[OPSEC] Robert Wilton's No Objection on draft-ietf-opsec-ipv6-eh-filtering-08: (with COMMENT)
Robert Wilton via Datatracker <noreply@ietf.org> Wed, 14 July 2021 14:21 UTC
From: Robert Wilton via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-opsec-ipv6-eh-filtering@ietf.org, opsec-chairs@ietf.org, opsec@ietf.org, Éric Vyncke <evyncke@cisco.com>, evyncke@cisco.com
Reply-To: Robert Wilton <rwilton@cisco.com>
Message-ID: <162627246688.2550.633739475665083091@ietfa.amsl.com>
Date: Wed, 14 Jul 2021 07:21:07 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/IeZFw0CZP2H8URypIbQAELIf4us>
Subject: [OPSEC] Robert Wilton's No Objection on draft-ietf-opsec-ipv6-eh-filtering-08: (with COMMENT)

Robert Wilton has entered the following ballot position for
draft-ietf-opsec-ipv6-eh-filtering-08: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-opsec-ipv6-eh-filtering/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Hi,

Thanks for this document, it is useful to try and tame how SPs are filtering
IPv6 extension headers.

However, I did find some of this document somewhat surprising in the context of
RFC 8200, and this is perhaps just my naivety on how it is actually deployed:

My reading on RFC 8200 extension headers can be summarized as:
 - Hop by hop options default to being off unless you enable them.
 - Other extension headers only have relevance once the packet reaches the
   destination node, and hence I would have thought that all transit nodes
   should by default just ignore them.

Given that this document is specifically only for transit nodes where the
packets are not destined to them, I was expecting a summary along the lines of:
 - Ignore hop by hop options unless the protocols in the transmit domain are
   making use of them.
 - Allow, and ignore, all other extension headers. Maybe filter RH types 0 and
   1 because they should not be used, but even this processing could be left
   until the destination node.

My slight fear with the current draft is that it makes this all seem very
complicated and protocol specific which possibly might encourage ISPs to just
drop all packets using EHs.

Regards,
Rob
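The transit-node behaviour summarized in the comment above, written out as an added Python example that is not part of the original message or of the draft. The names `walk_eh_chain`, `transit_verdict`, `hbh_in_use`, `filter_old_rh` and `sample_packet` are hypothetical, the packets are constructed test input, and ending the walk silently on a truncated chain is an assumption.

```python
import struct

HBH, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 43, 44, 51, 60
EXT_HEADERS = {HBH, ROUTING, FRAGMENT, AH, DSTOPTS, 135, 139, 140}  # + Mobility, HIP, Shim6
OLD_RH_TYPES = {0, 1}  # routing header types the comment says should not be used


def walk_eh_chain(packet):
    """Yield (header_number, header_bytes) for each extension header of an IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = packet[6], 40
    # Assumption: a truncated chain simply ends the walk (ESP, 50, also ends it).
    while nh in EXT_HEADERS and off + 8 <= len(packet):
        if nh == FRAGMENT:
            size = 8
        elif nh == AH:
            size = (packet[off + 1] + 2) * 4  # AH length is in 4-octet units, minus 2
        else:
            size = (packet[off + 1] + 1) * 8  # 8-octet units, first 8 octets not counted
        hdr = packet[off:off + size]
        yield nh, hdr
        if nh == FRAGMENT and struct.unpack("!H", hdr[2:4])[0] >> 3:
            return  # non-first fragment: what follows is payload, not another header
        nh, off = hdr[0], off + size


def transit_verdict(packet, hbh_in_use=False, filter_old_rh=True):
    """Return (action, process_hbh) for a packet that is not addressed to this node."""
    process_hbh = False
    for nh, hdr in walk_eh_chain(packet):
        if nh == HBH:
            process_hbh = hbh_in_use  # ignored unless the transit domain uses HBH options
        elif nh == ROUTING and filter_old_rh and hdr[2] in OLD_RH_TYPES:
            return "drop", process_hbh
        # every other extension header is left for the destination node
    return "forward", process_hbh


def sample_packet(chain, upper=59, payload=b""):
    """Constructed test input: chain is [(header_number, header bytes with byte 0 unused)]."""
    numbers = [n for n, _ in chain] + [upper]
    body = b"".join(bytes([numbers[i + 1]]) + h[1:] for i, (_, h) in enumerate(chain))
    body += payload
    fixed = struct.pack("!IHBB", 6 << 28, len(body), numbers[0], 64) + bytes(32)
    return fixed + body
```

Setting `filter_old_rh=False` gives the variant in which even RH types 0 and 1 are left to the destination node.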