Re: I-D Action:draft-ietf-6man-exthdr-01.txt
Fernando Gont <fernando@gont.com.ar> Tue, 04 January 2011 05:22 UTC
Return-Path: <fernando.gont.netbook.win@gmail.com>
X-Original-To: ipv6@core3.amsl.com
Delivered-To: ipv6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 068283A6A5E for <ipv6@core3.amsl.com>; Mon, 3 Jan 2011 21:22:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.539
X-Spam-Level:
X-Spam-Status: No, score=-1.539 tagged_above=-999 required=5 tests=[AWL=-0.738, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, RCVD_IN_NJABL_PROXY=1.643, RCVD_IN_SORBS_HTTP=0.001, RCVD_IN_SORBS_MISC=0.353, RCVD_IN_SORBS_SOCKS=0.801]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vPCXNKUOcaiI for <ipv6@core3.amsl.com>; Mon, 3 Jan 2011 21:22:15 -0800 (PST)
Received: from mail-gw0-f66.google.com (mail-gw0-f66.google.com [74.125.83.66]) by core3.amsl.com (Postfix) with ESMTP id 1D8973A6A77 for <ipv6@ietf.org>; Mon, 3 Jan 2011 21:22:15 -0800 (PST)
Received: by gwj18 with SMTP id 18so3320305gwj.1 for <ipv6@ietf.org>; Mon, 03 Jan 2011 21:24:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :x-enigmail-version:openpgp:content-type:content-transfer-encoding; bh=LPelRhNhMq7VPkxozI+VdO47YiykUsd/Va7Mj+vOpuo=; b=oUIwmbIrvth+mb7DsDb8g8L5OnWNmKAdZbh/OjfZ/h8loQR5zsHscUGRfQ0fU3yj5q 5Lguu5Va7n4yz2TCpMFCDO6Pw9YCHcuKmVZ0teQbxRv0Uc8yjmWs3ymA7XyR6Ltp7W7C 7U468o6v9HydDqnajiYmKF140DZN4YwcPs9Fc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; b=j8xbDnCDarXKjkaxIqoHCjws1dsXlEf9TIteeEVT+WkbHd2HgxZFWNRnrrWENdgKE+ 3w1x4w6PPiWUjjBKXXXV1LN1NOsbqNrki1ExODNswXmohWrgvYMHuvpfaxGq8e4U/eUM WApuIdmHnmEIl2rFwso/IIYRbtranJ4YKTUf4=
Received: by 10.150.49.10 with SMTP id w10mr20261072ybw.231.1294118661866; Mon, 03 Jan 2011 21:24:21 -0800 (PST)
Received: from [192.168.123.101] ([190.48.198.63]) by mx.google.com with ESMTPS id 46sm12842143yhl.12.2011.01.03.21.24.18 (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 03 Jan 2011 21:24:20 -0800 (PST)
Sender: Fernando Gont <fernando.gont.netbook.win@gmail.com>
Message-ID: <4D22AEFD.8010903@gont.com.ar>
Date: Tue, 04 Jan 2011 02:24:13 -0300
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.8) Gecko/20100802 Thunderbird/3.1.2
MIME-Version: 1.0
To: "Joel M. Halpern" <jmh@joelhalpern.com>
Subject: Re: I-D Action:draft-ietf-6man-exthdr-01.txt
References: <20101217234501.11691.81147.idtracker@localhost> <AANLkTi=Lr_4zOd=-DrAxic_t_o0MvyOoWPYmiktZZod2@mail.gmail.com> <63416880-97B6-4CE4-864A-1402DA977B5F@tony.li> <AA183326-2E70-4A23-83A7-9F96131ADFF4@tony.li> <4D113364.3050105@ericsson.com> <201101032040.p03KeE86005244@cichlid.raleigh.ibm.com> <4D223EC0.7020906@gmail.com> <4D2242E9.8040804@gont.com.ar> <4D224550.5080808@joelhalpern.com>
In-Reply-To: <4D224550.5080808@joelhalpern.com>
X-Enigmail-Version: 1.1.1
OpenPGP: id=D076FFF1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "ipv6@ietf.org" <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jan 2011 05:22:16 -0000
Hi, Joel, On 03/01/2011 06:53 p.m., Joel M. Halpern wrote: > If we take the view that a firewall will block anything it does not > know, without question or limit, then > 1) We have no way to extend our basic protocols that will pass through > firewalls (we have to tunnel / encapsulate) > 2) you are correct that this document does not help. I think we're talking about different issues here. The goal of this document is to "help" firewalls such that they can get to the transport protocol (*assuming* that the firewalls do not care about extension headers). -- and my point is that you don't need to do this. -- if the extension header is unknown, the firewall should not allow the packet through (i.e., default deny). The fact that the firewall cannot *parse* the header is a secondary issue. -- And all this has little or nothing to do with our ability to extend our protocols. Now, you may argue that a "default" deny limits our ability to extend our protocols. Strictly speaking, it doesn't -- it limits our ability to *deploy* them. But then, there's no reason (security-wise) for which an admin should allow a protocol to be deployed in his network without his prior consent. Yep... usability vs. security.... > Also, if we assume that no one will ever define any new extension > headers, then this work does not matter. Even then, why not just mandate that new extension headers (if they ever need to be defined) should be TLV? -- why do we need the extra header, etc.? > On the other hand, if we think that there will be new extension headers, > and we think that firewalls block things if they can not find enough > information to allow them through, then it can be helpful if the > firewalls (and other devices) can parse pass these new extensions > without knowing them. Just mandating that future extension headers have a syntax of TLV would suffice. Anyway, the rationale is that a firewall will allow stuff that it *needs* to allow. -- Why should a firewall allow an extension header that has not been deemed as necessary? >(Remember, these are for end-point consumption only.) NIDS, firewalls, and other middle-boxes consume these things.. even when they are not meant for them.... > It seems to me a disservice to simultaneously let people use new > extension headers and not give them a way to use them that can be parsed > past by the common devices that could easily want to do such parsing. Just mandate TLV, and that's it -- actually, not sure why this is not part of RFC 2460 alreay... > My own preference would probably be to say that all end-to-end IP > information should be in the destination options. But if we do not want > to go there, then we should own up to the implications thereof. (In > particular, there might be corner cases that can't use destination > options. Such as? Thanks! Kind regards, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@acm.org PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
- I-D Action:draft-ietf-6man-exthdr-01.txt Internet-Drafts
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Hing-Kam (Kam) Lam
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Tony Li
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Tony Li
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Suresh Krishnan
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Tony Li
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Suresh Krishnan
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Tony Li
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Thomas Narten
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Brian E Carpenter
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Fernando Gont
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Joel M. Halpern
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Rosomakho, Yaroslav
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Fernando Gont
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Thomas Narten
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Thomas Narten
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt RJ Atkinson
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Steven Blake
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Fernando Gont
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Joel M. Halpern
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Rémi Després
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt RJ Atkinson
- RE: I-D Action:draft-ietf-6man-exthdr-01.txt Suresh Krishnan
- RE: I-D Action:draft-ietf-6man-exthdr-01.txt Suresh Krishnan
- RE: I-D Action:draft-ietf-6man-exthdr-01.txt Suresh Krishnan
- RE: I-D Action:draft-ietf-6man-exthdr-01.txt Suresh Krishnan
- RE: I-D Action:draft-ietf-6man-exthdr-01.txt Suresh Krishnan
- RE: I-D Action:draft-ietf-6man-exthdr-01.txt Suresh Krishnan
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Joel M. Halpern
- RE: I-D Action:draft-ietf-6man-exthdr-01.txt Bhatia, Manav (Manav)
- RE: I-D Action:draft-ietf-6man-exthdr-01.txt Bhatia, Manav (Manav)
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt RJ Atkinson
- RE: I-D Action:draft-ietf-6man-exthdr-01.txt RJ Atkinson
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Brian E Carpenter
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt RJ Atkinson
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Rémi Després
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Rémi Després
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt james woodyatt
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Hing-Kam (Kam) Lam
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Hing-Kam (Kam) Lam
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Hing-Kam (Kam) Lam
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Hing-Kam (Kam) Lam
- Re: I-D Action:draft-ietf-6man-exthdr-01.txt Brian E Carpenter
- draft-ietf-6man-exthdr-01 - Support for adoption Rémi Després