IETF Logo Mail Archive

Re: [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 05 December 2018 02:59 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF2A5130DDE; Tue, 4 Dec 2018 18:59:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2KGjAnkVbz58; Tue, 4 Dec 2018 18:59:17 -0800 (PST)
Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16FA2130DD2; Tue, 4 Dec 2018 18:59:17 -0800 (PST)
Received: by mail-pl1-x632.google.com with SMTP id u6so9298240plm.8; Tue, 04 Dec 2018 18:59:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=FNNimi6fpEODc+K+M0NEHfqvixy6li7gOO8qTv5Rxjw=; b=hSITjHIQJYRttZTTkLsPg7UcU5frSZ/AWcr2IQ8Qln6BJ5zk1o+ApN11GdmuCsP/HM 52GFwilN5bKIcz96khEmjKNKxHo7w5VbJw1RUFOyN2V+hLrxqStUZ9kL3dn8KHFh9jpl 7qK+uaKCr/J9UKjg73EiZYV6vvhIsrU3puMLhWXiFVl9uQ3mM/3AILqtumFRRR/in8Ur tSshWj2KRpvkIdBTsB1md1GKj5uLsqhSjNZTC5EsTsLE2EOK8K16leTMnu0R7lyWqsKz 8zICouMxNERyxycED2OgpRiHCZpreNrpoli/JJwaFP6TDfy3NQI/dhM1u+mXTfmbl3SE rAGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=FNNimi6fpEODc+K+M0NEHfqvixy6li7gOO8qTv5Rxjw=; b=LoCy/rMPPNy48o9nPX/9UjSv3NLPD+x48xFcFb2pGCkXpR838nf9Zj1cg9BUH2AFDw gvCA7HTsCWryadABZQpHaY4pmGPV9NfpJ0wTHuLXh6rBmRckHC0CMVbCQHlZgiV20Mir hgbD/Hk1ZDaBIhovsNfwUB5kcbbtW0FyMyumvJ6IpTRLo2rf702fZB+771VDc3vCNbYV 5VYKSeM9Eikdc48RzoCXfh7bj3XnArBDEnx9nl08s9gs3SxI0/bcKJt0ye2z6mHQ+Jnh 42k67wJxmIWKReeobgzHTw2Yu5kq4FtsPg+9nHg5wgyxLbnBGbgqHwcmWskLH3CWMIsT mykA==
X-Gm-Message-State: AA+aEWbQu0wypRLqjsqmOmV8Dy84lijC4xj22F/AZFCEzxLp81AvfTIn wNxHuiggAmdSjHcyF/ctnmUgxg3GaIs=
X-Google-Smtp-Source: AFSGD/VQeaTX0oJwED4VzZq0eZJa09r5PJlZFWFcmG016L/uXKn2bbG214uKt+rbMrdoBcCs8fhTlQ==
X-Received: by 2002:a17:902:d83:: with SMTP id 3mr1112993plv.43.1543978756310; Tue, 04 Dec 2018 18:59:16 -0800 (PST)
Received: from [192.168.178.30] ([118.148.76.40]) by smtp.gmail.com with ESMTPSA id i4sm35259979pfj.82.2018.12.04.18.59.13 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 04 Dec 2018 18:59:15 -0800 (PST)
To: Joe Touch <touch@strayalpha.com>, "C. M. Heard" <heard@pobox.com>
Cc: IETF <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org, OPSEC <opsec@ietf.org>, TSV-ART <tsv-art@ietf.org>
References: <CACL_3VGeJPzDhS0RVAvpQs9W8b4EODft-qJRwBD6Xxm+X6BZ6A@mail.gmail.com> <B6C8F695-074C-40BF-A73F-1B0C85F08F71@strayalpha.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <42f482b8-ef85-909b-861f-c95a6a9efde1@gmail.com>
Date: Wed, 05 Dec 2018 15:59:10 +1300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.3.2
MIME-Version: 1.0
In-Reply-To: <B6C8F695-074C-40BF-A73F-1B0C85F08F71@strayalpha.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/DITst1-z7qhEf6aZhs78M4kRPg4>
Subject: Re: [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2018 02:59:20 -0000

On 2018-12-05 14:17, Joe Touch wrote:
> It’s difficult to reconcile the text from other RFCs below with the fact that 8200 kept the 01, 10, and 11 option types.
> 
> Joe
> 
>> On Dec 4, 2018, at 2:56 PM, C. M. Heard <heard@pobox.com> wrote:
>>
>> On Tue, 4 Dec 2018 15:17:33 -0500 Christopher Morrow wrote:
>>> A solution might be to have a mode where  a router may just ignore all
>>> headers except the src/dst-ip and simply forward all packets, trusting
>>> that the conversing adults will sort out problems with unknown/new/
>>> experimental headers or with a tortured ordering of headers (for
>>> instance).
>>
>> Glad to hear you say that, because that's exactly what RFC 7045
>> envisions as the default forwarding behavior:
>>
>>   Any forwarding node along an IPv6 packet's path, which forwards the
>>   packet for any reason, SHOULD do so regardless of any extension
>>   headers that are present […]r
> 
> This text is in direct contradiction to RFC2460 as per above.

Of course. RFC 7045 updated RFC2460.

> 
>>
>> Recognizing that processing of Hop-by-Hop Options in the fast path is
>> costly, RFC 8200 formally dropped the requirement for every router to
>> process them by default:
>>
>>   NOTE: While [RFC2460] required that all nodes must examine and
>>   process the Hop-by-Hop Options header, it is now expected that nodes
>>   along a packet's delivery path only examine and process the
>>   Hop-by-Hop Options header if explicitly configured to do so.
> 
> That is an expectation of the inadequacy of others. It does not clearly drop the requirement.

If so, that was a drafting error. RFC 7045 already formally changed
it to a SHOULD.

And IMHO it's entirely correct. For example, making the open Internet completely transparent to HbH means that a HbH-using application has a chance of crossing the open Internet successfully. By contrast, expecting line-speed routers on multi-Gbit
intercontinental links to process HbH condemns such an application to failure.

This was all thrashed out when we drafted RFC 7045 and again when we
drafted RFC 8200.

What's new here is that OPSEC wants to legitimise filtering for reasons
other than performance, and that's contentious.

    Brian

> 
>>
>> What some of us would like to see is a statement in the draft that it's
>> just fine to operate this way (Christian Huitema made that suggestion
>> earlier in this thread, and so did I in my detailed last-call comments).
>>
>> Mike Heard
>>
>> _______________________________________________
>> Tsv-art mailing list
>> Tsv-art@ietf.org
>> https://www.ietf.org/mailman/listinfo/tsv-art
> 
>

v2.23.0 | Report a Bug | By Email