Re: [OPSEC] (no subject)

"Scharf, Michael" <Michael.Scharf@hs-esslingen.de> Sat, 24 November 2018 20:46 UTC

From: "Scharf, Michael" <Michael.Scharf@hs-esslingen.de>
To: "C. M. Heard" <heard@pobox.com>
CC: TSV-ART <tsv-art@ietf.org>, OPSEC <opsec@ietf.org>, IETF <ietf@ietf.org>, "draft-ietf-opsec-ipv6-eh-filtering@ietf.org" <draft-ietf-opsec-ipv6-eh-filtering@ietf.org>
Date: Sat, 24 Nov 2018 20:46:37 +0000
Message-ID: <6EC6417807D9754DA64F3087E2E2E03E2D172160@rznt8114.rznt.rzdir.fht-esslingen.de>
References: <CACL_3VGBOP7YkVuuoE_kWebVMh73XFEGgO1HXZod_Dv1La4b3w@mail.gmail.com>
In-Reply-To: <CACL_3VGBOP7YkVuuoE_kWebVMh73XFEGgO1HXZod_Dv1La4b3w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/FLe5rU8ZZKnOXbZRjJ7MBLmDGjg>

> > Reviewer: Michael Scharf
> > Review result: Ready
> >
> > This document has been reviewed as part of the transport area review team's
> > ongoing effort to review key IETF documents. These comments were written
> > primarily for the transport area directors, but are copied to the document's
> > authors and WG to allow them to address any issues raised and also to the IETF
> > discussion list for information.
> >
> > When done at the time of IETF Last Call, the authors should consider this
> > review as part of the last-call comments they receive. Please
> > always CC tsv-art at ietf.org if you reply to or forward this review.
> >
> > I have reviewed draft-ietf-opsec-ipv6-eh-filtering-06. There are no apparent
> > transport issues. The proposed filtering could slow down the deployment of
> > experimental protocols that use IPv6 options, but the tradeoffs are explained
> > in the document.
> 
> Did you notice that Section 3.5.5 advises discarding IPv6 packets whose Next
> Header value is unknown -- i.e., IPv6 packets with unknown EHs **or** unknown
> transport protocols?  Even for an IPv6 core router in the open Internet?

Given the widespread deployment of NAT/NAPT and firewalls, which will typically drop packets with unknown transport protocols by default (AFAICT), I have doubts that implementing the suggested policy in IPv6 core routers changes the overall situation significantly.

Unfortunately, the reality is that it is today challenging to deploy new transport protocols in the Internet, no matter what this informational document writes.

> If not, would that fact change your assessment of this document?

I should perhaps have better highlighted the impact on unknown transport protocols. Yet, the real-world impact on transport protocols is IMHO small.

As a side note, if the document were headed for BCP, I would be more concerned.

> As I noted in my own last call comments, I think that a more nuanced approach
> is called for (e.g., as set forth in Section 4.4.5 for unknown option values).

I will not disagree with using a more nuanced approach.

Michael
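
The point under discussion, that a router looking at an unrecognised Next Header value cannot tell an unknown extension header from an unknown transport protocol and that a blanket "discard unknown Next Header" rule therefore also discards new transports, can be made concrete. The following is an added example written for this thread; it is not code from the draft, from the reviewer or from any router implementation. It walks the IPv6 header chain as laid out in RFC 8200, uses the RFC 3692 experimental protocol number 253 as a stand-in for a hypothetical new transport, and compares two toy policies that are my own assumptions: one drops anything it does not recognise (the reading of Section 3.5.5 questioned above), the other drops only chains it cannot parse. The sample packets are constructed inline, not captured traffic.

```python
"""Walk an IPv6 extension-header chain and compare two filtering policies.

Added example for this thread, not code from the draft or from a vendor.
Assumptions not stated in the thread: RFC 8200 header layouts, protocol
number 253 (RFC 3692 experimental) standing in for a new transport, and the
two toy policies defined below.
"""
import ipaddress
import struct
from typing import List, Optional, Tuple

# Extension headers a router can step over (RFC 8200 section 4).  ESP is
# deliberately absent: its payload is opaque, so the chain ends at it.
EXT_HEADERS = {0: "HOPOPT", 43: "IPv6-Route", 44: "IPv6-Frag", 51: "AH",
               60: "IPv6-Opts", 135: "Mobility", 139: "HIP", 140: "Shim6"}
# Upper-layer protocols the toy filter recognises (assumed allow-list).
KNOWN_UPPER = {6: "TCP", 17: "UDP", 50: "ESP", 58: "ICMPv6", 59: "NoNxt",
               132: "SCTP"}
EXPERIMENTAL = 253  # RFC 3692 experimental number; assumed "new transport"


def walk_chain(pkt: bytes) -> Tuple[List[str], int]:
    """Return (names of EHs traversed, final Next Header value).

    Raises ValueError when a header claims more bytes than the packet has.
    The walk stops at the first value that is not a known EH; from the
    router's point of view an unknown EH and an unknown transport look
    identical at that point.
    """
    if len(pkt) < 40:
        raise ValueError("short IPv6 header")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        chain.append(EXT_HEADERS[nh])
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == 44:                      # Fragment header: fixed 8 octets
            hlen = 8
        elif nh == 51:                    # AH: Payload Len in 4-octet units, minus 2
            hlen = (pkt[off + 1] + 2) * 4
        else:                             # Hdr Ext Len in 8-octet units, excl. first 8
            hlen = (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            raise ValueError("extension header overruns packet")
        nh, off = pkt[off], off + hlen
    return chain, nh


def policy_drop_unknown_nh(pkt: bytes) -> str:
    """Blanket rule (assumed): drop anything whose final Next Header is not a
    recognised upper-layer protocol.  A new transport and an unknown EH fare
    alike, which is the concern raised in the thread."""
    try:
        _, final = walk_chain(pkt)
    except ValueError:
        return "drop"
    return "permit" if final in KNOWN_UPPER else "drop"


def policy_permit_unknown_upper(pkt: bytes) -> str:
    """Nuanced rule (assumed): drop only chains that cannot be parsed; an
    unrecognised value at the end of a well-formed chain is forwarded."""
    try:
        walk_chain(pkt)
    except ValueError:
        return "drop"
    return "permit"


def evaluate(pkt: bytes) -> Tuple[str, str]:
    """Verdict of (blanket policy, nuanced policy) for one packet."""
    return policy_drop_unknown_nh(pkt), policy_permit_unknown_upper(pkt)


# --- constructed sample packets (documentation prefix, not captured) -------
SRC = ipaddress.ip_address("2001:db8::1").packed
DST = ipaddress.ip_address("2001:db8::2").packed


def ipv6(next_header: int, payload: bytes) -> bytes:
    """Fixed IPv6 header (version 6, hop limit 64) followed by payload."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + SRC + DST + payload


def ext_header(next_header: int, body: bytes, ext_len: Optional[int] = None) -> bytes:
    """Generic EH: Next Header, Hdr Ext Len, body padded to a multiple of 8.
    ext_len lets a sample forge a bogus length field."""
    body = body.ljust(8 * ((len(body) + 2 + 7) // 8) - 2, b"\x00")
    hdr_len = ext_len if ext_len is not None else (len(body) + 2) // 8 - 1
    return struct.pack("!BB", next_header, hdr_len) + body


PADN4 = b"\x01\x04\x00\x00\x00\x00"  # PadN option filling the 6 spare octets

PKT_TCP = ipv6(6, bytes(20))                                              # plain TCP
PKT_OPTS_UDP = ipv6(0, ext_header(60, PADN4) + ext_header(17, PADN4) + bytes(8))
PKT_OPTS_EXP = ipv6(60, ext_header(EXPERIMENTAL, PADN4) + b"new transport")
PKT_OVERRUN = ipv6(60, ext_header(17, PADN4, ext_len=5) + bytes(8))       # bogus length
```

Calling `evaluate(PKT_OPTS_EXP)` returns `("drop", "permit")`: the well-formed Destination Options header is stepped over, the walk stops at 253, and the blanket rule discards the packet while the nuanced rule forwards it. Both rules drop `PKT_OVERRUN`, whose Hdr Ext Len points past the end of the packet, and both permit the TCP and UDP samples. Note that `walk_chain` cannot look past value 253 even if a hypothetical extension header followed it, so the two packet types are genuinely indistinguishable to the filter.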