Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-filtering-06.txt> (Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers) to Informational RFC
Ole Troan <otroan@employees.org> Tue, 27 November 2018 08:28 UTC
Return-Path: <otroan@employees.org>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D405B12872C; Tue, 27 Nov 2018 00:28:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tWCS6VYpUUHj; Tue, 27 Nov 2018 00:28:15 -0800 (PST)
Received: from bugle.employees.org (accordion.employees.org [198.137.202.74]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B14B6130DE9; Tue, 27 Nov 2018 00:28:14 -0800 (PST)
Received: from astfgl.hanazo.no (77.16.223.47.tmi.telenormobil.no [77.16.223.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bugle.employees.org (Postfix) with ESMTPSA id A3C49FECBF17; Tue, 27 Nov 2018 08:28:12 +0000 (UTC)
Received: from [IPv6:::1] (localhost [IPv6:::1]) by astfgl.hanazo.no (Postfix) with ESMTP id 38483A527CC; Tue, 27 Nov 2018 09:28:07 +0100 (CET)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\))
From: Ole Troan <otroan@employees.org>
In-Reply-To: <65e96716-48d3-a26c-905a-a5e47deea683@si6networks.com>
Date: Tue, 27 Nov 2018 09:28:06 +0100
Cc: Bob Hinden <bob.hinden@gmail.com>, "C. M. Heard" <heard@pobox.com>, OPSEC <opsec@ietf.org>, IETF <ietf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <16F94EAB-CE40-4A4A-BAB3-4DDAC44980B0@employees.org>
References: <CACL_3VExxwN6z-WHbp3dcdLNV1JMVf=sgMVzh-k0shNJFeADbQ@mail.gmail.com> <BLUPR0501MB2051A8FFB1DAFDCA9873B9E6AE700@BLUPR0501MB2051.namprd05.prod.outlook.com> <CACL_3VFSHqU-D+NJu=k2-p4tbjZukT7i7WEoX+5kdUtdHB4Rjw@mail.gmail.com> <CACL_3VGk0CsHObEgSwLdCp8agOWrjccB94-aynEz3Bv0w+EU+w@mail.gmail.com> <475fe28a-aafe-d3b0-e665-fe97dd1439b8@foobar.org> <CACL_3VGHWW8fCDo8Q9br2fwXn5zBi+kN_5a1sOTX7m7QaU8iyg@mail.gmail.com> <3dc898de-6a18-4106-52fd-36cb8f60b19b@gmail.com> <f2784abe-d5b5-a556-3cfa-63481a7a8929@foobar.org> <CACL_3VGqhc-gFhbGJNm9XjZRXHpv9yZ3e4CurmT2P-VpQuVi3w@mail.gmail.com> <40f9b0b3-f9fd-fc09-dad1-3e575df791a3@si6networks.com> <CACL_3VHnUZwcG2=QbJ8HZf6nqiYv8qXxK8cOkuBmdX3QsKfPNg@mail.gmail.com> <12480906-A488-477E-BAE9-B7E22FD34060@gmail.com> <65e96716-48d3-a26c-905a-a5e47deea683@si6networks.com>
To: Fernando Gont <fgont@si6networks.com>
X-Mailer: Apple Mail (2.3445.101.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/DYqt8ulxK9vScHcnM-LN4cWkMoc>
Subject: Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-filtering-06.txt> (Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers) to Informational RFC
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Nov 2018 08:28:17 -0000
Fernando, et al, >> From reading the email thread, this sentence seems to me to be a good summary of the draft. > > Most of the content of this document is about analyzing the implications > of each EH and option, to help folks with the aforementioned analysis -- > regardless of what the outcome of scuh analysis is. OK, that’s good to hear. If that’s the case I would have liked to see more text on explaining the background, give reasons why filtering in the middle of the network is harmful (protocol extensions, ossification, violates Internet arc hitecture principles, packet parsing is costly, might required symmetric paths, etc). A very unfortunate consequence of this work, is that the IETF appears to send a message that routers in the Internet is now expected to parse deep into packets and perform filtering actions. That’s a big change of the Internet architecture, and our view of layering. A few comments on the actual advice: The HBH advice (3.4.1.5) is fine and reflects that I think. Likewise for the RH advice (3.4.2.5), FH (3.4.3.5) and DestOpt (3.4.6.5). * Protocol numbers 253/254 OLD: 3.4.10.5. Advice Intermediate systems should discard packets containing these EHs. Only in specific scenarios in which RFC3692-Style experiments are to be performed should these EHs be permitted. NEW: 3.4.10.5. Advice Intermediate systems should permit packets that contain these EHs. * New protocol types / extension headers OLD 3.5.5. Advice Intermediate systems should discard packets containing unknown IPv6 EHs. NEW: 3.5.5. Advice Intermediate systems should permit packets containing unknown IPv6 EHs. * MLD 4.3.7.5. Advice Intermediate systems should discard packets that contain this option. Only in specific environments where support for RSVP, multicast routing, or similar protocols is desired, should this option be permitted. Multicast is fundamental to the function of e.g. IPv6 ND. IPv6 links must generally be multicast capable. A recommendation of a blanket kill of MLD can’t be right. I don’t know how this recommendation should be formed, perhaps say something to separate MLD as used on-link with hop-limit = 1? Unknown options types: OLD: 4.4.5. Advice Enterprise intermediate systems that process the contents of IPv6 EHs should discard packets that contain unknown options. Other intermediate systems that process the contents of IPv6 EHs should permit packets that contain unknown options. NEW: 4.4.5. Advice Intermediate systems should not discard packets based on the presence of unknown options. Ole
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Brian E Carpenter
- [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-filteri… Van De Velde, Gunter (Nokia - BE/Antwerp)
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Joe Touch
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Ron Bonica
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Bob Hinden
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Brian E Carpenter
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… C. M. Heard
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Tim Chown
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Ron Bonica
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… Ron Bonica
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… Joe Touch
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… Brian E Carpenter
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… C. M. Heard
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… joel jaeggli
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… Ron Bonica
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… joel jaeggli
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Fernando Gont
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… Fernando Gont
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… Van De Velde, Gunter (Nokia - BE/Antwerp)
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Brian E Carpenter
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Fernando Gont
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Brian E Carpenter
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Nick Hilliard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Brian E Carpenter
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Nick Hilliard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Nick Hilliard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Fernando Gont
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Bob Hinden
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Nick Hilliard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Fernando Gont
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Ole Troan
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Nick Hilliard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Fernando Gont
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard