IETF Logo Mail Archive

Re: [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

Brian E Carpenter <brian.e.carpenter@gmail.com> Sun, 25 November 2018 19:40 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72653124BE5; Sun, 25 Nov 2018 11:40:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P1uRae9jwOyy; Sun, 25 Nov 2018 11:40:33 -0800 (PST)
Received: from mail-pf1-x434.google.com (mail-pf1-x434.google.com [IPv6:2607:f8b0:4864:20::434]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51137124C04; Sun, 25 Nov 2018 11:40:33 -0800 (PST)
Received: by mail-pf1-x434.google.com with SMTP id b7so5481753pfi.8; Sun, 25 Nov 2018 11:40:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=xEfWtHQWPhP5rEavMQM8XLzb12zinNxjuNfpGSOhRGU=; b=k13oIopwFn/OLyrxLCtgMPGJ2jMWq6akyNLZsCAmuUwMoD22gTOVxF+9FVexp5sDYJ iaapaDJXg8ILuEpjAI6ui04GRdn90fYSj5WWIFssSPkgmTW3oCK2zVo0xDOJ1XJnDf5s CWMtZjlyIZFhZKWzKeV1Yi0RjvOnopRZp/Q9bQ+hZxQQB2HCErUxXSAz6uam0eazfutK sd0DMq1ITupdQGmkG5ZZ7YaVTVKCGbKUbPEibq1YETNKsS3UKht0wg9nXX+RGoTRRogy ixPrO4cSjZTy9+xaldXEUxyqBA2s3nLUKcEQcg1tRoVjdeBWC/ST6pGeAliDeWEvXu+m 2CUA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=xEfWtHQWPhP5rEavMQM8XLzb12zinNxjuNfpGSOhRGU=; b=PjOINDkCDw3xLriEShRpgbEK7zifJ+BMA52Z3YecGDnGhZNEp9dhSp7PKUkGbyGPVB uvVTQZrvwaQdqwKD3Mj3qT3TF/GeV16sgB8tVma8dfMQpUPcPVMTCeiiYtDv7GwOHJ1P tTUXcs9Pvs7f8YAnVDcG8BIgE5P4hjjXs4i2skpxQyf2Ro3Ox6KvZlVd+pHB/2mTFbye uHg8eP02Ae6ss6K25pJyRWh2IYf+toPSXtWi4iDxY8ip2f9FkWsda/boyV1ZHEwsmGMg zkwHz6D8iNynC9DfIqPY+SSzLtOtSN3J4XjAc/asVNnukyKwM3A90tCQfQo0GUtcXpSf DxQw==
X-Gm-Message-State: AGRZ1gKWaKKEYdtk9AKlFLGNG/XFpOnNGSHimMNH1PG8Zlwi2dO6knrz 48aK48ojZsc5Tq7TCeTIEuy1KoxP
X-Google-Smtp-Source: AJdET5cyauuVbR4H2orFdKEcYTInh7bcXu4ZlHhby/RqjQNJ9hfA60BBqOPD6YH3s0sewsDTsBe97g==
X-Received: by 2002:a62:d504:: with SMTP id d4mr24623957pfg.38.1543174832641; Sun, 25 Nov 2018 11:40:32 -0800 (PST)
Received: from [192.168.178.30] ([118.148.76.40]) by smtp.gmail.com with ESMTPSA id f193-v6sm89180383pfc.74.2018.11.25.11.40.28 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 25 Nov 2018 11:40:31 -0800 (PST)
To: Joe Touch <touch@strayalpha.com>, Nick Hilliard <nick@foobar.org>
Cc: tsv-art <tsv-art@ietf.org>, OPSEC <opsec@ietf.org>, ietf <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org
References: <154300282321.9639.11604402305352742547@ietfa.amsl.com> <C4886ABA-3BBE-46AE-B2D9-9A6836D7A8BB@strayalpha.com> <2c28d4ac-87de-bcaf-54e8-4e745235c800@gmail.com> <977CA53D-7F72-4443-9DE2-F75F7A7C1569@strayalpha.com> <d6deb7af-99dd-9013-2722-8ebbe00c0b37@si6networks.com> <1CB13135-D87A-4100-8668-D761058E1388@strayalpha.com> <0f56c25d-7ac7-e534-4e2c-cc09f5154e77@foobar.org> <28EDE667-457E-4AED-8480-F27ECAA8E985@strayalpha.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <6bd1ec94-f420-1f4c-9254-941814704dbb@gmail.com>
Date: Mon, 26 Nov 2018 08:40:25 +1300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <28EDE667-457E-4AED-8480-F27ECAA8E985@strayalpha.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/M4bvoVK_PJE69sjD8HDo_NEAHEo>
Subject: Re: [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Nov 2018 19:40:36 -0000

On 2018-11-26 04:53, Joe Touch wrote:
> A reasoned discussion of the pros and cons would be useful.
> 
> What we have is the perspective, often heavily represented by vendors and operators, of the driving reality that:
> 
> a) implementing extended features is an attack on profits
> b) properly configuring and monitoring extended features is an attack on effort
> 
> A reasoned argument would be useful. That is not what has been repeatedly presented, IMO.

I don't think that's entirely fair to RFC7045. But the fact is that
there's a tussle here between the desire for the ability to deploy
new protocols freely, and the desire for the ability to block
potentially harmful or malicious traffic. The definition of "harmful
or malicious" is not universally agreed. "Harmful to my business model"
is certainly one possible interpretation. But then, we decided to
implement the Internet as a largely unregulated competitive system,
so we got tussles.

As far as I can tell, there is nothing much that the IETF can do about
this.

    Brian

> 
> Joe
> 
>> On Nov 25, 2018, at 4:59 AM, Nick Hilliard <nick@foobar.org> wrote:
>>
>> Joe Touch wrote on 25/11/2018 06:24:
>>> The reality is that standards are not followed, agreed. That does not
>>> imply that we need to relax those standards - instead, it can be
>>> reason to fix broken devices.
>>> Working at the level of the most broken device is no way to run a
>>> production Internet.
>>> And claiming that doing so is appropriate for security reasons is
>>> just as broken, as it always has been.
>> Joe,
>>
>> another point of view would be that operator feedback should be welcomed because sometimes protocols are found to be difficult to implement fully, or when implemented fully cause unforeseen consequences.  EHs are a good example of this.  When originally conceived - for the best of intentions - the spec was sufficiently loose that they were not just unimplementable from a practical point of view, but the spec was open to protocol level security problems.  RFC7112 describes some issues relating to EHs, but there are plenty of other examples.
>>
>> How, where and when to filter EH packets creates a bind, no doubt about it. Some EHs are intrinsically troublesome (e.g. anything with hbh processing requirements); others can be processed without issues.  The IETF can choose to ignore this problem or get involved and have some influence about what might constitute best practice.  If this happens, vendors might even fix some of their silicon.  Declaring that the problem exists only on one side won't make the Internet better.
>>
>> Nick
>>
>> _______________________________________________
>> Tsv-art mailing list
>> Tsv-art@ietf.org
>> https://www.ietf.org/mailman/listinfo/tsv-art
> 
>

v2.23.0 | Report a Bug | By Email