IETF Logo Mail Archive

Re: I-D Action:draft-ietf-6man-exthdr-01.txt

"Joel M. Halpern" <jmh@joelhalpern.com> Mon, 03 January 2011 21:51 UTC

Return-Path: <jmh@joelhalpern.com>
X-Original-To: ipv6@core3.amsl.com
Delivered-To: ipv6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7DC9E3A6C8E for <ipv6@core3.amsl.com>; Mon, 3 Jan 2011 13:51:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.36
X-Spam-Level:
X-Spam-Status: No, score=-102.36 tagged_above=-999 required=5 tests=[AWL=-0.095, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AU-FTf8+t+-q for <ipv6@core3.amsl.com>; Mon, 3 Jan 2011 13:51:29 -0800 (PST)
Received: from morbo.mail.tigertech.net (morbo.mail.tigertech.net [67.131.251.54]) by core3.amsl.com (Postfix) with ESMTP id 3AFB93A6C8D for <ipv6@ietf.org>; Mon, 3 Jan 2011 13:51:29 -0800 (PST)
Received: from hgblob.mail.tigertech.net (hgblob.mail.tigertech.net [64.62.209.71]) by morbo.tigertech.net (Postfix) with ESMTP id 16914A6F6F for <ipv6@ietf.org>; Mon, 3 Jan 2011 13:53:36 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hgblob.tigertech.net (Postfix) with ESMTP id 065423228BE9 for <ipv6@ietf.org>; Mon, 3 Jan 2011 13:53:26 -0800 (PST)
X-Virus-Scanned: Debian amavisd-new at hgblob.tigertech.net
Received: from [10.10.10.101] (pool-71-161-50-147.clppva.btas.verizon.net [71.161.50.147]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by hgblob.tigertech.net (Postfix) with ESMTPSA id 730543244781 for <ipv6@ietf.org>; Mon, 3 Jan 2011 13:53:25 -0800 (PST)
Message-ID: <4D224550.5080808@joelhalpern.com>
Date: Mon, 03 Jan 2011 16:53:20 -0500
From: "Joel M. Halpern" <jmh@joelhalpern.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101207 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: "ipv6@ietf.org" <ipv6@ietf.org>
Subject: Re: I-D Action:draft-ietf-6man-exthdr-01.txt
References: <20101217234501.11691.81147.idtracker@localhost> <AANLkTi=Lr_4zOd=-DrAxic_t_o0MvyOoWPYmiktZZod2@mail.gmail.com> <63416880-97B6-4CE4-864A-1402DA977B5F@tony.li> <AA183326-2E70-4A23-83A7-9F96131ADFF4@tony.li> <4D113364.3050105@ericsson.com> <201101032040.p03KeE86005244@cichlid.raleigh.ibm.com> <4D223EC0.7020906@gmail.com> <4D2242E9.8040804@gont.com.ar>
In-Reply-To: <4D2242E9.8040804@gont.com.ar>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jan 2011 21:51:31 -0000

If we take the view that a firewall will block anything it does not 
know, without question or limit, then
1) We have no way to extend our basic protocols that will pass through 
firewalls (we have to tunnel / encapsulate)
2) you are correct that this document does not help.

Also, if we assume that no one will ever define any new extension 
headers, then this work does not matter.

(If we want that prohibition to be the case, we should say so, and 
remove the hook for new extension headers that was left in 2460.)

On the other hand, if we think that there will be new extension headers, 
and we think that firewalls block things if they can not find enough 
information to allow them through, then it can be helpful if the 
firewalls (and other devices) can parse pass these new extensions 
without knowing them.  (Remember, these are for end-point consumption only.)

It seems to me a disservice to simultaneously let people use new 
extension headers and not give them a way to use them that can be parsed 
past by the common devices that could easily want to do such parsing.

My own preference would probably be to say that all end-to-end IP 
information should be in the destination options.  But if we do not want 
to go there, then we should own up to the implications thereof.  (In 
particular, there might be corner cases that can't use destination 
options.  We should tell people to use destination options first.  And 
tell them what to do if they can't.)

Yours,
Joel

On 1/3/2011 4:43 PM, Fernando Gont wrote:
> On 03/01/2011 06:25 p.m., Brian E Carpenter wrote:
>
>> The basic motivation for the present draft is clear:
>>
>>>     However,
>>>     some intermediate nodes such as firewalls, may need to look at the
>>>     transport layer header fields in order to make a decision to allow or
>>>     deny the packet.
>>
>> That is, help middleboxes to violate e2e transparency and, furthermore,
>> allow unknown headers to cross those middleboxes.
>
> I don't think this I-D will make a difference.
>
>> From the POV of a firewall, unless it really wants a packet to
> pass-through, it will block it.
>
> So, whether the Extension Header is unknown, or whether
> draft-ietf-6man-exthdr-01.txt is implemented and the Specific type is
> unknown will lead to the same result: the packet will be discarded.
>
> This proposal would only be useful to firewalls that implement a
> "default allow", and that simply want to somehow ignore an unknown
> extension header and base their decision on the upper-layer protocol
> (only). -- But we all know that firewalls operate (or should operate) in
> "default deny" rather than "default allow".
>
> So IMHO this proposal won't be useful for such firewalls.
>
> Thanks,

v2.23.0 | Report a Bug | By Email