Re: [OPSEC] Lars Eggert's No Objection on draft-ietf-opsec-ipv6-eh-filtering-08: (with COMMENT)
Fernando Gont <fernando@gont.com.ar> Mon, 31 January 2022 11:14 UTC
Return-Path: <fernando@gont.com.ar>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B33883A2CCE; Mon, 31 Jan 2022 03:14:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.714, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RbjU6NGxen3N; Mon, 31 Jan 2022 03:14:34 -0800 (PST)
Received: from fgont.go6lab.si (fgont.go6lab.si [IPv6:2001:67c:27e4::14]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A5983A2054; Mon, 31 Jan 2022 03:14:28 -0800 (PST)
Received: from [IPV6:2800:810:464:8944:f02a:56f8:a6ae:5c29] (unknown [IPv6:2800:810:464:8944:f02a:56f8:a6ae:5c29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 8A14B28082E; Mon, 31 Jan 2022 11:14:21 +0000 (UTC)
Message-ID: <992fdacd-0d7b-4391-2e86-1f4e48944aa5@gont.com.ar>
Date: Mon, 31 Jan 2022 08:14:14 -0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
Content-Language: en-US
To: Lars Eggert <lars@eggert.org>, The IESG <iesg@ietf.org>
Cc: draft-ietf-opsec-ipv6-eh-filtering@ietf.org, opsec-chairs@ietf.org, opsec@ietf.org, Éric Vyncke <evyncke@cisco.com>, fernando.gont@edgeuno.com
References: <162618040324.12999.8725328522603048781@ietfa.amsl.com>
From: Fernando Gont <fernando@gont.com.ar>
In-Reply-To: <162618040324.12999.8725328522603048781@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/rY0Qin5hHy6gOOOvnkWteqKpxMk>
Subject: Re: [OPSEC] Lars Eggert's No Objection on draft-ietf-opsec-ipv6-eh-filtering-08: (with COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Jan 2022 11:14:39 -0000
Hi, Lars, My apologies for the delay in my response. (Things have been a bit messy over here -- changed jobs, had covid, etc. .. but now getting back to "normal") In-line.... On 13/7/21 09:46, Lars Eggert via Datatracker wrote: [....] > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > This is mostly a personal style issue, but I find large parts of the document > hard to read, because of a myriad of very short (1-2 line) subsections, each > with their own repetitive section heading. FWIW, part of that is that the groups wanted that this document be useful as a reference for looking-up options, rather than something you´d read entirely. > Section 2.3. , paragraph 7, comment: >> We recommend that configuration options are made available to govern >> the processing of each IPv6 EH type and each IPv6 option type. Such >> configuration options should include the following possible settings: > > Out of curiosity, is there a reason a "strip option and forward packet" isn't > one of the options below? Yes: unless according to the traditional interpretation of RFC8200, that's forbidden. > Section 3.2. , paragraph 2, comment: >> In some device architectures, IPv6 packets that contain IPv6 EHs can >> cause the corresponding packets to be processed on the slow path, and >> hence may be leveraged for the purpose of Denial of Service (DoS) >> attacks [I-D.ietf-v6ops-ipv6-ehs-packet-drops] [Cisco-EH] >> [FW-Benchmark]. > > Do such device architectures really still exist in 2021? Yes. > The [Cisco-EH] > reference is from 2006, and the URL in [FW-Benchmark] does not seem to return > content. Fixed! > Section 3.4.1.2. , paragraph 2, comment: >> This EH is specified in [RFC8200]. At the time of this writing, the >> following options have been specified for the Hop-by-Hop Options EH: > > Wouldn't a pointer to the respective IANA registry suffice here, rather than a > list that is going to be inaccurate with time? At the end of the day, it would seem to me it would be the same: we list the options to subsequently analyze/discuss them. I guess we could remove "at the time of this writing", since thatś kind of implicit? > > Document has Informational status, but uses RFC2119 keywords. FWIW, it only quotes text with RFC2119 keywords, but doesn't really use RFC2119 keywords to introduce requirements or the like. -- anything to fix here? > > Found terminology that should be reviewed for inclusivity; see > https://www.rfc-editor.org/part2/#inclusive_language for background and more > guidance: > > * Term "his"; alternatives might be "they", "them", "their". Are these the instances in the Acks? > * Term "traditional"; alternatives might be "classic", "classical", > "common", "conventional", "customary", "fixed", "habitual", "historic", > "long-established", "popular", "prescribed", "regular", "rooted", > "time-honored", "universal", "widely used", "widespread". Fixed. > These URLs in the document did not return content: > * > http://www.ipv6hackers.org/meetings/ipv6-hackers-1/zack-ipv6hackers1-firewall-security-assessment-and-benchmarking.pdf Fixed! > > These URLs in the document can probably be converted to HTTPS: > * > http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.pdf > * http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml * > http://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml Fixed! Thanks! Regards, -- -- Fernando Gont e-mail: fernando@gont.com.ar PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
- [OPSEC] Lars Eggert's No Objection on draft-ietf-… Lars Eggert via Datatracker
- Re: [OPSEC] Lars Eggert's No Objection on draft-i… Fernando Gont