Re: [secdir] secdir review of draft-ietf-6man-oversized-header-chain-08

Fernando Gont <fgont@si6networks.com> Wed, 16 October 2013 22:12 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B71611E82ED; Wed, 16 Oct 2013 15:12:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.682
X-Spam-Level:
X-Spam-Status: No, score=-2.682 tagged_above=-999 required=5 tests=[AWL=-0.083, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DCC9M7tmDI4R; Wed, 16 Oct 2013 15:12:28 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:d10:2000:e::3]) by ietfa.amsl.com (Postfix) with ESMTP id 9118C11E82F2; Wed, 16 Oct 2013 15:12:24 -0700 (PDT)
Received: from 17-153-16-190.fibertel.com.ar ([190.16.153.17] helo=[192.168.1.166]) by web01.jbserver.net with esmtpsa (TLSv1:DHE-RSA-CAMELLIA256-SHA:256) (Exim 4.80.1) (envelope-from <fgont@si6networks.com>) id 1VWZKE-0001IY-4L; Thu, 17 Oct 2013 00:12:21 +0200
Message-ID: <525F0F35.9010706@si6networks.com>
Date: Wed, 16 Oct 2013 19:12:05 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0
MIME-Version: 1.0
To: Tobias Gondrom <tobias.gondrom@gondrom.org>, secdir@ietf.org, iesg@ietf.org, draft-ietf-6man-oversized-header-chain.all@tools.ietf.org
References: <51D41722.8080900@gondrom.org> <525F0063.202@gondrom.org>
In-Reply-To: <525F0063.202@gondrom.org>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [secdir] secdir review of draft-ietf-6man-oversized-header-chain-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Oct 2013 22:12:28 -0000

Hi, Tobias,

Thanks so much for your review! -- Please find my comments in-line...

On 10/16/2013 06:08 PM, Tobias Gondrom wrote:
> 1. A question, less from a security, but interoperability perspective:
> is there any deplyoment data on any potential backwards compatibility
> issues with current IPv6 deployments? Namely are there noteworthy
> deployments with large IPv6 header chains beyond the first fragment
> currently in deployment?

No.


> 2. section 5 third paragraph:
> I wonder whether we should be more strict and replace the "MAY" with a
> "SHOULD"?
> This would make intermediate behavior consistent with the host from the
> previous paragraph and should avoid inconsistencies within the network
> topology?

IIRC, the "intermmediate systems MAY drop" is so that intermmediate
systems are not required to process the entire header chain. -- i.e.:
"If you want to drop such packets, you're free to... but we don't
require e.g. routers to process the entire IPv6 header chain to find
whether the entire header chain is present and then decide whether to
drop or not".

OTOH, the "MAY send an ICMPv6 error message" could be changed to "if you
drop, you SHOULD send an ICMPv6 error message", I guess.

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492