IETF Logo Mail Archive

Re: I-D Action:draft-ietf-6man-exthdr-01.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 03 January 2011 21:23 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@core3.amsl.com
Delivered-To: ipv6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E42123A6C42 for <ipv6@core3.amsl.com>; Mon, 3 Jan 2011 13:23:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.421
X-Spam-Level:
X-Spam-Status: No, score=-103.421 tagged_above=-999 required=5 tests=[AWL=0.178, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rp7J2sVPeTyL for <ipv6@core3.amsl.com>; Mon, 3 Jan 2011 13:23:22 -0800 (PST)
Received: from mail-ey0-f172.google.com (mail-ey0-f172.google.com [209.85.215.172]) by core3.amsl.com (Postfix) with ESMTP id C5C413A6C41 for <ipv6@ietf.org>; Mon, 3 Jan 2011 13:23:21 -0800 (PST)
Received: by eyd10 with SMTP id 10so5878443eyd.31 for <ipv6@ietf.org>; Mon, 03 Jan 2011 13:25:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :organization:user-agent:mime-version:to:cc:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=tM/VsmoIxMhqwkuqV8juyeoXjxhP9Xw5D9P7kKdysDA=; b=a3TNJv5bcpFtFzH70NnUW+xfz7IlaCKPCxt4MtFIQHbuNb7wZQWxlpyUGpFmZr0wvm 9UaJYnas7Ri1CClypaO/uTVn6pvgwSD8Dez1DUn/39Ij/r5ih9BJzZlX5DDp0rpjAW33 aa/A0SdKFW1r+Kbz6l+0RI08CyawjinttYuTQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; b=Lf5APlZipVddF/PJE1KDS/gd3MV+vkhNaW9DprzBejoYqLcplf9f4qewPgHQ6KZlGH j3MjLNUCRlfQYbaqw+MGua1CrUcAXCFaKMpz+ryxEMGRTS4uM+P5SgXrvDeVZMwS2/ZE 2TkkqlZqU+///lAyoe3xfsdIQMjStFeLh74lU=
Received: by 10.213.26.74 with SMTP id d10mr17360110ebc.61.1294089928306; Mon, 03 Jan 2011 13:25:28 -0800 (PST)
Received: from [10.1.1.4] ([121.98.190.33]) by mx.google.com with ESMTPS id x54sm15109515eeh.17.2011.01.03.13.25.24 (version=SSLv3 cipher=RC4-MD5); Mon, 03 Jan 2011 13:25:27 -0800 (PST)
Message-ID: <4D223EC0.7020906@gmail.com>
Date: Tue, 04 Jan 2011 10:25:20 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Thomas Narten <narten@us.ibm.com>
Subject: Re: I-D Action:draft-ietf-6man-exthdr-01.txt
References: <20101217234501.11691.81147.idtracker@localhost> <AANLkTi=Lr_4zOd=-DrAxic_t_o0MvyOoWPYmiktZZod2@mail.gmail.com> <63416880-97B6-4CE4-864A-1402DA977B5F@tony.li> <AA183326-2E70-4A23-83A7-9F96131ADFF4@tony.li> <4D113364.3050105@ericsson.com> <201101032040.p03KeE86005244@cichlid.raleigh.ibm.com>
In-Reply-To: <201101032040.p03KeE86005244@cichlid.raleigh.ibm.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: "ipv6@ietf.org" <ipv6@ietf.org>, Suresh Krishnan <suresh.krishnan@ericsson.com>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jan 2011 21:23:23 -0000

> 2) The routing header is essentially deprecated, and we probably won't
> define any more.

The proposal for RH4, i.e. draft-ietf-6man-rpl-routing-header,
is active.

However, isn't the real question whether we want to change the
implied intention that adding a new extension header should be
hard? Section 4 of RFC 2460 makes this intention pretty clear:
unknown extension headers should lead to packet discard and
ICMP Parameter Problem, so this is intended for consenting adults
only. Skipping over unknown extension headers was definitely
not intended to work.

The basic motivation for the present draft is clear:

>    However,
>    some intermediate nodes such as firewalls, may need to look at the
>    transport layer header fields in order to make a decision to allow or
>    deny the packet.  

That is, help middleboxes to violate e2e transparency and, furthermore,
allow unknown headers to cross those middleboxes. If I was a paranoid
security person, I would definitely not be happy with this. On the
contrary - if I saw an unknown IP header in a packet, I would want
to discard it. A legacy firewall wouldn't recognize the Next Header
value for draft-ietf-6man-exthdr, so would discard the packet. If my
firewall had been updated, and saw a draft-ietf-6man-exthdr, header,
it would need to look at the embedded "Specific Type" and then decide
whether to discard it. Just a bit more deep packet inspection.

So the one thing this proposal will *not* do is allow new extension headers
to cross the Internet transparently. All it might do is cause the firewalls
to dig one layer deeper before discarding the packet.

Regards
   Brian

v2.23.0 | Report a Bug | By Email