Re: Next steps on Extension Header Insertion
Fernando Gont <fgont@si6networks.com> Mon, 07 November 2016 04:23 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40D58129609 for <ipv6@ietfa.amsl.com>; Sun, 6 Nov 2016 20:23:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.309
X-Spam-Level:
X-Spam-Status: No, score=-0.309 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_03_06=1.592, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M9HNMZwO1X3E for <ipv6@ietfa.amsl.com>; Sun, 6 Nov 2016 20:23:23 -0800 (PST)
Received: from fgont.go6lab.si (fgont.go6lab.si [IPv6:2001:67c:27e4::14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47434128B38 for <ipv6@ietf.org>; Sun, 6 Nov 2016 20:23:23 -0800 (PST)
Received: from [172.16.39.40] (unknown [113.161.61.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 7C363829F2; Mon, 7 Nov 2016 05:22:38 +0100 (CET)
Subject: Re: Next steps on Extension Header Insertion
To: otroan@employees.org, Sander Steffann <sander@steffann.nl>
References: <B291E9E6-A803-423F-BFA5-87A74DCFB784@gmail.com> <dfe00826-1bcd-80ae-e6dc-7763c506cbe4@si6networks.com> <9CA73891-B4FA-47DF-82E1-A4867DBC6A3F@steffann.nl> <3C56AA77-18E4-4254-BB6A-A447CE115392@employees.org> <CAG6TeAtJdUua3saSGz0SX7DW6hwf74yAexpnfYoP1bg6v1eywA@mail.gmail.com> <17984D1D-1A3C-4AA5-B2EC-BE5C645A272C@steffann.nl> <369FB219-9979-43CE-B83D-D7C422FC7711@employees.org> <53FE6D80-040F-42DA-BA51-F3A40ABF248F@steffann.nl> <5FA646CC-DD40-4D20-A6C5-AF1D5D90E563@employees.org> <7010E4D5-2A0E-4358-AD76-9996004ED642@steffann.nl> <1060577F-B0CF-48BE-B6FA-862DAAC515F1@employees.org>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <3e5acb1f-4fb9-5c52-ee45-5371699a61cd@si6networks.com>
Date: Sun, 06 Nov 2016 22:22:35 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <1060577F-B0CF-48BE-B6FA-862DAAC515F1@employees.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/QZa2L4bvi-mNzPWqTeaYtQTf00Q>
Cc: 6man WG <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Nov 2016 04:23:25 -0000
On 11/03/2016 10:39 AM, otroan@employees.org wrote: >>> PS: As an operator would you be happy if I sent packets with NH=59, SA=:: with an integrity check covering all fields apart from the HLIM field, and everything else beyond the IPv6 header (40 bytes) was encrypted? >> >> Hmmmmm. Interesting question. As a network operator I'd probably drop that packet because of BCP38. As a security engineer I would be scratching my head and wondering what was going on. But effectively the payload wouldn't be that different from ESP... > > If you dropped it because you looked beyond the 40 bytes IPv6 header that does violate the IPv6 specification. > You can argue even looking violates the specification. I think you're missing two different things. Dropping such packet is a matter of policy. Where modifying packets on the fly can introduce problems difficult (if at all possible) to troubleshot, for no evident reason. >From draft-gont-opsawg-firewalls-analysis-02: ---- cut here ---- 3.3. Firewalls and The End-to-End Principle One common complaint about firewalls in general is that they violate the End-to-End Principle [Saltzer]. The End-to-End Principle is often incorrectly stated as requiring that "application specific functions ought to reside in the end nodes of a network rather than in intermediary nodes, provided they can be implemented 'completely and correctly' in the end nodes" or that "there should be no state in the network." What it actually says is heavily nuanced, and is a line of reasoning applicable when considering any two communication layers. [Saltzer] "presents a design principle that helps guide placement of functions among the modules of a distributed computer system. The principle, called the end-to-end argument, suggests that functions placed at low levels of a system may be redundant or of little value when compared with the cost of providing them at that low level." In other words, the End-to-End Argument is not a prohibition against lower layer retries of transmissions, which can be important in certain LAN technologies, nor of the maintenance of state, nor of consistent policies imposed for security reasons. It is, however, a plea for simplicity. Any behavior of a lower communication layer, whether found in the same system as the higher layer (and especially application) functionality or in a different one, that from the perspective of a higher layer introduces inconsistency, complexity, or coupling, extracts a cost. That cost may be in user satisfaction, difficulty of management or fault diagnosis, difficulty of future innovation, reduced performance, or something else. Such costs need to be clearly and honestly weighed against the benefits expected, and used only if the benefit outweighs the cost. From that perspective, introduction of a policy that prevents communication under an understood set of circumstances, whether it is to prevent access to pornographic sites or to prevent traffic that can be characterized as an attack, does not fail the End-to-End Argument; there are any number of possible sites on the network that are inaccessible at any given time, and the presence of such a policy is easily explained and understood. What does fail the End-to-End Argument is behavior that is intermittent, difficult to explain, or unpredictable. If a site can be reached sometimes and not at other times, or can be reached using this host or application but not another, one will wonder why that is the case, and may not even know where to look for the issue. ---- cut here ---- -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- Next steps on Extension Header Insertion Bob Hinden
- Syntax glitch [Re: Next steps on Extension Header… Brian E Carpenter
- Re: Syntax glitch [Re: Next steps on Extension He… Bob Hinden
- Re: Syntax glitch [Re: Next steps on Extension He… Mark Smith
- Re: Syntax glitch [Re: Next steps on Extension He… otroan
- Re: Next steps on Extension Header Insertion 神明達哉
- Re: Next steps on Extension Header Insertion Bob Hinden
- Re: Next steps on Extension Header Insertion 神明達哉
- Re: Next steps on Extension Header Insertion Fred Baker
- Re: Next steps on Extension Header Insertion Fernando Gont
- Re: Next steps on Extension Header Insertion 神明達哉
- Re: Next steps on Extension Header Insertion Sander Steffann
- Re: Next steps on Extension Header Insertion Jan Zorz - Go6
- Re: Next steps on Extension Header Insertion otroan
- Re: Next steps on Extension Header Insertion Mark Smith
- Re: Next steps on Extension Header Insertion otroan
- Reminder, poll on header insertion closes soon Bob Hinden
- Re: Next steps on Extension Header Insertion Fernando Gont
- RE: Next steps on Extension Header Insertion mohamed.boucadair
- Re: Next steps on Extension Header Insertion otroan
- Re: Next steps on Extension Header Insertion Tim Chown
- Re: Next steps on Extension Header Insertion otroan
- Re: Next steps on Extension Header Insertion Sander Steffann
- Re: Next steps on Extension Header Insertion otroan
- Re: Next steps on Extension Header Insertion Sander Steffann
- Re: Next steps on Extension Header Insertion Jan Zorz - Go6
- Re: Next steps on Extension Header Insertion otroan
- Re: Next steps on Extension Header Insertion Sander Steffann
- Re: Next steps on Extension Header Insertion otroan
- Re: Next steps on Extension Header Insertion Sander Steffann
- Re: Next steps on Extension Header Insertion Mark Smith
- Re: Next steps on Extension Header Insertion Brian E Carpenter
- Re: Next steps on Extension Header Insertion Brian E Carpenter
- Re: Next steps on Extension Header Insertion Mark Smith
- Re: Next steps on Extension Header Insertion Tim Chown
- Re: Next steps on Extension Header Insertion Stefano Previdi (sprevidi)
- Re: Next steps on Extension Header Insertion Fernando Gont
- Re: Next steps on Extension Header Insertion Fernando Gont
- Re: Next steps on Extension Header Insertion Stefano Previdi (sprevidi)
- Re: Next steps on Extension Header Insertion Mark Smith
- Re: Next steps on Extension Header Insertion Stefano Previdi (sprevidi)
- Re: Next steps on Extension Header Insertion Brian E Carpenter
- Re: Next steps on Extension Header Insertion otroan
- Re: Next steps on Extension Header Insertion Stefano Previdi (sprevidi)
- Re: Next steps on Extension Header Insertion Stefano Previdi (sprevidi)
- Re: Next steps on Extension Header Insertion 神明達哉
- Re: Next steps on Extension Header Insertion Brian E Carpenter
- Re: Next steps on Extension Header Insertion Stefano Previdi (sprevidi)
- Re: Next steps on Extension Header Insertion Tim Chown