Re: [Status] Jari Arkko's BLOCK on charter-ietf-spring-00-06

Jari Arkko <jari.arkko@piuha.net> Fri, 11 October 2013 13:12 UTC

Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Jari Arkko <jari.arkko@piuha.net>
In-Reply-To: <5256E527.1030806@cisco.com>
Date: Fri, 11 Oct 2013 16:11:53 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <37FBE6FA-0ECE-478A-861A-FD4CC0A8FC74@piuha.net>
References: <525639F6.8010503@cisco.com> <201310101354.r9ADsib8019588@cichlid.raleigh.ibm.com> <70D84A40-EB41-4D70-983A-DE3EB9FFE876@piuha.net> <5256E527.1030806@cisco.com>
To: stbryant@cisco.com
Cc: Thomas Narten <narten@us.ibm.com>, "iesg@ietf.org" <iesg@ietf.org>, "status@ietf.org" <status@ietf.org>
Subject: Re: [Status] Jari Arkko's BLOCK on charter-ietf-spring-00-06
Precedence: list

After some off-line chatting, I have a proposal for text to be added to the charter:

There are a number of serious security concerns with source routing at the IP layer [RFC 5095].  As a part of its work, the working group will define the new IPv6-based routing header in way that blind attacks are never possible, i.e., attackers will be unable to send source routed packets that get successfully processed, without being part of the negations for setting up the source routes or being able to eavesdrop legitimate source routed packets. In some networks this base level security may be complemented with other mechanisms, such as packet filtering, cryptographic security, etc.

Would this work for people? FWIW from what I can tell, the above should be relatively easily doable, short cookies in headers, etc. It would remove my main concern of accidentally turned on devices becoming a security hole. It would also help deployment, as firewalls might otherwise default to blocking all kinds of routing headers.

Jari

[Status] Jari Arkko's BLOCK on charter-ietf-sprin… Stewart Bryant
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… Thomas Narten
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… Stewart Bryant
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… Jari Arkko
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… Stewart Bryant
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… Jari Arkko
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… joel jaeggli
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… Ted Lemon
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… Ted Lemon
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… Stefano Previdi (sprevidi)
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… Hannes Gredler
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… Stewart Bryant
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… Robert Raszuk
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… Hannes Gredler
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… Robert Raszuk
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… Jari Arkko
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… Stewart Bryant
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… joel jaeggli
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… Jari Arkko
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… Hannes Gredler
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… Hannes Gredler
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… Robert Raszuk
Re: [Status] Jari Arkko's BLOCK on charter-ietf-s… Stewart Bryant