IETF Logo Mail Archive

Re: I-D Action:draft-ietf-6man-exthdr-01.txt

Fernando Gont <fernando@gont.com.ar> Tue, 04 January 2011 17:16 UTC

Return-Path: <fernando.gont.netbook.win@gmail.com>
X-Original-To: ipv6@core3.amsl.com
Delivered-To: ipv6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9D9193A6C75 for <ipv6@core3.amsl.com>; Tue, 4 Jan 2011 09:16:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.536
X-Spam-Level:
X-Spam-Status: No, score=-3.536 tagged_above=-999 required=5 tests=[AWL=0.063, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3nKbOz5oy4D9 for <ipv6@core3.amsl.com>; Tue, 4 Jan 2011 09:16:18 -0800 (PST)
Received: from mail-gy0-f194.google.com (mail-gy0-f194.google.com [209.85.160.194]) by core3.amsl.com (Postfix) with ESMTP id B13643A6BE0 for <ipv6@ietf.org>; Tue, 4 Jan 2011 09:16:18 -0800 (PST)
Received: by gyf1 with SMTP id 1so3336992gyf.1 for <ipv6@ietf.org>; Tue, 04 Jan 2011 09:18:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :x-enigmail-version:openpgp:content-type:content-transfer-encoding; bh=7CVq/h0XWgqQ0iic1DCnzJcF90FKCxOtn7CMRqhNqyA=; b=PJzrh5LMzi6ApVJwt26a88fQD+HnoUedEER5VlYlI9KPUkIdno7ZbQAmWqJlmsSRHl 5XYkVM5mMEcj0hvchP55cec6gJmHthStQgFdXf5HPq2KOmpgj0HDJSg0lKZecBES7FhR vd33gFC7axovGJbH0q1Xky21mNs5pRslFpOiA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; b=c4wuQ+Dlymc6ZPAslmJQmM5x4qySIwuM799peCcaPy+f6kvBo3JZgbN9m+jSlyQ+MT hIK/RpH92UlvtYIMkz9Tz81BvMkliBWLQapVVrw0yhPo/eMBBxbkPX9aqgp9VhIsDVkF ql1dNR56ExnADC8KNUKOO0q2z2TB/YKifg12Q=
Received: by 10.147.33.10 with SMTP id l10mr30777000yaj.29.1294161505621; Tue, 04 Jan 2011 09:18:25 -0800 (PST)
Received: from [192.168.0.120] (61-128-17-190.fibertel.com.ar [190.17.128.61]) by mx.google.com with ESMTPS id f73sm13159574yhc.4.2011.01.04.09.18.07 (version=TLSv1/SSLv3 cipher=RC4-MD5); Tue, 04 Jan 2011 09:18:24 -0800 (PST)
Sender: Fernando Gont <fernando.gont.netbook.win@gmail.com>
Message-ID: <4D23563E.7000108@gont.com.ar>
Date: Tue, 04 Jan 2011 14:17:50 -0300
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.8) Gecko/20100802 Thunderbird/3.1.2
MIME-Version: 1.0
To: Thomas Narten <narten@us.ibm.com>
Subject: Re: I-D Action:draft-ietf-6man-exthdr-01.txt
References: <20101217234501.11691.81147.idtracker@localhost> <AANLkTi=Lr_4zOd=-DrAxic_t_o0MvyOoWPYmiktZZod2@mail.gmail.com> <63416880-97B6-4CE4-864A-1402DA977B5F@tony.li> <AA183326-2E70-4A23-83A7-9F96131ADFF4@tony.li> <4D113364.3050105@ericsson.com> <201101032040.p03KeE86005244@cichlid.raleigh.ibm.com> <4D223EC0.7020906@gmail.com> <4D2242E9.8040804@gont.com.ar> <201101041429.p04ET81p006364@cichlid.raleigh.ibm.com>
In-Reply-To: <201101041429.p04ET81p006364@cichlid.raleigh.ibm.com>
X-Enigmail-Version: 1.1.1
OpenPGP: id=D076FFF1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "ipv6@ietf.org" <ipv6@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>, Suresh Krishnan <suresh.krishnan@ericsson.com>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jan 2011 17:16:19 -0000

Hi, Thomas,

On 04/01/2011 11:29 a.m., Thomas Narten wrote:
>> From the POV of a firewall, unless it really wants a packet to
>> pass-through, it will block it.
> 
> I think this is the crux of the problem. firewalls, by default,
> discard stuff. They don't like the idea of allowing unknown or
> "uncommon" things through.  Defining new options and expecting
> firewalls to give them a blank check to go through I suspect is
> wishful thinking.
> 
> And look at this from the perspective of someone who wants to deploy a
> new option. If 80% of the firewalls allow the new option through, will
> this be good enough for deployment? Doubtful. What about 98%
> cooperation from firewalls? Again, quite possibly not.

I fully agree with you.



> Unless this document is widely implemented in practice, it's far from
> clear it is useful. 

Whether it's widely deployed is, IMHO, irrelevant. Two cases:

* The I-D is not deployed (firewalls can't go past new extension
headers). -- but the very presence of the unknown headers is what causes
the fw to block the packets.
* The I-D is deployed. The presence of an "uncommon" extension header
causes the fw to block the packet (even when it could, *if* it wanted go
past the "uncommon" extension header).

As you correctly stated it, the crux of the problem is that this
document assumes that firewalls are willing to allow stuff that they
don't understand. -- but they aren't. They are meant to only allow stuff
that is needed.

Thanks,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

v2.23.0 | Report a Bug | By Email