Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-filtering-06.txt> (Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers) to Informational RFC
Nick Hilliard <nick@foobar.org> Sat, 24 November 2018 20:44 UTC
Return-Path: <nick@foobar.org>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7956E12E7C1; Sat, 24 Nov 2018 12:44:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LQ7HU-wyVSQC; Sat, 24 Nov 2018 12:44:10 -0800 (PST)
Received: from mail.netability.ie (mail.netability.ie [IPv6:2a03:8900:0:100::5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 305CA12426E; Sat, 24 Nov 2018 12:44:09 -0800 (PST)
X-Envelope-To: ietf@ietf.org
Received: from crumpet.local (089-101-070074.ntlworld.ie [89.101.70.74] (may be forged)) (authenticated bits=0) by mail.netability.ie (8.15.2/8.15.2) with ESMTPSA id wAOKi777095380 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 24 Nov 2018 20:44:07 GMT (envelope-from nick@foobar.org)
X-Authentication-Warning: cheesecake.ibn.ie: Host 089-101-070074.ntlworld.ie [89.101.70.74] (may be forged) claimed to be crumpet.local
To: "C. M. Heard" <heard@pobox.com>
Cc: IETF <ietf@ietf.org>, OPSEC <opsec@ietf.org>
References: <CACL_3VExxwN6z-WHbp3dcdLNV1JMVf=sgMVzh-k0shNJFeADbQ@mail.gmail.com> <BLUPR0501MB2051A8FFB1DAFDCA9873B9E6AE700@BLUPR0501MB2051.namprd05.prod.outlook.com> <CACL_3VFSHqU-D+NJu=k2-p4tbjZukT7i7WEoX+5kdUtdHB4Rjw@mail.gmail.com> <CACL_3VGk0CsHObEgSwLdCp8agOWrjccB94-aynEz3Bv0w+EU+w@mail.gmail.com> <475fe28a-aafe-d3b0-e665-fe97dd1439b8@foobar.org> <CACL_3VGHWW8fCDo8Q9br2fwXn5zBi+kN_5a1sOTX7m7QaU8iyg@mail.gmail.com>
From: Nick Hilliard <nick@foobar.org>
Message-ID: <84ee1f5f-f88e-8288-58fa-b820624b57e7@foobar.org>
Date: Sat, 24 Nov 2018 20:44:06 +0000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:52.0) Gecko/20100101 PostboxApp/6.1.5
MIME-Version: 1.0
In-Reply-To: <CACL_3VGHWW8fCDo8Q9br2fwXn5zBi+kN_5a1sOTX7m7QaU8iyg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/2GWqpieLrbDOf3FMpLtsEg9h52c>
Subject: Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-filtering-06.txt> (Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers) to Informational RFC
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Nov 2018 20:44:13 -0000
C. M. Heard wrote on 24/11/2018 16:14: > On Sat, Nov 24, 2018 at 7:37 AM Nick Hilliard <nick@foobar.org> wrote: >> C. M. Heard wrote on 23/11/2018 16:20: >> transit operators would generally take the view that any data-plane >> packet which needs to be put through a slow path will be rate limited up >> to 100% loss. We can argue endlessly at the IETF about the pros and >> cons of this from a protocol development and management point of view >> but at the end of the day, transit operators have networks to run, and >> there is a jarring disparity between data-plane forwarding speed and >> control-plane processing capacity. If you expect one to bleed into the >> other, something needs to give. This is often going to be >> silicon-specific; what is slow-pathed on one platform may not be >> slow-pathed on another, so generalised statements are difficult in this >> situation. > > It's not clear to me what that has to do with the specific comments > that I made (and that you elided). I would understand if I had brought > up handling of, say, HbH options rather than default drop policies for > unknown (and experimental) header types. Perhaps you could clarify. hm yes, it was a bit obtuse. What I was trying to get at (and completely failed to achieve) was: 1. that EHs are largely unusable anyway, so if this draft makes some types slightly more unusable, that isn't going to make much of a practical difference. RFC7872 suggests failure rates of ~30% - 50% for fragment headers. Once you're in this territory, nothing you can do will make things any worse. 2. transit operators don't like filtering stuff. They will filter traffic if and only if that traffic is a nuisance or forms a threat to the operation of their networks, and: > My primary objection is to the advice that says discard unknown > EHs and upper-layer protocols by default. That advice needs to > be more nuanced -- as is the advice for unknown option types > given in Sec. 4.4.5, I see no reason why these cases should > get different advice. ...3. Any recommendation that the IETF makes in this area may, or may not, be taken as input into a decision machine, the result of which will be to filter, or rate limit, or to forward. From this perspective, the documentation needs to observe and make suggestions. Nick
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Brian E Carpenter
- [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-filteri… Van De Velde, Gunter (Nokia - BE/Antwerp)
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Joe Touch
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Ron Bonica
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Bob Hinden
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Brian E Carpenter
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… C. M. Heard
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Tim Chown
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Ron Bonica
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… Ron Bonica
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… Joe Touch
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… Brian E Carpenter
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… C. M. Heard
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… joel jaeggli
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… Ron Bonica
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… joel jaeggli
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Fernando Gont
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… Fernando Gont
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… Van De Velde, Gunter (Nokia - BE/Antwerp)
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Brian E Carpenter
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Fernando Gont
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Brian E Carpenter
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Nick Hilliard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Brian E Carpenter
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Nick Hilliard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Nick Hilliard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Fernando Gont
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Bob Hinden
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Nick Hilliard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Fernando Gont
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Ole Troan
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Nick Hilliard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Fernando Gont
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard