Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

Joe Touch <touch@strayalpha.com> Mon, 26 November 2018 21:59 UTC

Date: Mon, 26 Nov 2018 13:59:38 -0800
From: Joe Touch <touch@strayalpha.com>
To: Gert Doering <gert@space.net>
Cc: Christian Huitema <huitema@huitema.net>, ietf <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org, Nick Hilliard <nick@foobar.org>, OPSEC <opsec@ietf.org>, tsv-art <tsv-art@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <20181126175336.GW72840@Space.Net>
References: <977CA53D-7F72-4443-9DE2-F75F7A7C1569@strayalpha.com> <d6deb7af-99dd-9013-2722-8ebbe00c0b37@si6networks.com> <1CB13135-D87A-4100-8668-D761058E1388@strayalpha.com> <0f56c25d-7ac7-e534-4e2c-cc09f5154e77@foobar.org> <28EDE667-457E-4AED-8480-F27ECAA8E985@strayalpha.com> <6bd1ec94-f420-1f4c-9254-941814704dbb@gmail.com> <6be84ccf-9a72-2694-e19d-fa19043a0cb1@huitema.net> <4C249487-BD58-41BB-B8B6-081323E29F6C@strayalpha.com> <20181126075746.GO72840@Space.Net> <6C50775C-EB67-4236-93B8-DF0259E04167@strayalpha.com> <20181126175336.GW72840@Space.Net>
Message-ID: <c959d8cb6f6a04a8da8318cfa89da341@strayalpha.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/LN46DNVjc_lehstndxMWQlI9Ba8>

On 2018-11-26 09:53, Gert Doering wrote:

> Hi,
> 
> ...
> As people have explained in great detail, there's work that the routers
> are built to do, where the number of packets they can handle is nearly
> arbitrarily high.
> 
> Then there's packets that are seen as an exception, and handled in a
> not-as-powerful path.  Back then, when the Internet was new, these 
> exceptional packets were considered "something we'll handle when the 
> need arises", and it mostly worked.

Translation - "we cheated", and that's not working anymore. Agreed. 

> Today, whenever anything is connected
> to the real Internet has a weakness, it will be abused.  Thus, these 
> packets will have to be rate-limited, up to the point of uselessness.

Rate limiting is quite different from 100% discards. When abuse happens,
it's clearly safe to react. 

But reacting to the mere presence of this additional - unexpected - work
is not itself abuse. And frankly it's only abuse because vendors claim
IPv6 compliance by cheating and operators go along with the game. 

> Of course you can build a box that can do everything with the same 
> speed.  I would recommend to the reader to make himself familiar with
> current market realities, though, regarding "cost", "power consumption",
> "feasibility to build in time before the increase in bandwidth has them
> obsoleted again" and "willingness of customers to pay serious money for 
> their Internet access".

If you sold this as "partial IPv6" or "incomplete support for RFC8200",
then sure. 

If most of the time these options are not used, then fine - rate limit
when they come up. But say that's what you're doing. 

And don't pretend that this is for security purposes. 

Joe
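Added example (my own illustration, not code from this thread or from the draft under review): the distinction drawn above between rate-limiting exception-path packets and discarding them outright, as a small Python policy that walks an IPv6 extension-header chain and applies a token bucket only to packets that would leave the fast path. The packets, addresses, rate and burst values are constructed for illustration and are not from any real device.

```python
import struct

# Extension-header Next Header values (RFC 8200; AH from RFC 4302).
EH_HBH, EH_ROUTING, EH_FRAGMENT, EH_DEST, EH_AH = 0, 43, 44, 60, 51
EXT_HEADERS = {EH_HBH, EH_ROUTING, EH_FRAGMENT, EH_DEST, EH_AH}

def walk_eh_chain(packet: bytes) -> list:
    """Return the extension-header types in order; raise on malformed input."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = packet[6], 40, []
    while nh in EXT_HEADERS:
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        chain.append(nh)
        if nh == EH_FRAGMENT:            # fixed 8 bytes, no length field
            hlen = 8
        elif nh == EH_AH:                # length in 4-byte units, not counting the first two
            hlen = (packet[off + 1] + 2) * 4
        else:                            # length in 8-byte units, not counting the first
            hlen = (packet[off + 1] + 1) * 8
        nh, off = packet[off], off + hlen
    return chain

class TokenBucket:  # 'rate' tokens per second, at most 'burst' stored
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0
    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def decide(packet: bytes, bucket: TokenBucket, now: float) -> str:
    if not walk_eh_chain(packet):
        return "fast"                    # no EH: hardware path, no budget consumed
    return "slow" if bucket.allow(now) else "drop"   # EH: slow path while budget lasts

def run_policy(packets, rate, burst, interval=0.0) -> list:
    bucket = TokenBucket(rate, burst)
    return [decide(p, bucket, i * interval) for i, p in enumerate(packets)]

# Constructed sample packets (addresses and payload are dummies).
def ipv6_packet(next_header: int, payload: bytes) -> bytes:
    src, dst = b"\x20\x01" + b"\x00" * 14, b"\x20\x01" + b"\x00" * 13 + b"\x01"
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64, src, dst) + payload

HBH = bytes([EH_FRAGMENT, 0, 1, 4, 0, 0, 0, 0])   # Hop-by-Hop: next=Fragment, len 0, PadN(4)
FRAG = bytes([6, 0, 0, 0, 0, 0, 0, 1])             # Fragment: next=TCP, offset 0, id 1
PLAIN = ipv6_packet(6, b"\x00" * 20)                # TCP directly after the fixed header
WITH_EH = ipv6_packet(EH_HBH, HBH + FRAG + b"\x00" * 20)
```

With rate 0 and burst 2 the bucket admits two EH packets to the slow path and drops the third, while plain packets are never touched; with a non-zero rate the budget refills and EH traffic keeps flowing at that rate instead of being discarded wholesale.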