IETF Logo Mail Archive

Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-filtering-06.txt> (Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers) to Informational RFC

Ole Troan <otroan@employees.org> Tue, 27 November 2018 08:28 UTC

Return-Path: <otroan@employees.org>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D405B12872C; Tue, 27 Nov 2018 00:28:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tWCS6VYpUUHj; Tue, 27 Nov 2018 00:28:15 -0800 (PST)
Received: from bugle.employees.org (accordion.employees.org [198.137.202.74]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B14B6130DE9; Tue, 27 Nov 2018 00:28:14 -0800 (PST)
Received: from astfgl.hanazo.no (77.16.223.47.tmi.telenormobil.no [77.16.223.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bugle.employees.org (Postfix) with ESMTPSA id A3C49FECBF17; Tue, 27 Nov 2018 08:28:12 +0000 (UTC)
Received: from [IPv6:::1] (localhost [IPv6:::1]) by astfgl.hanazo.no (Postfix) with ESMTP id 38483A527CC; Tue, 27 Nov 2018 09:28:07 +0100 (CET)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\))
From: Ole Troan <otroan@employees.org>
In-Reply-To: <65e96716-48d3-a26c-905a-a5e47deea683@si6networks.com>
Date: Tue, 27 Nov 2018 09:28:06 +0100
Cc: Bob Hinden <bob.hinden@gmail.com>, "C. M. Heard" <heard@pobox.com>, OPSEC <opsec@ietf.org>, IETF <ietf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <16F94EAB-CE40-4A4A-BAB3-4DDAC44980B0@employees.org>
References: <CACL_3VExxwN6z-WHbp3dcdLNV1JMVf=sgMVzh-k0shNJFeADbQ@mail.gmail.com> <BLUPR0501MB2051A8FFB1DAFDCA9873B9E6AE700@BLUPR0501MB2051.namprd05.prod.outlook.com> <CACL_3VFSHqU-D+NJu=k2-p4tbjZukT7i7WEoX+5kdUtdHB4Rjw@mail.gmail.com> <CACL_3VGk0CsHObEgSwLdCp8agOWrjccB94-aynEz3Bv0w+EU+w@mail.gmail.com> <475fe28a-aafe-d3b0-e665-fe97dd1439b8@foobar.org> <CACL_3VGHWW8fCDo8Q9br2fwXn5zBi+kN_5a1sOTX7m7QaU8iyg@mail.gmail.com> <3dc898de-6a18-4106-52fd-36cb8f60b19b@gmail.com> <f2784abe-d5b5-a556-3cfa-63481a7a8929@foobar.org> <CACL_3VGqhc-gFhbGJNm9XjZRXHpv9yZ3e4CurmT2P-VpQuVi3w@mail.gmail.com> <40f9b0b3-f9fd-fc09-dad1-3e575df791a3@si6networks.com> <CACL_3VHnUZwcG2=QbJ8HZf6nqiYv8qXxK8cOkuBmdX3QsKfPNg@mail.gmail.com> <12480906-A488-477E-BAE9-B7E22FD34060@gmail.com> <65e96716-48d3-a26c-905a-a5e47deea683@si6networks.com>
To: Fernando Gont <fgont@si6networks.com>
X-Mailer: Apple Mail (2.3445.101.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/DYqt8ulxK9vScHcnM-LN4cWkMoc>
Subject: Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-filtering-06.txt> (Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers) to Informational RFC
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Nov 2018 08:28:17 -0000

Fernando, et al,

>> From reading the email thread, this sentence seems to me to be a good summary of the draft.
> 
> Most of the content of this document is about analyzing the implications
> of each EH and option, to help folks with the aforementioned analysis --
> regardless of what the outcome of scuh analysis is.

OK, that’s good to hear.
If that’s the case I would have liked to see more text on explaining the background, give reasons why filtering in the middle of the network is harmful (protocol extensions, ossification, violates Internet arc hitecture principles, packet parsing is costly, might required symmetric paths, etc).

A very unfortunate consequence of this work, is that the IETF appears to send a message that routers in the Internet is now expected to parse deep into packets and perform filtering actions. That’s a big change of the Internet architecture, and our view of layering.

A few comments on the actual advice:

The HBH advice (3.4.1.5) is fine and reflects that I think.
Likewise for the RH advice (3.4.2.5),  FH (3.4.3.5) and DestOpt (3.4.6.5).

* Protocol numbers 253/254

OLD:
3.4.10.5.  Advice
   Intermediate systems should discard packets containing these EHs.
   Only in specific scenarios in which RFC3692-Style experiments are to
   be performed should these EHs be permitted.

NEW:
3.4.10.5.  Advice
   Intermediate systems should permit packets that contain these EHs.

* New protocol types / extension headers

OLD
3.5.5.  Advice
   Intermediate systems should discard packets containing unknown IPv6
   EHs.

NEW:
3.5.5.  Advice
   Intermediate systems should permit packets containing unknown IPv6
   EHs.


* MLD
4.3.7.5.  Advice
   Intermediate systems should discard packets that contain this option.
   Only in specific environments where support for RSVP, multicast
   routing, or similar protocols is desired, should this option be
   permitted.

Multicast is fundamental to the function of e.g. IPv6 ND. IPv6 links must generally be multicast capable.
A recommendation of a blanket kill of MLD can’t be right.
I don’t know how this recommendation should be formed, perhaps say something to separate MLD as used on-link with hop-limit = 1?

Unknown options types:

OLD:
4.4.5.  Advice
   Enterprise intermediate systems that process the contents of IPv6 EHs
   should discard packets that contain unknown options.  Other
   intermediate systems that process the contents of IPv6 EHs should
   permit packets that contain unknown options.

NEW:
4.4.5.  Advice
   Intermediate systems should not discard packets based on the presence
   of unknown options.



Ole

v2.23.0 | Report a Bug | By Email