IETF Logo Mail Archive

Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

Ole Troan <otroan@employees.org> Mon, 26 November 2018 18:03 UTC

Return-Path: <otroan@employees.org>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D423B12D4E8; Mon, 26 Nov 2018 10:03:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YLdY3W0eehf7; Mon, 26 Nov 2018 10:03:02 -0800 (PST)
Received: from bugle.employees.org (accordion.employees.org [198.137.202.74]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B7F5124D68; Mon, 26 Nov 2018 10:03:01 -0800 (PST)
Received: from astfgl.hanazo.no (30.51-175-112.customer.lyse.net [51.175.112.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bugle.employees.org (Postfix) with ESMTPSA id 5C627FECC00D; Mon, 26 Nov 2018 18:03:01 +0000 (UTC)
Received: from [IPv6:::1] (localhost [IPv6:::1]) by astfgl.hanazo.no (Postfix) with ESMTP id 455D2A4E475; Mon, 26 Nov 2018 19:02:55 +0100 (CET)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\))
From: Ole Troan <otroan@employees.org>
In-Reply-To: <20181126175336.GW72840@Space.Net>
Date: Mon, 26 Nov 2018 19:02:54 +0100
Cc: Joe Touch <touch@strayalpha.com>, ietf <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org, OPSEC <opsec@ietf.org>, Christian Huitema <huitema@huitema.net>, tsv-art <tsv-art@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <C7E31714-3D08-400F-85F8-391FF8E2DDE3@employees.org>
References: <977CA53D-7F72-4443-9DE2-F75F7A7C1569@strayalpha.com> <d6deb7af-99dd-9013-2722-8ebbe00c0b37@si6networks.com> <1CB13135-D87A-4100-8668-D761058E1388@strayalpha.com> <0f56c25d-7ac7-e534-4e2c-cc09f5154e77@foobar.org> <28EDE667-457E-4AED-8480-F27ECAA8E985@strayalpha.com> <6bd1ec94-f420-1f4c-9254-941814704dbb@gmail.com> <6be84ccf-9a72-2694-e19d-fa19043a0cb1@huitema.net> <4C249487-BD58-41BB-B8B6-081323E29F6C@strayalpha.com> <20181126075746.GO72840@Space.Net> <6C50775C-EB67-4236-93B8-DF0259E04167@strayalpha.com> <20181126175336.GW72840@Space.Net>
To: Gert Doering <gert@space.net>
X-Mailer: Apple Mail (2.3445.101.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/A6yGtXHMKjvDeEKana0k05ZmNds>
Subject: Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Nov 2018 18:03:04 -0000

>>> And then IETF wonders why operators do not feel like time spent on
>>> providing their input to IETF WGs is well-spent.
>>> 
>>> What else can it be, on a real-world device, in today's Internet?
>> 
>> The failure of a device to run as advertised or the failure of an 
>> operation to select the an appropriate device.
> 
> This is where the "real-world" bit comes into play.
> 
>> Operators that want to conserve resources without cause are welcome
>> to run their routers inside glass boxes in museums.  Routers do
>> work. Packets cause that work. That work is not an attack unless
>> it is *disproportionate*. That is not shown for nearly any of the
>> cases in this document.
> 
> As people have explained in great detail, there's work that the routers
> are built to do, where the number of packets they can handle is nearly
> arbitrarily high.
> 
> Then there's packets that are seen as an exception, and handled in a
> not-as-powerful path.  Back then, when the Internet was new, these 
> exceptional packets were considered "something we'll handle when the 
> need arises", and it mostly worked.  Today, whenever anything is connected
> to the real Internet has a weakness, it will be abused.  Thus, these 
> packets will have to be rate-limited, up to the point of uselessness.  
> 
> Of course you can build a box that can do everything with the same 
> speed.  I would recommend to the reader to make himself familiar with
> current market realities, though, regarding "cost", "power consumption",
> "feasibility to build in time before the increase in bandwidth has them
> obsoleted again" and "willingness of customers to pay serious money for 
> their Internet access”.

While I agree with what you say here, this draft recommends the opposite.
It recommends that routers should do more work, not less.

Filtering out extension headers and options inside of extension headers, is not only costly, it also violates basic Internet Architecture principles.

Ole

v2.23.0 | Report a Bug | By Email