IETF Logo Mail Archive

Re: I-D Action:draft-ietf-6man-exthdr-01.txt

"Rosomakho, Yaroslav" <yaroslav@arbor.net> Tue, 04 January 2011 00:46 UTC

Return-Path: <yaroslav@arbor.net>
X-Original-To: ipv6@core3.amsl.com
Delivered-To: ipv6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 127F03A677C for <ipv6@core3.amsl.com>; Mon, 3 Jan 2011 16:46:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RBZSlUFN2wgg for <ipv6@core3.amsl.com>; Mon, 3 Jan 2011 16:46:07 -0800 (PST)
Received: from gateout02.mbox.net (gateout02.mbox.net [165.212.64.22]) by core3.amsl.com (Postfix) with ESMTP id EA7823A66B4 for <ipv6@ietf.org>; Mon, 3 Jan 2011 16:46:06 -0800 (PST)
Received: from gateout02.mbox.net (gwo2-lo [127.0.0.1]) by gateout02.mbox.net (Postfix) with ESMTP id A6F7A4BCA61 for <ipv6@ietf.org>; Tue, 4 Jan 2011 00:48:13 +0000 (GMT)
X-USANET-Received: from gateout02.mbox.net [127.0.0.1] by gateout02.mbox.net via mtad (C8.MAIN.3.71F) with ESMTP id 740PaDaWm9024Mo2; Tue, 04 Jan 2011 00:48:12 -0000
Received: from s1hub4.EXCHPROD.USA.NET [165.212.120.254] by gateout02.mbox.net via smtad (C8.MAIN.3.68M) with ESMTPS id XID457PaDaWm5652Xo2; Tue, 04 Jan 2011 00:48:12 -0000
X-USANET-Source: 165.212.120.254 IN yaroslav@arbor.net s1hub4.EXCHPROD.USA.NET
X-USANET-MsgId: XID457PaDaWm5652Xo2
Received: from MBX14.EXCHPROD.USA.NET ([10.120.221.141]) by s1hub4.EXCHPROD.USA.NET ([10.120.220.34]) with mapi; Tue, 4 Jan 2011 00:48:06 +0000
From: "Rosomakho, Yaroslav" <yaroslav@arbor.net>
To: "ipv6@ietf.org" <ipv6@ietf.org>
Date: Tue, 04 Jan 2011 00:48:04 +0000
Subject: Re: I-D Action:draft-ietf-6man-exthdr-01.txt
Thread-Topic: I-D Action:draft-ietf-6man-exthdr-01.txt
Thread-Index: AcurqQzV25+AinSPRtmonafpNc+A2A==
Message-ID: <C9484261.A29A%yaroslav@arbor.net>
In-Reply-To: <4D2242E9.8040804@gont.com.ar>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.0.101115
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jan 2011 00:46:08 -0000

Generally I support the draft, but I also agree with comments about
firewalls.

To make this idea work, I would suggest changing word "must" to word
"SHOULD" in definition of Hdr Options parameters.
Designers of these additional headers have to acknowledge the fact that
there is no guarantee of delivery of unknown headers over firewalls in any
case.

I also have concern about mandatory "ICMP Parameter problem" message
required by second bit in the Hdr Options. While generally this is a nice
idea, it could be abused to start a reflection attack. Obviously in real
life this will be mitigated by control plane policing and other
traditional security measures, but draft does not permit that.
Replacing "must" with a "SHOULD" will fix this problem as well.

Have you considered an option to allow a device that does not understand
extension header to remove just the unknown header and continue processing
the packet?
 


Best Regards,
Yaroslav



On 4/1/11 12:43 AM, "Fernando Gont" <fernando@gont.com.ar> wrote:

>On 03/01/2011 06:25 p.m., Brian E Carpenter wrote:
>
>> The basic motivation for the present draft is clear:
>> 
>>>    However,
>>>    some intermediate nodes such as firewalls, may need to look at the
>>>    transport layer header fields in order to make a decision to allow
>>>or
>>>    deny the packet.
>> 
>> That is, help middleboxes to violate e2e transparency and, furthermore,
>> allow unknown headers to cross those middleboxes.
>
>I don't think this I-D will make a difference.
>
>From the POV of a firewall, unless it really wants a packet to
>pass-through, it will block it.
>
>So, whether the Extension Header is unknown, or whether
>draft-ietf-6man-exthdr-01.txt is implemented and the Specific type is
>unknown will lead to the same result: the packet will be discarded.
>
>This proposal would only be useful to firewalls that implement a
>"default allow", and that simply want to somehow ignore an unknown
>extension header and base their decision on the upper-layer protocol
>(only). -- But we all know that firewalls operate (or should operate) in
>"default deny" rather than "default allow".
>
>So IMHO this proposal won't be useful for such firewalls.
>
>Thanks,
>-- 
>Fernando Gont
>e-mail: fernando@gont.com.ar || fgont@acm.org
>PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
>
>
>
>--------------------------------------------------------------------
>IETF IPv6 working group mailing list
>ipv6@ietf.org
>Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>--------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email