IETF Logo Mail Archive

Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)

Ted Lemon <Ted.Lemon@nominum.com> Tue, 10 February 2015 00:02 UTC

Return-Path: <Ted.Lemon@nominum.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 331881A87EE; Mon, 9 Feb 2015 16:02:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x3P0ei1GJwjP; Mon, 9 Feb 2015 16:02:52 -0800 (PST)
Received: from sjc1-mx02-inside.nominum.com (sjc1-mx02-inside.nominum.com [64.89.234.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80A311A6EE8; Mon, 9 Feb 2015 16:02:52 -0800 (PST)
Received: from archivist.nominum.com (archivist.nominum.com [64.89.228.108]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.nominum.com", Issuer "Go Daddy Secure Certificate Authority - G2" (verified OK)) by sjc1-mx02-inside.nominum.com (Postfix) with ESMTPS id 59D52DA028E; Tue, 10 Feb 2015 00:02:52 +0000 (UTC)
Received: from webmail.nominum.com (cas-03.win.nominum.com [64.89.235.66]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client CN "mail.nominum.com", Issuer "Go Daddy Secure Certificate Authority - G2" (verified OK)) by archivist.nominum.com (Postfix) with ESMTP id 2198C53E082; Mon, 9 Feb 2015 16:02:52 -0800 (PST)
Received: from vpna-188.vpn.nominum.com (64.89.227.188) by CAS-03.WIN.NOMINUM.COM (64.89.235.66) with Microsoft SMTP Server (TLS) id 14.3.224.2; Mon, 9 Feb 2015 16:02:51 -0800
Content-Type: text/plain; charset="windows-1252"
MIME-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Ted Lemon <Ted.Lemon@nominum.com>
In-Reply-To: <54D94764.7030509@si6networks.com>
Date: Mon, 09 Feb 2015 19:02:42 -0500
Content-Transfer-Encoding: quoted-printable
Message-ID: <757363AB-66DB-422C-99D0-BCE3A320AC55@nominum.com>
References: <20150207194616.20651.30892.idtracker@ietfa.amsl.com> <D97E8BB3-0DB3-4B41-8C91-DBB3121DCEF7@nominum.com> <Pine.LNX.4.64.1502081507150.24776@shell4.bayarea.net> <72C73500-E6C4-4D75-9CFA-8FE4B012AB9E@nominum.com> <7516AD5C-1152-4020-B050-FA0383B58DBA@viagenie.ca> <Pine.LNX.4.64.1502081734120.24776@shell4.bayarea.net> <97C8D14E-D440-4625-8F26-83AF26917CF2@nominum.com> <54D83E7F.3040207@gmail.com> <E478028B-8FFC-47B4-B12D-F0A32227A726@nominum.com> <54D83FCE.4070804@qti.qualcomm.com> <Pine.LNX.4.64.1502082137570.16054@shell4.bayarea.net> <96CE509D-3B6E-49B8-98F6-CB8581787D7E@nominum.com> <Pine.LNX.4.64.1502090708270.22936@shell4.bayarea.net> <174AA530-3993-4894-BCE7-2AE8818EB35E@nominum.com> <54D8F98D.1030101@si6networks.com> <B3474476-3FA1-484E-BAAD-E7A6474BA11C@nominum.com> <54D90EE5.2060002@gmail.com> <5C9CF492-A795-4023-BB91-28B1B52706E4@nominum.com> <54D92987.2080505@gmail.com> <CDA3CF60-BB2E-4F77-B325-B3057C01FBD1@nominum.com> <54D94764.7030509@si6networks.com>
To: Fernando Gont <fgont@si6networks.com>
X-Mailer: Apple Mail (2.1878.6)
X-Originating-IP: [64.89.227.188]
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/XjfwZWQBMroWKXvip-9pGBe6YW8>
Cc: "draft-ietf-opsec-dhcpv6-shield@ietf.org" <draft-ietf-opsec-dhcpv6-shield@ietf.org>, "C. M. Heard" <heard@pobox.com>, Pete Resnick <presnick@qti.qualcomm.com>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.ad@ietf.org" <draft-ietf-opsec-dhcpv6-shield.ad@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, The IESG <iesg@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Subject: Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Feb 2015 00:02:54 -0000

On Feb 9, 2015, at 6:48 PM, Fernando Gont <fgont@si6networks.com> wrote:
> You're essentially proposing a hack to fix a known protocol design flaw,
> instead of accepting the flaw, and allow DHCPv6-shield to comply with
> the existing specifications/requirements (RFC7045).

How is this a hack?   It correctly identifies all DHCPv6 packets.   The solution I've proposed is completely in compliance with RFC 7045.   If you want to argue that a solution is wrong, you should say what is wrong with it, not refer to it as a "hack" as if merely by calling it a "hack," you have somehow shown that it is not a good solution.

>  -- all this under the assumption that RFC6564 gets deployed. In which
> case you're essentially declaring "game over" for any new transport
> protocol.

Er, no, the point of this is to _not_ break new transport protocols.   RFC 7045 does not deprecate RFC 6564.   If you want to deprecate RFC 6564, please go do the work in the appropriate venue.   It's my understanding, however, that you already tried this, and did not get consensus to even adopt your proposal as a working group work item.

v2.23.0 | Report a Bug | By Email