[OPSEC] Erik Kline's No Objection on draft-ietf-opsec-ipv6-eh-filtering-08: (with COMMENT)
Erik Kline via Datatracker <noreply@ietf.org> Thu, 01 July 2021 05:03 UTC
Erik Kline has entered the following ballot position for
draft-ietf-opsec-ipv6-eh-filtering-08: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-opsec-ipv6-eh-filtering/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

[S1] [nit]

* "some of the measured packet drops be the result" ->
  "some of the measured packet drops are the result", I think

[S2.3] [comment]

* "o Discard (and log) packets containing" -> "o Drop (and log) packets containing"
  since the subsequent bullet is about "Reject", and discard is defined to mean either drop or reject... I think it only makes sense that this bullet be about dropping a packet.

* "Ignore this IPv6 EH or option type ... and forward the packet"
  I think this might want to say "process the packet according to rules for the remaining headers" or something, rather than just "forward the packet". Basically, if the packet would, for example, match some other firewall deny rule based on its transport header, that behaviour should be applied in this particular case where the IPv6 EH/option is configured to be ignored (rather than just saying "and forward the packet").

[S4.3.9.4] [comment]

* It seems fairly clear from RFC 5570 Security Considerations that a CALIPSO option is best protected with an AH, and in such cases stripping the CALIPSO option would cause the packet to fail validation at the (suitably configured) destination.

  Similarly, it might be good to note in S4.3.9.5 that if an AH is present presumably the advice from S3.4.5.5 applies.
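As an added illustration of the S2.3 point (this is not code from the ballot, the draft or any vendor filter), the Python below models an IPv6 extension-header filtering policy in which "ignore" means the remaining headers, transport header included, are still evaluated rather than the packet being forwarded outright. The policy table, the transport rule and the sample packets are constructed for this example.

```python
import struct

# IPv6 next-header values (IANA protocol numbers) used by this constructed example.
HOPOPT, TCP, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 6, 43, 44, 51, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS}

def eh_chain(payload, first_nh):
    """Yield (next_header, bytes) per EH after the fixed IPv6 header, then the upper-layer header."""
    nh, off = first_nh, 0
    while nh in EXT_HEADERS:
        if nh == FRAGMENT:          # RFC 8200: fixed 8 bytes
            size = 8
        elif nh == AH:              # RFC 4302: length in 32-bit words, minus 2
            size = (payload[off + 1] + 2) * 4
        else:                       # RFC 8200: length in 8-octet units, not counting the first
            size = (payload[off + 1] + 1) * 8
        yield nh, payload[off:off + size]
        nh, off = payload[off], off + size
    yield nh, payload[off:]

def classify(payload, first_nh, eh_policy, transport_rule):
    """Return 'drop', 'reject' or 'forward'. eh_policy maps EH type -> 'drop'|'reject'|'ignore';
    'ignore' is not 'forward': the rest of the chain, transport header included, is still evaluated."""
    for nh, hdr in eh_chain(payload, first_nh):
        if nh in eh_policy and eh_policy[nh] != "ignore":
            return eh_policy[nh]
        if nh in EXT_HEADERS:
            continue                # ignored or unlisted EH: keep walking the chain
        return transport_rule(nh, hdr)

def transport_rule(nh, hdr):
    """Constructed transport rule: deny TCP to port 23, allow everything else."""
    if nh == TCP and len(hdr) >= 4 and struct.unpack("!HH", hdr[:4])[1] == 23:
        return "drop"
    return "forward"

# Constructed sample policy and packet builders (bytes following the fixed IPv6 header).
POLICY = {HOPOPT: "drop", ROUTING: "reject", DSTOPTS: "ignore"}

def tcp_syn(dport):
    return struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 0xFFFF, 0, 0)

def dstopts_then_tcp(dport):
    # Destination Options EH: next header TCP, hdr ext len 0, one PadN(4) option.
    return bytes([TCP, 0, 1, 4, 0, 0, 0, 0]) + tcp_syn(dport)

def hbh_then_dstopts_then_tcp(dport):
    # Hop-by-Hop EH in front of the packet above; the policy drops it before the TCP rule runs.
    return bytes([DSTOPTS, 0, 1, 4, 0, 0, 0, 0]) + dstopts_then_tcp(dport)
```

With the ignored Destination Options header in front, a SYN to port 23 is still dropped by the transport rule, while one to port 443 is forwarded.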