Re: [Status] Jari Arkko's BLOCK on charter-ietf-spring-00-06

Hannes Gredler <hannes@juniper.net> Fri, 11 October 2013 19:41 UTC

From: Hannes Gredler <hannes@juniper.net>
In-Reply-To: <CA+b+ERmusM-giWnBuXoAZ1xXyTpR6RMQipL6GS_HJF17TH4+3Q@mail.gmail.com>
Date: Fri, 11 Oct 2013 21:41:20 +0200
Message-ID: <2B72AA5C-D7A9-40E7-846D-4FBCCCAF1B1B@juniper.net>
References: <525639F6.8010503@cisco.com> <201310101354.r9ADsib8019588@cichlid.raleigh.ibm.com> <70D84A40-EB41-4D70-983A-DE3EB9FFE876@piuha.net> <5256E527.1030806@cisco.com> <37FBE6FA-0ECE-478A-861A-FD4CC0A8FC74@piuha.net> <20131011183222.GA30073@juniper.net> <CA+b+ERmusM-giWnBuXoAZ1xXyTpR6RMQipL6GS_HJF17TH4+3Q@mail.gmail.com>
To: Robert Raszuk <robert@raszuk.net>
Cc: "status@ietf.org" <status@ietf.org>
Subject: Re: [Status] Jari Arkko's BLOCK on charter-ietf-spring-00-06

On Oct 11, 2013, at 9:14 PM, Robert Raszuk wrote:

>> i do not think that packet-filtering is feasible on the default-free-zone
>> on the internet. - can you take off packet-filtering in favour of security
>> cookies?
> 
> What is not feasible? Do you know any DFZ AS to permit in external
> packets towards their infrastructure addresses carried in the
> destination IP header?

the attack vector may not just be the infra prefixes but rather
any routed IPv6 prefix that is transiting through an IPv6-SR
capable router.

all an attacker then needs to do is:

1. pick a route which transits an IPv6-SR capable node
2. add a forged extension header

voila - you can get anywhere you want in the IPv6-SR domain;

---

as much as i like the source-routing paradigm,
it really sucks in the IP data planes due to the security
hazards involved.

i fail to see how attempt #4 for IP source routing is any
better than the previous three attempts.

/hannes
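The exchange above turns on whether a boundary router can recognise and drop transit packets that carry a forged source-routing extension header. The following is an added example written for this archive page, not code from the thread or from any vendor: it walks the IPv6 extension-header chain, flags a Routing Header whose routing type is 4 (the SRH value assigned later in RFC 8754, which post-dates this 2013 discussion), and applies the filter policy the thread debates, dropping SRH-bearing packets and packets to infrastructure prefixes when they arrive on an untrusted ingress. The packets are constructed inline for the example; `build_sample`, `boundary_verdict` and the prefix list are assumptions of this example only.

```python
"""Boundary check for IPv6 Segment Routing Headers (added example, not from the thread).

Walks the IPv6 extension-header chain, detects an SRH (Routing Header, routing
type 4 as assigned in RFC 8754) and returns a drop/forward verdict for a
domain-boundary filter. Sample packets are constructed below for the example.
"""
import ipaddress
import struct

IPPROTO_HOPOPTS = 0
IPPROTO_ROUTING = 43
IPPROTO_FRAGMENT = 44
IPPROTO_DSTOPTS = 60
IPPROTO_NONE = 59          # "No Next Header"
SRH_ROUTING_TYPE = 4       # RFC 8754 value; assumed here for illustration

# Extension headers that may precede a routing header and carry the common
# (next_header, hdr_ext_len) prefix. AH (51) uses a different length unit and
# is deliberately left out of this example.
CHAINED_EXT_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS, IPPROTO_FRAGMENT}


def parse_ipv6(pkt: bytes):
    """Return (src, dst, ext_headers); each ext header is a dict with type/offset/length."""
    if len(pkt) < 40:
        raise ValueError("short IPv6 header")
    if pkt[0] >> 4 != 6:
        raise ValueError("not IPv6")
    next_hdr = pkt[6]
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    offset, headers = 40, []
    while next_hdr in CHAINED_EXT_HEADERS:
        if offset + 2 > len(pkt):
            raise ValueError("truncated extension header")
        nh, ext_len = pkt[offset], pkt[offset + 1]
        # Fragment header is fixed at 8 bytes; others are (hdr_ext_len + 1) * 8.
        length = 8 if next_hdr == IPPROTO_FRAGMENT else (ext_len + 1) * 8
        if offset + length > len(pkt):
            raise ValueError("extension header overruns packet")
        entry = {"type": next_hdr, "offset": offset, "length": length}
        if next_hdr == IPPROTO_ROUTING:
            entry["routing_type"] = pkt[offset + 2]
            entry["segments_left"] = pkt[offset + 3]
        headers.append(entry)
        offset += length
        next_hdr = nh
    return src, dst, headers


def has_srh(pkt: bytes) -> bool:
    """True if any Routing Header in the chain is an SRH (routing type 4)."""
    _, _, headers = parse_ipv6(pkt)
    return any(h["type"] == IPPROTO_ROUTING and h.get("routing_type") == SRH_ROUTING_TYPE
               for h in headers)


def boundary_verdict(pkt: bytes, ingress_trusted: bool, infra_prefixes=()):
    """Hypothetical boundary policy: (verdict, reason) for a packet on a given ingress."""
    _, dst, _ = parse_ipv6(pkt)
    if not ingress_trusted and has_srh(pkt):
        return "drop", "SRH on untrusted ingress"
    if not ingress_trusted and any(dst in p for p in infra_prefixes):
        return "drop", "infrastructure destination on untrusted ingress"
    return "forward", "policy allows"


def build_sample(src: str, dst: str, segments=None, with_dstopts=False) -> bytes:
    """Construct a minimal IPv6 packet for the example, optionally with DSTOPTS and an SRH."""
    ext = b""
    next_hdr = IPPROTO_NONE
    if segments:
        seg_bytes = b"".join(ipaddress.IPv6Address(s).packed for s in segments)
        # SRH: next hdr, hdr ext len (units of 8 bytes, excluding first 8), routing type,
        # segments left, last entry, flags, tag, then the segment list.
        ext = struct.pack("!BBBBBBH", IPPROTO_NONE, len(seg_bytes) // 8, SRH_ROUTING_TYPE,
                          len(segments), len(segments) - 1, 0, 0) + seg_bytes
        next_hdr = IPPROTO_ROUTING
    if with_dstopts:
        # 8-byte Destination Options header holding a single PadN(4) option.
        ext = struct.pack("!BB", next_hdr, 0) + b"\x01\x04\x00\x00\x00\x00" + ext
        next_hdr = IPPROTO_DSTOPTS
    hdr = (struct.pack("!IHBB", 0x60000000, len(ext), next_hdr, 64)
           + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)
    return hdr + ext


if __name__ == "__main__":
    infra = [ipaddress.IPv6Network("2001:db8:ffff::/48")]  # constructed prefix
    plain = build_sample("2001:db8:1::1", "2001:db8:2::1")
    srh = build_sample("2001:db8:1::1", "2001:db8:2::1", segments=["2001:db8:ffff::1"], with_dstopts=True)
    print(boundary_verdict(plain, ingress_trusted=False, infra_prefixes=infra))
    print(boundary_verdict(srh, ingress_trusted=False, infra_prefixes=infra))
```

Note that the check keys on the presence of an SRH anywhere in the chain, not only as the first extension header, so a Destination Options or Hop-by-Hop header placed in front of it does not hide it; that is the part of "packet-filtering" a boundary device must get right for the approach discussed above to hold.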