IETF Logo Mail Archive

Re: Mirja Kühlewind's Discuss on draft-ietf-6man-rfc2460bis-09: (with DISCUSS and COMMENT)

"Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net> Sat, 15 April 2017 13:50 UTC

Return-Path: <ietf@kuehlewind.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63329126DD9 for <ipv6@ietfa.amsl.com>; Sat, 15 Apr 2017 06:50:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qGOUMR10YBVS for <ipv6@ietfa.amsl.com>; Sat, 15 Apr 2017 06:50:01 -0700 (PDT)
Received: from kuehlewind.net (kuehlewind.net [83.169.45.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4380C127ABE for <ipv6@ietf.org>; Sat, 15 Apr 2017 06:50:01 -0700 (PDT)
Received: (qmail 27979 invoked from network); 15 Apr 2017 15:49:59 +0200
Received: from p5dec216f.dip0.t-ipconnect.de (HELO ?192.168.178.33?) (93.236.33.111) by kuehlewind.net with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 15 Apr 2017 15:49:59 +0200
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Subject: Re: Mirja Kühlewind's Discuss on draft-ietf-6man-rfc2460bis-09: (with DISCUSS and COMMENT)
From: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
In-Reply-To: <0c7d3a7b-99c9-dbef-d6cc-9a4a94cb9c9f@gmail.com>
Date: Sat, 15 Apr 2017 15:49:58 +0200
Cc: Bob Hinden <bob.hinden@gmail.com>, draft-ietf-6man-rfc2460bis@ietf.org, IPv6 List <ipv6@ietf.org>, IESG <iesg@ietf.org>, 6man-chairs@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <4AE56E75-78D4-43EA-8118-8195FD8A3D08@kuehlewind.net>
References: <149201127005.15808.3277140025315157500.idtracker@ietfa.amsl.com> <248F8BA5-48D6-4933-B45F-7F1B20477C2C@employees.org> <3C06A5F9-19B9-48E1-BB67-57D540E5E38D@kuehlewind.net> <A5628A89-3830-4851-87F1-AE8329597DAE@gmail.com> <58B249A0-2F0B-4AD6-890D-BB0F0594DEE1@kuehlewind.net> <0c7d3a7b-99c9-dbef-d6cc-9a4a94cb9c9f@gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/sUE6J9umvIOboZ7cFdLydRlNNhw>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Apr 2017 13:50:03 -0000

Hi Brian,

thanks for splitting the discussion up into it’s three piece. However, i’m answering this one first because there is some relation to the other one on HBH. Further see below.

> Am 14.04.2017 um 04:28 schrieb Brian E Carpenter <brian.e.carpenter@gmail.com>:
> 
> And one more comment for today:
> On 13/04/2017 23:36, Mirja Kuehlewind (IETF) wrote:
> 
> ...
>>> As it says in Section 4.8:
>>> 
>>>  Defining new IPv6 extension headers is not recommended.  There has to
>>>  be a very clear justification why any new extension header is needed
>>>  before it is standardized.  Instead of defining new Extension
>>>  Headers, it is recommended that the Destination Options header is
>>>  used to carry optional information that must be examined only by a
>>>  packet's destination node(s), because they provide better handling
>>>  and backward compatibility.
>>> 
>> Yes, this text is the text I have problem with. I think I would suggest to drop the first part and only have this part:
>> 
>> "It is recommended to rather use the Destination Options header 
>> to carry optional information that must be examined only by a
>> packet's destination node(s), instead of defining new Extension
>> Headers, because they provide better handling
>> and backward compatibility."
> 
> "Defining new IPv6 extension headers is not recommended" is a rather
> mild statement. There were certainly some in the WG who wanted
> a MUST NOT here. It's an operational and security concern: existing
> middleboxes, especially firewalls, are allergic to extension headers
> that they don't understand. This is unfortunate, since the design model
> was that the forwarding path should be transparent to all headers, which
> meant that new headers could be deployed between consenting adults
> without any infrastructure issues. But this simply doesn't work in
> the real world - that's the main reason we wrote RFC7045. I think it's
> worth quoting this:
> 
>   This combination of circumstances creates a "Catch-22" situation
>   [Heller] for the deployment of any newly standardised extension
>   header except for local use.  It cannot be widely deployed because
>   existing middleboxes will drop it on many paths through the Internet.
>   However, most middleboxes will not be updated to allow the new header
>   to pass until it has been proved safe and useful on the open
>   Internet, which is impossible until the middleboxes have been
>   updated.
> 
> So, defining new IPv6 extension headers is not recommended, because
> they probably won't work across the Internet. But it isn't a MUST NOT,
> because if there was a compelling operational case, we could do it and
> the middleboxes would follow.

First of all yes, giving further explanation/background is definitely a good thing to do, and maybe also provide a reference to rfc7045 if appropriate.

I think I agree that I would not like to make a normative statement here, given that the circumstances are not due to the protocol design itself but because of the current deployment situation we have (which in theory could change in future).

However, instead of making a clear recommendation to not every define a new extension header, I think I would prefer if the text was phrased in the a way that would make the risk clear, give a clear recommendation to rather use destination options if suitable, and then say nothing else.

Maybe you can work on some new text and then have a quick (?) check with the wg which text is preferred. If there is clear consensus for one way by the wg I will not further block this.

However, please see my next mail.

Mirja

P.S.: My understanding from the text above is that the new extension header will be dropped but not the whole packets. Is that right? Because in this case there are still ways for experimentation.


> 
> RFC 7045 was intended to nudge middlebox developers in the right
> direction, and similarly draft-ietf-opsec-ipv6-eh-filtering. But it's
> an uphill battle.
> 
>     Brian
>

v2.23.0 | Report a Bug | By Email