IETF Logo Mail Archive

Re: [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

Benjamin Kaduk <kaduk@mit.edu> Mon, 26 November 2018 23:18 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97DE0130DFA; Mon, 26 Nov 2018 15:18:39 -0800 (PST)
X-Quarantine-ID: <YqB_bud1p4nV>
X-Virus-Scanned: amavisd-new at amsl.com
X-Amavis-Alert: BAD HEADER SECTION, Non-encoded 8-bit data (char 9C hex): Received: ...s kaduk@ATHENA.MIT.EDU)\n\t\234by outgoing.mit[...]
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YqB_bud1p4nV; Mon, 26 Nov 2018 15:18:37 -0800 (PST)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E604126CB6; Mon, 26 Nov 2018 15:18:37 -0800 (PST)
X-AuditID: 1209190c-25fff700000049ea-7f-5bfc7f4b14e9
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id 68.28.18922.B4F7CFB5; Mon, 26 Nov 2018 18:18:35 -0500 (EST)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-1.mit.edu (8.14.7/8.9.2) with ESMTP id wAQNIXhg007991; Mon, 26 Nov 2018 18:18:34 -0500
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) �by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id wAQNIR3n001207 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 26 Nov 2018 18:18:31 -0500
Date: Mon, 26 Nov 2018 17:18:26 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Fernando Gont <fgont@si6networks.com>
Cc: Christian Huitema <huitema@huitema.net>, tsv-art <tsv-art@ietf.org>, OPSEC <opsec@ietf.org>, ietf <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org
Message-ID: <20181126231826.GD10033@kduck.kaduk.org>
References: <C4886ABA-3BBE-46AE-B2D9-9A6836D7A8BB@strayalpha.com> <2c28d4ac-87de-bcaf-54e8-4e745235c800@gmail.com> <977CA53D-7F72-4443-9DE2-F75F7A7C1569@strayalpha.com> <d6deb7af-99dd-9013-2722-8ebbe00c0b37@si6networks.com> <1CB13135-D87A-4100-8668-D761058E1388@strayalpha.com> <0f56c25d-7ac7-e534-4e2c-cc09f5154e77@foobar.org> <28EDE667-457E-4AED-8480-F27ECAA8E985@strayalpha.com> <6bd1ec94-f420-1f4c-9254-941814704dbb@gmail.com> <6be84ccf-9a72-2694-e19d-fa19043a0cb1@huitema.net> <c0e2edf7-762b-d521-e5a1-7751545371cb@si6networks.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <c0e2edf7-762b-d521-e5a1-7751545371cb@si6networks.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprGKsWRmVeSWpSXmKPExsUixCmqrOtd/yfaYMtnbYu7ew6wWjxZ9YbN YnLjbHaLZxvns1h82HqXzWLWnkUsDmwet2acYvFYsuQnk8eHQz3sAcxRXDYpqTmZZalF+nYJ XBkvXx5mKrgmXnFmjnUDY59wFyMnh4SAicSJSRsYuxi5OIQE1jBJTNnzgBXC2cgo8fB8DzOE c5dJYsORi0wgLSwCqhIrr3aygNhsAioSDd2XmUFsEQFNibnPjzCBNDAL7GCUaF/9ghEkISwQ KfHh82q2LkYODl6gfW235SCGrmKR+HniLFgNr4CgxMmZT8CGMgtoSdz495IJpJ5ZQFpi+T8O kDCngLPE9nnf2EBsUQFlib19h9gnMArMQtI9C0n3LITuBYzMqxhlU3KrdHMTM3OKU5N1i5MT 8/JSi3QN9XIzS/RSU0o3MYIDW5JnB+OZN16HGAU4GJV4eCO+/o4WYk0sK67MPcQoycGkJMrr 8RcoxJeUn1KZkVicEV9UmpNafIhRgoNZSYTXdwlQjjclsbIqtSgfJiXNwaIkzvtb5HG0kEB6 YklqdmpqQWoRTFaGg0NJgvd97Z9oIcGi1PTUirTMnBKENBMHJ8hwHqDhp0FqeIsLEnOLM9Mh 8qcYjTluHPg/nZmjY92yOcxCLHn5ealS4rw7QUoFQEozSvPgpoGSk0T2/ppXjOJAzwnzfgGp 4gEmNrh5r4BWMQGtujYR5I/ikkSElFQDY9p6P9PLJpafn5fwKJ3N/tw9eaZ3jY7z6zPbL+/u evflt0vjTvWFul6ntWyc+Gyro225J1787mI7SfDEi+CMtaHB/fqv9LT0Kizq7vXL30+KunFh kwz3naU7llcvmzDt7IQwgUO3ltfqtMv/fSG7ICVBdNXk6928639/vPO3+I1K1/N85fnhEUos xRmJhlrMRcWJACM0m4spAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/EDix_-krE5LyYJqBC7VMr_RnA_o>
Subject: Re: [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Nov 2018 23:18:40 -0000

On Mon, Nov 26, 2018 at 04:21:06AM -0300, Fernando Gont wrote:
> Christian.
> 
> On 25/11/18 17:40, Christian Huitema wrote:
> [.....]
> 
> > Nick made that point, probably unintentionally, when he wrote that
> > "transit operators would generally take the view that any data-plane
> > packet which needs to be put through a slow path will be rate limited up
> > to 100% loss". Last I checked, data plane processing is implemented in
> > specialized components that are designed for speed. I am quite concerned
> > that filtering recommendations made by the IETF will end up deeply
> > embedded in the hardware of at least some routers, and that changing
> > them in the future would be quite hard. That's pretty much the recipe
> > for ossification.
> 
> PLease take a look at the advice: it essentially argues "pass everything
> that has been stadardizez and that will not cause you pain". And, again,

How is this better than "pass everything that will not cause you pain"?
Why should the transit care if something is standardized or just an
experiment running over the internet?

> this is in line with RFC7045.  Compare that with what we have in the
> real world (RFC7872), and you'll probably agree that if folks were to
> implement this advice, it would be a *huge* improvement -- at the time
> of this writing you cannot even use ipsec reliably on the Internet(!).

One can agree that folks implementing this advice would be an improvement
over the current state of affairs, without agreeing that the IETF should
advocate against using our protocols as they were designed.

> 
> 
> > The IPv6 header contains a
> > "payload type" field, that may legitimately contain any of the payload
> > types defined in the IANA registry of protocol numbers
> > (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
> > Some of those payload types are flagged as IPv6 extension header types
> > and listed in the corresponding registry
> > (https://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml). Discussing
> > EH without discussing the other payload types seems bizarre. Do the
> > reasons for blocking for the experimental payload type 253 also apply
> > to, for example, the UDP Lite payload type? What about discussing ESP
> > and not discussing L2TP or MANET?
> 
> This document discusses EHs. THe considerations for filtering on upper
> payloads are rather different, and normally depend on the upper protocol
> details. (e.g. TCP ports).

Perhaps I am confused, but IIUC this document discusses values placed in
the IPv6 "Next Header" field, some of which are EHs and some of which are
not.  Values not recognized to the processing entity may be EHs or may be
"next protocol"s, and if the value is not recognized there is no way to
know which is the case.  Ergo, filtering out unknown values that might be
EHs is also filtering out unknown next-protocols, which seems really bad
for the future flexibility of the internet.

-Ben

v2.23.0 | Report a Bug | By Email