Re: [OPSEC] [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
Ole Troan <otroan@employees.org> Wed, 05 December 2018 18:58 UTC
Return-Path: <otroan@employees.org>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 723FE130E7B; Wed, 5 Dec 2018 10:58:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qh2Osdlk1a2K; Wed, 5 Dec 2018 10:58:13 -0800 (PST)
Received: from bugle.employees.org (accordion.employees.org [IPv6:2607:7c80:54:3::74]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0262F130E95; Wed, 5 Dec 2018 10:58:12 -0800 (PST)
Received: from [192.168.10.187] (30.51-175-112.customer.lyse.net [51.175.112.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bugle.employees.org (Postfix) with ESMTPSA id 14598FECC068; Wed, 5 Dec 2018 18:58:12 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (1.0)
From: Ole Troan <otroan@employees.org>
X-Mailer: iPhone Mail (16B92)
In-Reply-To: <20181205180855.GR1543@Space.Net>
Date: Wed, 05 Dec 2018 19:58:09 +0100
Cc: Joe Touch <touch@strayalpha.com>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org, Mark Andrews <marka@isc.org>, David Farmer <farmer@umn.edu>, OPSEC <opsec@ietf.org>, tsv-art <tsv-art@ietf.org>, IETF-Discussion Discussion <ietf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <D2075A3C-7A7F-448B-8D84-7D7C406AC05D@employees.org>
References: <CAN-Dau0go6_Puf0A9e7KBpk0ApJBUvcxYtezxnwNc-8pKJ3PwQ@mail.gmail.com> <4D69FA8E-FB8A-4A16-9CA6-690D8AE33C9E@strayalpha.com> <20181205122142.GJ1543@Space.Net> <F17C4944-09EC-4AAC-84A0-B660E36AAE89@strayalpha.com> <20181205133821.GL1543@Space.Net> <B6280E0C-6B20-43C1-BB34-170FB06F1EF7@strayalpha.com> <20181205135723.GN1543@Space.Net> <54C715AE-8931-4FA9-AA01-2311EB0055F0@employees.org> <20181205164558.GQ1543@Space.Net> <CCFEFC5B-53AE-4079-B64A-A72A71274FAD@employees.org> <20181205180855.GR1543@Space.Net>
To: Gert Doering <gert@space.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/cs1Rj__8Bu-j1t9YJ6ckskDWWjk>
Subject: Re: [OPSEC] [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2018 18:58:15 -0000
> On 5 Dec 2018, at 19:08, Gert Doering <gert@space.net> wrote: > > Hi, > >> On Wed, Dec 05, 2018 at 06:57:28PM +0100, Ole Troan wrote: >> You are creating the ???perceived??? security problem yourself, by requiring processing deeper into the packet than is required. >> Just comply with RFC8200. As long as a router is not configured to process any HBH options, it can ignore the header. >> You seem to think HBH still means ???punt to software???. If it ever meant that. >> >> There???s no need for rate-limiting for not processing HBH obviously. > > I *must* be able to look at the protocol field of packets coming in on > our borders (see detailed description on our rate-limiting rules in > another mail of today). If there are EHs in the way so our routers' > hardware cannot decide if this is a TCP or UDP packet, these packets > go down the drain. > > And I'm fairly sure you understand that operational reality, so I'm not > sure what point you are making. > > (It's not just HBH. EHs are fundamentally incompatible with today's > reality) My point is that if you are worried about the processing cost for routers of EHs and HBH specifically, then this “security” draft makes that much worse than what’s specified in rfc8200. Cheers Ole > > Gert Doering > -- NetMaster > -- > have you enabled IPv6 on something today...? > > SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer > Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann > D-80807 Muenchen HRB: 136055 (AG Muenchen) > Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
- [OPSEC] Tsvart last call review of draft-ietf-ops… Michael Scharf
- Re: [OPSEC] Tsvart last call review of draft-ietf… Joe Touch
- Re: [OPSEC] Tsvart last call review of draft-ietf… Brian E Carpenter
- Re: [OPSEC] Tsvart last call review of draft-ietf… Joe Touch
- Re: [OPSEC] Tsvart last call review of draft-ietf… Fernando Gont
- Re: [OPSEC] Tsvart last call review of draft-ietf… Fernando Gont
- Re: [OPSEC] Tsvart last call review of draft-ietf… Joe Touch
- Re: [OPSEC] Tsvart last call review of draft-ietf… Nick Hilliard
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Brian E Carpenter
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Christian Huitema
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Nick Hilliard
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Brian E Carpenter
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Christian Huitema
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Fernando Gont
- Re: [OPSEC] Tsvart last call review of draft-ietf… Fernando Gont
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] Tsvart last call review of draft-ietf… Joe Touch
- Re: [OPSEC] Tsvart last call review of draft-ietf… Eric Rescorla
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Ole Troan
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Benjamin Kaduk
- Re: [OPSEC] Tsvart last call review of draft-ietf… Mark Andrews
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Brian E Carpenter
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Nick Hilliard
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Stewart Bryant
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Stewart Bryant
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Stewart Bryant
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Christopher Morrow
- Re: [OPSEC] Tsvart last call review of draft-ietf… C. M. Heard
- Re: [OPSEC] Tsvart last call review of draft-ietf… Christopher Morrow
- Re: [OPSEC] Tsvart last call review of draft-ietf… Brian E Carpenter
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] Tsvart last call review of draft-ietf… Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Brian E Carpenter
- Re: [OPSEC] Tsvart last call review of draft-ietf… Brian E Carpenter
- Re: [OPSEC] Tsvart last call review of draft-ietf… Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] Tsvart last call review of draft-ietf… Christopher Morrow
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Christopher Morrow
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Brian E Carpenter
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Christopher Morrow
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Mark Andrews
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … David Farmer
- Re: [OPSEC] Tsvart last call review of draft-ietf… Gert Doering
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Nick Hilliard
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Nick Hilliard
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Nick Hilliard
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Stewart Bryant
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Ole Troan
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Nick Hilliard
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Nick Hilliard
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Randy Bush
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Ole Troan
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Stewart Bryant
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Ole Troan
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Christian Huitema
- [OPSEC] HbH flags [Tsvart last call review of dra… Brian E Carpenter
- Re: [OPSEC] HbH flags [Tsvart last call review of… Joe Touch
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Joe Touch
- Re: [OPSEC] HbH flags [Tsvart last call review of… Brian E Carpenter
- [OPSEC] game over, EH [Tsvart last call review of… Brian E Carpenter
- Re: [OPSEC] HbH flags [Tsvart last call review of… Joe Touch
- [OPSEC] ECMP [Tsvart last call review of draft-ie… Brian E Carpenter
- Re: [OPSEC] HbH flags [Tsvart last call review of… Brian E Carpenter
- Re: [OPSEC] game over, EH [Tsvart last call revie… Stephen Farrell
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Brian E Carpenter
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Fernando Gont
- Re: [OPSEC] game over, EH [Tsvart last call revie… Fernando Gont
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Fernando Gont
- Re: [OPSEC] HbH flags [Tsvart last call review of… Joe Touch
- Re: [OPSEC] HbH flags [Tsvart last call review of… Christopher Morrow
- Re: [OPSEC] HbH flags [Tsvart last call review of… Joe Touch
- Re: [OPSEC] HbH flags [Tsvart last call review of… Joe Touch
- Re: [OPSEC] HbH flags [Tsvart last call review of… Christopher Morrow
- Re: [OPSEC] HbH flags [Tsvart last call review of… Christopher Morrow
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [OPSEC] HbH flags [Tsvart last call review of… Gert Doering
- Re: [OPSEC] game over, EH [Tsvart last call revie… Gert Doering
- Re: [OPSEC] [Tsv-art] game over, EH [Tsvart last … Brian Trammell (IETF)
- Re: [OPSEC] game over, EH [Tsvart last call revie… Stewart Bryant
- Re: [OPSEC] ECMP [Tsvart last call review of draf… Stewart Bryant
- Re: [OPSEC] HbH flags [Tsvart last call review of… Ole Troan
- Re: [OPSEC] ECMP [Tsvart last call review of draf… Stewart Bryant
- Re: [OPSEC] ECMP [Tsvart last call review of draf… Ole Troan
- Re: [OPSEC] game over, EH [Tsvart last call revie… Stewart Bryant
- Re: [OPSEC] game over, EH [Tsvart last call revie… Gert Doering
- Re: [OPSEC] HbH flags [Tsvart last call review of… Stewart Bryant
- Re: [OPSEC] ECMP [Tsvart last call review of draf… Stewart Bryant
- Re: [OPSEC] game over, EH [Tsvart last call revie… Stewart Bryant
- Re: [OPSEC] ECMP [Tsvart last call review of draf… Gert Doering
- Re: [OPSEC] ECMP [Tsvart last call review of draf… Ole Troan
- Re: [OPSEC] [Tsv-art] game over, EH [Tsvart last … Spencer Dawkins at IETF
- Re: [OPSEC] HbH flags [Tsvart last call review of… Joe Touch
- Re: [OPSEC] HbH flags [Tsvart last call review of… Joe Touch
- Re: [OPSEC] HbH flags [Tsvart last call review of… Joe Touch
- Re: [OPSEC] HbH flags [Tsvart last call review of… Joe Touch
- Re: [OPSEC] HbH flags [Tsvart last call review of… Ole Troan
- Re: [OPSEC] HbH flags [Tsvart last call review of… Stewart Bryant
- Re: [OPSEC] HbH flags [Tsvart last call review of… Joe Touch
- Re: [OPSEC] ECMP [Tsvart last call review of draf… Fernando Gont
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Smith, Donald
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Nick Hilliard
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Ole Troan
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Fernando Gont
- Re: [OPSEC] game over, EH [Tsvart last call revie… C. M. Heard
- Re: [OPSEC] game over, EH [Tsvart last call revie… Jared Mauch
- Re: [OPSEC] [Tsv-art] game over, EH [Tsvart last … Jared Mauch
- Re: [OPSEC] game over, EH [Tsvart last call revie… C. M. Heard
- Re: [OPSEC] game over, EH [Tsvart last call revie… Smith, Donald
- Re: [OPSEC] game over, EH [Tsvart last call revie… Gert Doering
- Re: [OPSEC] game over, EH [Tsvart last call revie… Nico Williams
- Re: [OPSEC] ECMP [Tsvart last call review of draf… Brian E Carpenter
- Re: [OPSEC] ECMP [Tsvart last call review of draf… Nick Hilliard
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Brian E Carpenter
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Nick Hilliard
- Re: [OPSEC] ECMP [Tsvart last call review of draf… Brian E Carpenter
- Re: [OPSEC] [Tsv-art] game over, EH [Tsvart last … Eric Rescorla
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Jared Mauch
- Re: [OPSEC] ECMP [Tsvart last call review of draf… Fernando Gont
- Re: [OPSEC] [Tsv-art] game over, EH [Tsvart last … Christopher Morrow
- Re: [OPSEC] HbH flags [Tsvart last call review of… Christopher Morrow
- Re: [OPSEC] [Tsv-art] Tsvart last call review of … Gert Doering
- Re: [OPSEC] [Tsv-art] game over, EH [Tsvart last … Eric Rescorla
- Re: [OPSEC] [Tsv-art] game over, EH [Tsvart last … Jared Mauch
- Re: [OPSEC] [Tsv-art] game over, EH [Tsvart last … Eric Rescorla
- Re: [OPSEC] [Tsv-art] game over, EH [Tsvart last … Joe Touch
- Re: [OPSEC] HbH flags [Tsvart last call review of… Pete Resnick
- Re: [OPSEC] [Tsv-art] game over, EH [Tsvart last … Jared Mauch
- Re: [OPSEC] [Tsv-art] game over, EH [Tsvart last … Jared Mauch
- Re: [OPSEC] HbH flags [Tsvart last call review of… Jared Mauch
- Re: [OPSEC] [Tsv-art] game over, EH [Tsvart last … Joe Touch
- Re: [OPSEC] [Tsv-art] game over, EH [Tsvart last … Nico Williams
- [OPSEC] OT: TCP session lifetime - Re: [Tsv-art] … Jared Mauch
- Re: [OPSEC] OT: TCP session lifetime - Re: [Tsv-a… Nico Williams
- Re: [OPSEC] [Tsv-art] game over, EH [Tsvart last … Eric Rescorla
- Re: [OPSEC] OT: TCP session lifetime - Re: [Tsv-a… Gert Doering
- [OPSEC] Engaging constructively [HbH flags [Tsvar… Alissa Cooper
- Re: [OPSEC] ECMP [Tsvart last call review of draf… Wes Hardaker
- Re: [OPSEC] ECMP [Tsvart last call review of draf… Brian E Carpenter
- Re: [OPSEC] ECMP [Tsvart last call review of draf… Wes Hardaker
- Re: [OPSEC] ECMP [Tsvart last call review of draf… Fernando Gont