IETF Logo Mail Archive

Re: Detailed review of draft-ietf-6man-ext-transmit-02

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 14 August 2013 04:29 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E383921F9A27 for <ipv6@ietfa.amsl.com>; Tue, 13 Aug 2013 21:29:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.499
X-Spam-Level:
X-Spam-Status: No, score=-102.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vMjpcgZW7iih for <ipv6@ietfa.amsl.com>; Tue, 13 Aug 2013 21:29:11 -0700 (PDT)
Received: from mail-pa0-x22c.google.com (mail-pa0-x22c.google.com [IPv6:2607:f8b0:400e:c03::22c]) by ietfa.amsl.com (Postfix) with ESMTP id EF56C21F826B for <6man@ietf.org>; Tue, 13 Aug 2013 21:29:10 -0700 (PDT)
Received: by mail-pa0-f44.google.com with SMTP id fz6so6891178pac.31 for <6man@ietf.org>; Tue, 13 Aug 2013 21:29:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=AIFiSpWmiz/1kYd+rOKgXMEwSqfGu9ez4t74ppi/e3M=; b=h8A9LDrWvJRH2L+CrWjhgGbuSr+lPvbQ2yNM3n3cLCXUbr6IBtFgQ8g8iT3GpEzPV+ QHbFwspZEH6kX3aa45grivKVERNrftCgQ7IQ1aCHUqsj3FY/LF6DxN+qdytnYP3mWHvw NVeBsyaY5Tsg5c1xU26HxYxwzAfVmEEuRiJuYwkz8dxN3J44MhOhwjKFiYtRCB69bh8K Zxwdcqh7uoEW6iXajf0cIwb3EbUvtdaXUl8/aGuNwkOYnUVh1p1ZX+eNoIaFphPhc+DL cfaM2GB3uJkuy8ljv6q8iH+xbLwypout6EF3YNEkVcD3CDwE2FK8h+KBRsgegDvfiefZ vI6A==
X-Received: by 10.68.131.3 with SMTP id oi3mr7888957pbb.35.1376454549550; Tue, 13 Aug 2013 21:29:09 -0700 (PDT)
Received: from [10.1.9.168] ([203.167.141.74]) by mx.google.com with ESMTPSA id ot4sm50487662pac.17.2013.08.13.21.29.06 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 13 Aug 2013 21:29:08 -0700 (PDT)
Message-ID: <520B0794.3010003@gmail.com>
Date: Wed, 14 Aug 2013 16:29:08 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Fernando Gont <fgont@si6networks.com>
Subject: Re: Detailed review of draft-ietf-6man-ext-transmit-02
References: <520AA510.8050409@si6networks.com>
In-Reply-To: <520AA510.8050409@si6networks.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-6man-ext-transmit@tools.ietf.org, "6man@ietf.org" <6man@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Aug 2013 04:29:12 -0000

Fernando,

Thanks for the careful review. Most of your comments lead to fairly obvious
fixes, which we'll apply in the next version. Just a few points below which
may need discussion:

On 14/08/2013 09:28, Fernando Gont wrote:
...
> * Section 1:
>> Unfortunately, experience has showed that as a result,
>>    the network is not transparent to IPv6 extension headers.
> 
> I'd probably rephrase this sentence. A firewall's goal is, for instance,
> to police packets. So that lack of "transparency" is actually a goal
> they have (whether we like it or not).

True, but it's unfortunate from the point of view of the design of IPv6.
Speaking for myself only, I think the sentence is accurate - see the
next point.

...
> * Section 2.1:
>>    Any forwarding node along an IPv6 packet's path, which forwards the
>>    packet for any reason, SHOULD do so regardless of any extension
>>    headers that are present, as required by RFC 2460.
> 
> I find this particular requirement a bit troublesome. Truth is that many
> devices violate this requirement, and will always will.

Yes, but the IPv6 design really does require this. I think the
SHOULD is right, because RFC 2119 says that it means "there
may exist valid reasons in particular circumstances to ignore a
particular item, but the full implications must be understood and
carefully weighed before choosing a different course." That is
a perfectly reasonable choice for the person managing a firewall
to make, but it doesn't change the IPv6 design assumption.

> 
> OTOH, the rest of the document is perfectly fine in this respect -- it
> acknowledges that some devices will look at the extension headers, and
> provides advice on what to do (e.g., "you should have an explicit policy
> regarding what to do with extension headers").
> 
> I guess I could live with a SHOULD (at least, it's not a "MUST") --
> however, in the light of reality, I'd probably relax this requirement.

...

> * Section 4:
>>    This list excludes both type 59, No Next Header, [RFC2460], which is
>>    not an extension header as such, and type 139, HIP, [RFC5201], which
>>    is experimental.
> 
> If RFC5201 specifies an extension header, why shouldn't it be listed in
> the registry? (Disclaimer: I haven't even looked at RFC5201... so I
> might be missing something).

This is a bit tricky. If HIP was a standards-track protocol it would
be easy, but since it's experimental, it really doesn't seem realistic
to hint that firewalls should allow it by default. Maybe we should
change the IANA registry to include the experimental ones, but with
a special tag? (Extension headers 253 and 254 are also tricky, because
they are experimental values defined by a standards track RFC. Go figure!)

    Brian

v2.23.0 | Report a Bug | By Email