IETF Logo Mail Archive

Re: AUTH48 changes to draft-ietf-6man-rfc6434-bis-09

Tim Chown <Tim.Chown@jisc.ac.uk> Thu, 20 December 2018 10:22 UTC

Return-Path: <tim.chown@jisc.ac.uk>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4903130E35 for <ipv6@ietfa.amsl.com>; Thu, 20 Dec 2018 02:22:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=jisc.ac.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aBmWI_9DpeqX for <ipv6@ietfa.amsl.com>; Thu, 20 Dec 2018 02:22:35 -0800 (PST)
Received: from eu-smtp-delivery-189.mimecast.com (eu-smtp-delivery-189.mimecast.com [207.82.80.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AED0130DF2 for <ipv6@ietf.org>; Thu, 20 Dec 2018 02:22:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jisc.ac.uk; s=mimecast20170213; t=1545301353; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=eNWX+2/oDHhqKJrgsLlq4LKWTCBATnMxx5s6H28r3VM=; b=UYCL6ewzngaWZFSCjsxuN6TUeSyscwi39PZhoiMuAMZfZY7tBfU83P0Oudti6Zm+z7v8vcPCfRXcf9CyaQwgduGtbfK1mdv/05tNjRODIbfjMG6OMuYUrsIgXyN+Rfq13f9MYaNLlcRDndM2KqAkmSMCnOUhIq+gavv4JRNJeUw=
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-ve1eur01lp2050.outbound.protection.outlook.com [104.47.1.50]) (Using TLS) by relay.mimecast.com with ESMTP id uk-mta-114-IPiE2gOANtClj6aA9JuzPg-1; Thu, 20 Dec 2018 10:22:31 +0000
Received: from AM0PR07MB4177.eurprd07.prod.outlook.com (52.133.59.156) by AM0PR07MB4242.eurprd07.prod.outlook.com (52.133.60.26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1446.9; Thu, 20 Dec 2018 10:22:29 +0000
Received: from AM0PR07MB4177.eurprd07.prod.outlook.com ([fe80::c186:ccd5:38d1:730f]) by AM0PR07MB4177.eurprd07.prod.outlook.com ([fe80::c186:ccd5:38d1:730f%4]) with mapi id 15.20.1446.018; Thu, 20 Dec 2018 10:22:29 +0000
From: Tim Chown <Tim.Chown@jisc.ac.uk>
To: Lorenzo Colitti <lorenzo@google.com>
CC: Suresh Krishnan <suresh.krishnan@gmail.com>, IETF IPv6 Mailing List <ipv6@ietf.org>, "draft-ietf-6man-rfc6434-bis@ietf.org" <draft-ietf-6man-rfc6434-bis@ietf.org>, 6man Chairs <6man-chairs@ietf.org>
Subject: Re: AUTH48 changes to draft-ietf-6man-rfc6434-bis-09
Thread-Topic: AUTH48 changes to draft-ietf-6man-rfc6434-bis-09
Thread-Index: AQHUmCwu7+0I1/VfIUe5UAFXaYt4KKWHK6MAgAA8aACAAAESAIAAAlyA
Date: Thu, 20 Dec 2018 10:22:29 +0000
Message-ID: <13A718A8-8274-49AA-8616-970EA8E2F446@jisc.ac.uk>
References: <8A9ACE0F-8EF7-48D7-AB1A-309D05A350CC@gmail.com> <CAKD1Yr0RGKMD4QM+DJLi1787e7WpEtNr98BZHUbXFCK5UtJKvg@mail.gmail.com> <FB206647-95EA-4B1D-BCCA-B9AE15B333CE@jisc.ac.uk> <CAKD1Yr2=54MBwjo09d9zeificoOy2CGmUstEBiiChO09PGrMZQ@mail.gmail.com>
In-Reply-To: <CAKD1Yr2=54MBwjo09d9zeificoOy2CGmUstEBiiChO09PGrMZQ@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.101.1)
x-originating-ip: [193.49.160.72]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM0PR07MB4242; 20:Cg4ETEtZ+oUCSOTle1lPm8rDB1OZA+vmMr6v0sUkb9fHg7XSGvP4O2opNuOcZylGntzQ+H12COzYN5Uli1PvR743az1MPDaKpEVzC/2ZWD+yqAglu5JsJJNHVcBD8jWr9qieOZQ9QwQ51Zk+XNPV9BlrlP1BqSNT+nZ36HdTOIo=
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 1bfd30ca-2b3f-4016-07a9-08d666650bde
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(7193020); SRVR:AM0PR07MB4242;
x-ms-traffictypediagnostic: AM0PR07MB4242:
x-microsoft-antispam-prvs: <AM0PR07MB4242527372CC5176855A16AAD6BF0@AM0PR07MB4242.eurprd07.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(3230021)(999002)(5005026)(6040522)(2401047)(8121501046)(3002001)(3231475)(944501520)(52105112)(10201501046)(93006095)(93001095)(149066)(150057)(6041310)(201703131423095)(201702281528075)(201702281529075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123558120)(20161123560045)(20161123562045)(201708071742011)(7699051)(76991095); SRVR:AM0PR07MB4242; BCL:0; PCL:0; RULEID:; SRVR:AM0PR07MB4242;
x-forefront-prvs: 0892FA9A88
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(366004)(346002)(39850400004)(136003)(396003)(199004)(189003)(39060400002)(97736004)(105586002)(478600001)(229853002)(6486002)(83716004)(4326008)(33656002)(106356001)(6916009)(305945005)(6246003)(6436002)(476003)(2616005)(71190400001)(71200400001)(74482002)(486006)(72206003)(53936002)(6512007)(66574012)(446003)(99286004)(8936002)(86362001)(50226002)(2906002)(11346002)(68736007)(8676002)(81156014)(256004)(36756003)(57306001)(14444005)(14454004)(3846002)(6116002)(66066001)(102836004)(93886005)(786003)(81166006)(82746002)(6506007)(53546011)(25786009)(26005)(7736002)(54906003)(6346003)(316002)(5660300001)(186003)(76176011); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR07MB4242; H:AM0PR07MB4177.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
x-microsoft-antispam-message-info: W/gmWA7VDHpWy03nyhN12XLjYC45TWffaTq1afRSQ67/pFTGkVbtm3oqvab0X5BdoPwugKoPXP+qP0h0c9RphR+D7Xz7J9geT/0mGJ+WURrANi38zEG/7tP/X8vrsHysKrsHawGAB2H1WKA7EB6xZiDTm2NnxsLHQBQMFnZYthEX6q8VeCvaHNi6c8/ZBrt1ygXaI1fRi+xlbDnmh4IHVaxSoCNJCU25gFJwZGd8vXvU8VZOwsotokoVxBJS65suQWdGw/t0Wt2GKYqIcYrueco+cdtVBNhCOCg+Wsn+gvCn86Muu5CfyiRCA7DZPoIX
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-ID: <5A512DF663CCEC4E93ADD44943A15654@eurprd07.prod.outlook.com>
MIME-Version: 1.0
X-OriginatorOrg: jisc.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: 1bfd30ca-2b3f-4016-07a9-08d666650bde
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Dec 2018 10:22:29.5363 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 48f9394d-8a14-4d27-82a6-f35f12361205
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB4242
X-MC-Unique: IPiE2gOANtClj6aA9JuzPg-1
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset="WINDOWS-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/MbeJa-ocp13jygoXIf3c44ckpFU>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Dec 2018 10:22:38 -0000

> On 20 Dec 2018, at 10:14, Lorenzo Colitti <lorenzo@google.com> wrote:
> 
> I'm saying there is no need to repeat that message in RFC6434. If we do repeat it, we should cite 6980.

OK, understood, but in 6434-bis we already say things like (for example):

" As per RFC 8200, when a node fragments an IPv6 datagram, it MUST
   include the entire IPv6 Header Chain in the first fragment."

or

"As recommended in [RFC8021], nodes MUST NOT generate atomic
   fragments"

So this is in a similar style.

Or should we prefix the text below with something like "To facilitate simple and
   effective countermeasures for Neighbor Discovery attacks...."

Or can you suggest alternative wording?

Tim

> On Thu, Dec 20, 2018 at 7:10 PM Tim Chown <Tim.Chown@jisc.ac.uk> wrote:
> > On 20 Dec 2018, at 06:34, Lorenzo Colitti <lorenzo@google.com> wrote:
> > 
> > On Thu, Dec 20, 2018 at 3:21 PM Suresh Krishnan <suresh.krishnan@gmail.com> wrote:
> >   There are two proposed (non-editorial) changes to be made to draft-ietf-6man-rfc6434-bis-09 during the AUTH48 period and I would like to check with the WG if anyone has objections to these changes. I personally think that these are reasonable changes to make.  If I do not hear any objections by end of day December 27th 2018 (AOE), I will approve these changes and send this along the RFC publication path.
> > 
> > Change 1) Text change in Section 5.4. 
> > 
> > Old:
> > Neighbor Discovery SHOULD be supported. RFC 4861 states:
> > 
> > New:
> > Neighbor Discovery MUST be supported with the noted exceptions below. 
> > RFC 4861 states:
> > 
> > Support. This clarifies that the only exceptions for ND are the ones written immediately below. That's pretty clearly the intent of the text already.
> >  
> > Change 2) New text in Section 5.4.
> > ...
> > As per RFC 6980, hosts MUST NOT employ IPv6 fragmentation for sending any of the following Neighbor Discovery and SEcure Neighbor Discovery messages: Neighbor Solicitation, Neighbor Advertisement, Router Solicitation, Router Advertisement, Redirect, or Certification Path Solicitation.
> > 
> > Why? This new text text places a hard limit on the number and size of the options that may be inserted in such a packet, and provides zero rationale. That's not good for text in a BCP. I don't see why it needs to be included. It's already written in RFC 6980.
> 
> Well, RFC 6980 is standards track (not informational) and was published 5 years ago.  The principal rationale is in the abstract.
> 
> Are you aware of implementations that are still fragmenting such ND messages?
> 
> Are you suggesting we should deprecate RFC 6980. Either we believe it is good practice and encourage its adoption, if some implementations do still ignore it, or we say we no longer believe its applicable.
> 
> Tim
>

v2.23.0 | Report a Bug | By Email