IETF Logo Mail Archive

Re: I-D Action:draft-ietf-6man-exthdr-01.txt

"Hing-Kam (Kam) Lam" <hingkam16@gmail.com> Sat, 15 January 2011 22:55 UTC

Return-Path: <hingkam16@gmail.com>
X-Original-To: ipv6@core3.amsl.com
Delivered-To: ipv6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0E2633A6BA8 for <ipv6@core3.amsl.com>; Sat, 15 Jan 2011 14:55:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.292
X-Spam-Level:
X-Spam-Status: No, score=-3.292 tagged_above=-999 required=5 tests=[AWL=0.307, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oE27zoeIoUWe for <ipv6@core3.amsl.com>; Sat, 15 Jan 2011 14:55:13 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by core3.amsl.com (Postfix) with ESMTP id 07E4F3A6B9B for <ipv6@ietf.org>; Sat, 15 Jan 2011 14:55:12 -0800 (PST)
Received: by iyi42 with SMTP id 42so3878121iyi.31 for <ipv6@ietf.org>; Sat, 15 Jan 2011 14:57:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=W+3mHqf+w3DgGt+HjkBdiqAoDy3pj6URyBkRNhACrbk=; b=f+aVtfps6kiUMaPe9JE/+eLtLg7SM9wtfDqMD/USJByN8sXi4+0Vv8o/p915Z6rqDf ghvuLdXFYpZhoPSd2i7ilBzEDxIpPWjhp5WzMsbobiS+rWws6DbWl7c/jIuC5O5pNsi4 /7N7i1y0oVqr3FlAfmSrEbDBCG/Hf/D6Yu7ao=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=N4PS14LTuNPTX5S6UmUmu7WiSgPwomBg4lTtv08CTdEJ+/dOBB/+wS/03dbPR1j64W tMwYagR718WVXGKgBXE6jainOpU8WnMCjWfF5syoiO9MCV/758GxaIUkAToVh0XY0qaB vAZU8EfrIqRqss0YqSxBmrgchhGy17UYuujIg=
MIME-Version: 1.0
Received: by 10.231.10.193 with SMTP id q1mr2463925ibq.53.1295132261163; Sat, 15 Jan 2011 14:57:41 -0800 (PST)
Received: by 10.231.14.141 with HTTP; Sat, 15 Jan 2011 14:57:41 -0800 (PST)
In-Reply-To: <4D224550.5080808@joelhalpern.com>
References: <20101217234501.11691.81147.idtracker@localhost> <AANLkTi=Lr_4zOd=-DrAxic_t_o0MvyOoWPYmiktZZod2@mail.gmail.com> <63416880-97B6-4CE4-864A-1402DA977B5F@tony.li> <AA183326-2E70-4A23-83A7-9F96131ADFF4@tony.li> <4D113364.3050105@ericsson.com> <201101032040.p03KeE86005244@cichlid.raleigh.ibm.com> <4D223EC0.7020906@gmail.com> <4D2242E9.8040804@gont.com.ar> <4D224550.5080808@joelhalpern.com>
Date: Sun, 16 Jan 2011 04:27:41 +0530
Message-ID: <AANLkTin9kEgc7DjG+xO7syu6hY63FwNc_D5MqrFxR9tP@mail.gmail.com>
Subject: Re: I-D Action:draft-ietf-6man-exthdr-01.txt
From: "Hing-Kam (Kam) Lam" <hingkam16@gmail.com>
To: "Joel M. Halpern" <jmh@joelhalpern.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "ipv6@ietf.org" <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Jan 2011 22:55:14 -0000

> If we take the view that a firewall will block anything it does not know,
> without question or limit, then
> 1) We have no way to extend our basic protocols that will pass through
> firewalls (we have to tunnel / encapsulate)

I agree.

> 2) you are correct that this document does not help.

Disagree. If the Hdr Options is 00, then it will pass through.

>
> Also, if we assume that no one will ever define any new extension headers,
> then this work does not matter.
>
> (If we want that prohibition to be the case, we should say so, and remove
> the hook for new extension headers that was left in 2460.)
>
> On the other hand, if we think that there will be new extension headers, and
> we think that firewalls block things if they can not find enough information
> to allow them through, then it can be helpful if the firewalls (and other
> devices) can parse pass these new extensions without knowing them.
>  (Remember, these are for end-point consumption only.)

Yes.

>
> It seems to me a disservice to simultaneously let people use new extension
> headers and not give them a way to use them that can be parsed past by the
> common devices that could easily want to do such parsing.

Yes.

>
> My own preference would probably be to say that all end-to-end IP
> information should be in the destination options.  But if we do not want to
> go there, then we should own up to the implications thereof.  (In
> particular, there might be corner cases that can't use destination options.
>  We should tell people to use destination options first.  And tell them what
> to do if they can't.)

This then could be added in the subsequent versions of this draft.

Kam

>
> Yours,
> Joel
>
> On 1/3/2011 4:43 PM, Fernando Gont wrote:
>>
>> On 03/01/2011 06:25 p.m., Brian E Carpenter wrote:
>>
>>> The basic motivation for the present draft is clear:
>>>
>>>>    However,
>>>>    some intermediate nodes such as firewalls, may need to look at the
>>>>    transport layer header fields in order to make a decision to allow or
>>>>    deny the packet.
>>>
>>> That is, help middleboxes to violate e2e transparency and, furthermore,
>>> allow unknown headers to cross those middleboxes.
>>
>> I don't think this I-D will make a difference.
>>
>>> From the POV of a firewall, unless it really wants a packet to
>>
>> pass-through, it will block it.
>>
>> So, whether the Extension Header is unknown, or whether
>> draft-ietf-6man-exthdr-01.txt is implemented and the Specific type is
>> unknown will lead to the same result: the packet will be discarded.
>>
>> This proposal would only be useful to firewalls that implement a
>> "default allow", and that simply want to somehow ignore an unknown
>> extension header and base their decision on the upper-layer protocol
>> (only). -- But we all know that firewalls operate (or should operate) in
>> "default deny" rather than "default allow".
>>
>> So IMHO this proposal won't be useful for such firewalls.
>>
>> Thanks,
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email