IETF Logo Mail Archive

Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

Ole Troan <otroan@employees.org> Wed, 05 December 2018 14:53 UTC

Return-Path: <otroan@employees.org>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5ACBE126C01; Wed, 5 Dec 2018 06:53:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ez2oQgNknLXA; Wed, 5 Dec 2018 06:53:39 -0800 (PST)
Received: from bugle.employees.org (accordion.employees.org [198.137.202.74]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B27CD1271FF; Wed, 5 Dec 2018 06:53:39 -0800 (PST)
Received: from astfgl.hanazo.no (30.51-175-112.customer.lyse.net [51.175.112.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bugle.employees.org (Postfix) with ESMTPSA id AA55FFECC0A9; Wed, 5 Dec 2018 14:53:38 +0000 (UTC)
Received: from [IPv6:::1] (localhost [IPv6:::1]) by astfgl.hanazo.no (Postfix) with ESMTP id CC9CEAA92D6; Wed, 5 Dec 2018 15:53:35 +0100 (CET)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\))
From: Ole Troan <otroan@employees.org>
In-Reply-To: <20181205135723.GN1543@Space.Net>
Date: Wed, 05 Dec 2018 15:53:35 +0100
Cc: Joe Touch <touch@strayalpha.com>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org, Mark Andrews <marka@isc.org>, David Farmer <farmer@umn.edu>, OPSEC <opsec@ietf.org>, tsv-art <tsv-art@ietf.org>, IETF-Discussion Discussion <ietf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <54C715AE-8931-4FA9-AA01-2311EB0055F0@employees.org>
References: <CAL9jLaYfysKm7qrG=+jq7zV=5ODnSX-tAhBAiTU7SzYF-YmcGw@mail.gmail.com> <728C6048-896E-4B12-B80B-2091D7373D16@strayalpha.com> <CAL9jLaYHVdHr+rVoWeNtXTXgLxbTaX8V9gn3424tvsLW60Kvow@mail.gmail.com> <5E70C208-0B31-4333-BB8C-4D45E678E878@isc.org> <CAN-Dau0go6_Puf0A9e7KBpk0ApJBUvcxYtezxnwNc-8pKJ3PwQ@mail.gmail.com> <4D69FA8E-FB8A-4A16-9CA6-690D8AE33C9E@strayalpha.com> <20181205122142.GJ1543@Space.Net> <F17C4944-09EC-4AAC-84A0-B660E36AAE89@strayalpha.com> <20181205133821.GL1543@Space.Net> <B6280E0C-6B20-43C1-BB34-170FB06F1EF7@strayalpha.com> <20181205135723.GN1543@Space.Net>
To: Gert Doering <gert@space.net>
X-Mailer: Apple Mail (2.3445.101.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/1qx8D5NrX5YFqOPRRVhV8eL805M>
Subject: Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2018 14:53:45 -0000

Gert,

>> Vendors are not required to lie when claiming IPv6 support.
> 
> So you prefer that vendors just do not deliver IPv6 at all?
> 
> Let me repeat that: what you want will not be paid by the marketplace.
> 
> Chained EHs are a relict from a time when everybody was nice and 
> cooperative, bandwith was sparse, routers used CPUs to forward packets,
> and money came from governments to research networks in huge amounts.
> 
> This is not today's Internet anymore.
> 
> You can accept that or not, but nothing you can say will magically make 
> the necessary amount of money and development resources (let alone 
> "interest") appear to build and deploy routers that can do what you want 
> all across the Internet.

This is the exact reason we have layering in the Internet protocols.
IPv6 routers are not meant to parse further into packets then the IPv6 header (with one exception (1)).

That network devices find it hard to parse deep into user’s traffic is a feature.
I find the argument that we should then change upper layer protocols to accommodate that, hard to digest.

I agree with Joe, this isn’t a security issue.

Ole

(1) The exception is the HBH header which is intended as a hook for forwarding devices to do further processing of the packet.
To Joe’s point, RFC8200 specifies that the header is to be ignored unless the device is specifically configured to handle the header.
There is obviously no security risk for the router itself in ignoring the NH=0 and forwarding the packet.
There might be a risk if and when an actual HBH option is specified. But that specification should have security considerations.

v2.23.0 | Report a Bug | By Email