RE: icmpv6-v3 comments
Pekka Savola <pekkas@netcore.fi> Mon, 22 March 2004 12:54 UTC
Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA20880 for <ipv6-archive@odin.ietf.org>; Mon, 22 Mar 2004 07:54:24 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B5OwF-0004C2-JE for ipv6-archive@odin.ietf.org; Mon, 22 Mar 2004 07:53:55 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i2MCrtsJ016112 for ipv6-archive@odin.ietf.org; Mon, 22 Mar 2004 07:53:55 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B5OwF-0004Bl-C3 for ipv6-web-archive@optimus.ietf.org; Mon, 22 Mar 2004 07:53:55 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA20851 for <ipv6-web-archive@ietf.org>; Mon, 22 Mar 2004 07:53:53 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1B5OwD-0004Bo-00 for ipv6-web-archive@ietf.org; Mon, 22 Mar 2004 07:53:53 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1B5Our-0003yN-00 for ipv6-web-archive@ietf.org; Mon, 22 Mar 2004 07:52:30 -0500
Received: from [65.246.255.50] (helo=mx2.foretec.com) by ietf-mx with esmtp (Exim 4.12) id 1B5OuX-0003tA-00 for ipv6-web-archive@ietf.org; Mon, 22 Mar 2004 07:52:09 -0500
Received: from optimus.ietf.org ([132.151.1.19]) by mx2.foretec.com with esmtp (Exim 4.24) id 1B5Ory-0003Nh-Go for ipv6-web-archive@ietf.org; Mon, 22 Mar 2004 07:49:31 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B5Ord-0003aq-6s; Mon, 22 Mar 2004 07:49:09 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B5Oqt-0003aV-0D for ipv6@optimus.ietf.org; Mon, 22 Mar 2004 07:48:23 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA20694 for <ipv6@ietf.org>; Mon, 22 Mar 2004 07:48:21 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1B5Oqs-0003eL-00 for ipv6@ietf.org; Mon, 22 Mar 2004 07:48:22 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1B5Opt-0003Z4-00 for ipv6@ietf.org; Mon, 22 Mar 2004 07:47:22 -0500
Received: from netcore.fi ([193.94.160.1]) by ietf-mx with esmtp (Exim 4.12) id 1B5Oov-0003QO-00 for ipv6@ietf.org; Mon, 22 Mar 2004 07:46:22 -0500
Received: from localhost (pekkas@localhost) by netcore.fi (8.11.6/8.11.6) with ESMTP id i2MCjjc14770; Mon, 22 Mar 2004 14:45:45 +0200
Date: Mon, 22 Mar 2004 14:45:45 +0200
From: Pekka Savola <pekkas@netcore.fi>
To: Mukesh.Gupta@nokia.com
cc: ipv6@ietf.org
Subject: RE: icmpv6-v3 comments
In-Reply-To: <8D260779A766FB4A9C1739A476F84FA4015473F9@daebe009.americas.nokia.com>
Message-ID: <Pine.LNX.4.44.0403221431070.14547-100000@netcore.fi>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: ipv6-admin@ietf.org
Errors-To: ipv6-admin@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Id: IP Version 6 Working Group (ipv6) <ipv6.ietf.org>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=1.2 required=5.0 tests=AWL,OPT_HEADER autolearn=no version=2.60
On Sun, 21 Mar 2004 Mukesh.Gupta@nokia.com wrote: > > Process issue: Draft Standard may not refer normatively to > > specifications of lower standardization status. See > > draft-ymbk-downref-01.txt for a bit of discussion. That is, > > IPv6-ADDR, PMTU and IPsec documents are unsuitable for normative > > references. So, some wiggling around will be needed.. > > Well, the draft draft-ymbk-downref-01.txt says > ==== > In the case of protocols, a reference is normative if it refers to > packet formats or other protocol mechanisms that are needed to fully > implement the protocol in the current specification. For example, if > a protocol relies on IPsec to provide security, one cannot fully > implement the protocol without the specification for IPsec also being > available; hence, the reference would be normative. > ==== > > As ICMPv6 proposes to use IPsec for security, according to the above > paragraph, IPsec documents should be normative. So how do we resolve > this ? Well, if we conclude that those are required, maybe we have to use draft-ietf-ipsec-rfc2402bis instead -- that's already been at IESG evaluation so might not end up blocking the document. PMTUD and Addr-arch would probably have to go on Informational section, unless we conclude that they're too strong to be used here. > > (c) If the message is a response to a message sent to an address > > that does not belong to the node, the Source Address should be > > that unicast address belonging to the node that will be most > > helpful in diagnosing the error. For example, if the message is > > a response to a packet forwarding action that cannot complete > > successfully, the Source Address should be a unicast address > > belonging to the interface on which the packet forwarding > > failed. > > > > ==> not sure if this has been implemented, so the usability > > of this generic rule seems questionable. > > Are you proposing to remove this ? Yes. (But if people think mentioning some optional behaviour like this is a good idea, maybe it could be reworded/removed in the appendix as well.) > I think, all the implementations use the IP address of the egress > interface for the ICMP packet as the source address of the packet. That is my perception as well. > The above paragraph suggests to use the IP address of the interface > on which the packet was supposed to be forwarded. Now if we are > unable to forward the packet, how would we know which interface it > was supposed to go out on :-/ So which IP address should be used > in that case ! That's a real procedural problem, and maybe one of the main reasons why this was omitted. In some cases, I think getting the IP address would be possible, but in general it would be rather challenging.. > > If the reason for the failure to deliver can not be mapped > > to any of > > the specific codes listed above, the Code field is set to 3. The > > example of such cases are inability to resolve the IPv6 destination > > address into a corresponding link address, or a > > link-specific problem > > of some sort. > > > > ==> reasons with codes 4, 5, and 6 are below this sentence. > > Maybe those paragraphs should be moved up, earlier in this > > section, or the language here reworded? > > Actually, I wanted to keep the description of the codes in the numerical > order. If this description sounds confusing, could you suggest how to > re-word it such that it is clearer without moving the descriptions of > 4, 5 and 6 before this ? Maybe reword: If the reason for the failure to deliver can not be mapped to any of the specific codes listed above, the Code field is set to 3. to: If the reason for the failure to deliver can not be mapped to any of other codes, the Code field is set to 3. ? > > If the reason for the failure to deliver is that packet with this > > source address is not allowed due to ingress or egress filtering > > policies, the Code field is set to 5. > > > > If the reason for the failure to deliver is that the route to the > > destination is a reject route, the Code field is set to 6. This may > > occur if the router has been configured to reject all the traffic for > > a specific prefix. > > > > ==> as has already been mentioned, these two rules are in fact a > > more specific, more informative subsets of code 1 -- > > administratively prohibited. I persnally don't see much of an > > objection for adding these codes, but it would IMHO make useful to > > spell this out explicitly here. > > Would it help to add the following text: > ==== > Codes 5 and 6 are more informative subsets of code 1. Thus code 1 > MAY be used in place of code 5 and 6. > ==== Fine with me, at least. (I guess there could be some resistance to the second sentence, but if so, it could always be removed.) > > It SHOULD be possible for the system administrator to configure a > > node to ignore any ICMP messages that are not authenticated using > > either the Authentication Header or Encapsulating Security Payload. > > Such a switch SHOULD default to allowing unauthenticated messages. > > > > ==> has this even been implemented anywhere? could maybe be > > deleted? This is completely unpractical, e.g., just consider > > PMTU packets -- there is no way you'll ever be able to set > > up security associations with everyone in the Internet to be > > able to accept the packets :) > > I completely agree with you that this is unpractical but it does > make sense to a completely paranoid administrator. Whoever turns > this option ON might not be interested in using PMTU. I don't > see any harm in keeping it. We can make it a MAY from SHOULD. > > What say ?? OK -- I'm fine with putting it in as MAY, with some additional text to describe its inherent problems, e.g. like: Note that setting up Security Associations to deal with all the required ICMP packets is a very difficult, if not even impossible, task (e.g., consider the PMTUD packets) so typically this is does not seem to be practical. > > [PMTU] McCann, J., S. Deering, J. Mogul, "Path MTU Discovery > > for IP version 6", RFC1981, August 1996. > > > > [IPv6-SA] Kent, S., R. Atkinson, "Security Architecture for the > > Internet Protocol", RFC1825, November 1998. > > > > ==> These, and IPsec RFCs are PS's at the moment -- can't refer. > > IPsec ones are being revised though, if that helps any. > > As I referred from the draft-ymbk-downref-01.txt, IPsec RFCs should > be normative. So what should we do now ? > > Also should we refer to the old IPsec RFCs or we should refer to the > updated ones ? If we want to refer to updated ones, how do we refer > to them because they are still drafts. See above. Referring to drafts is OK as long as they don't create a blockage when this work moves forward. As the docs are already at IESG and this is not, this is (hopefully!) not a problem. -- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
- icmpv6-v3 comments Pekka Savola
- RE: icmpv6-v3 comments Mukesh.Gupta
- RE: icmpv6-v3 comments Pekka Savola
- RE: icmpv6-v3 comments Mukesh.Gupta
- RE: icmpv6-v3 comments Pekka Savola
- RE: icmpv6-v3 comments Mukesh.Gupta