ET81p006364@cichlid.raleigh.ibm.com> <4D23563E.7000108@gont.com.ar>
In-Reply-To: <4D23563E.7000108@gont.com.ar>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "ipv6@ietf.org" <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jan 2011 17:24:29 -0000

Then what about if we forget firewalls for the moment?

A lot of routers look for the TCP/UDP Port numbers for LAG/ECMP computation.
Many of them can cope with having a destination options extension, and 
therefore that is clearly the better way to handle such information. 
And anything we do should make that strong preference clear.

Nothing we can do can change the way routers with silicon already 
deployed handle unknown extension headers.

Given that, one option is to just say that new extension headers should 
not be used.

If we think that there will be some new extension headers, that we want 
to support, designed for the general Internet, then it would seem to 
make sense to try to get new behavior defined, supported, and then used, 
that will allow for such extensions.  In that case, requiring and 
documenting the requirement for new extension headers to use TLV 
encoding would seem to have applicability and utility.

Yours,
Joel

On 1/4/2011 12:17 PM, Fernando Gont wrote:
> Hi, Thomas,
>
> On 04/01/2011 11:29 a.m., Thomas Narten wrote:
>>>  From the POV of a firewall, unless it really wants a packet to
>>> pass-through, it will block it.
>>
>> I think this is the crux of the problem. firewalls, by default,
>> discard stuff. They don't like the idea of allowing unknown or
>> "uncommon" things through.  Defining new options and expecting
>> firewalls to give them a blank check to go through I suspect is
>> wishful thinking.
>>
>> And look at this from the perspective of someone who wants to deploy a
>> new option. If 80% of the firewalls allow the new option through, will
>> this be good enough for deployment? Doubtful. What about 98%
>> cooperation from firewalls? Again, quite possibly not.
>
> I fully agree with you.
>
>
>
>> Unless this document is widely implemented in practice, it's far from
>> clear it is useful.
>
> Whether it's widely deployed is, IMHO, irrelevant. Two cases:
>
> * The I-D is not deployed (firewalls can't go past new extension
> headers). -- but the very presence of the unknown headers is what causes
> the fw to block the packets.
> * The I-D is deployed. The presence of an "uncommon" extension header
> causes the fw to block the packet (even when it could, *if* it wanted go
> past the "uncommon" extension header).
>
> As you correctly stated it, the crux of the problem is that this
> document assumes that firewalls are willing to allow stuff that they
> don't understand. -- but they aren't. They are meant to only allow stuff
> that is needed.
>
> Thanks,

v2.23.0 | Report a Bug | By Email