Re: [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
Mark Andrews <marka@isc.org> Tue, 27 November 2018 00:07 UTC
Return-Path: <marka@isc.org>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6712813106F; Mon, 26 Nov 2018 16:07:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Twvu8lv1f-d6; Mon, 26 Nov 2018 16:07:46 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D6BF12DF72; Mon, 26 Nov 2018 16:07:46 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 9DCB13AC858; Tue, 27 Nov 2018 00:07:33 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id EF6EA160067; Tue, 27 Nov 2018 00:07:11 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id CDBF1160082; Tue, 27 Nov 2018 00:07:11 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id PBlGRuhJbzyS; Tue, 27 Nov 2018 00:07:11 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 2E3A8160067; Tue, 27 Nov 2018 00:07:09 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <CABcZeBMw+ZS=VAtrciGEKkQodCXmP-WSGjjoGYyrK+328kCBnw@mail.gmail.com>
Date: Tue, 27 Nov 2018 11:06:51 +1100
Cc: Joe Touch <touch@strayalpha.com>, opsec@ietf.org, IETF discussion list <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org, tsv-art@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <01CACB34-C018-4EC5-A437-90F745856549@isc.org>
References: <154300282321.9639.11604402305352742547@ietfa.amsl.com> <C4886ABA-3BBE-46AE-B2D9-9A6836D7A8BB@strayalpha.com> <2c28d4ac-87de-bcaf-54e8-4e745235c800@gmail.com> <977CA53D-7F72-4443-9DE2-F75F7A7C1569@strayalpha.com> <d6deb7af-99dd-9013-2722-8ebbe00c0b37@si6networks.com> <1CB13135-D87A-4100-8668-D761058E1388@strayalpha.com> <4138e2eb-71e0-4c3d-36cb-38da8369a7c6@si6networks.com> <1BEB4C2C-0873-4D08-8A7D-1C3E30AC374F@strayalpha.com> <CABcZeBMw+ZS=VAtrciGEKkQodCXmP-WSGjjoGYyrK+328kCBnw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/POGVHiE9OctSt-4uKL4-WacNur4>
Subject: Re: [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Nov 2018 00:07:48 -0000
The same is true in DNS. Recursive servers end up having to probe with different extensions set. Such probing is being turned off for basic EDNS because it leads to false positives about what the remote server support which in turn breaks DNSSEC which depends on EDNS and being able to set the DO flag bit. One source vendors are so fed up with this stupidity by firewall vendors that they are collectively going to stop shipping code that automatically attempts to work around this breakage. The big open recursive resolver operators are also turning off work arounds. This at least will mean that DNSSEC will become more reliable. https://dnsflagday.net https://ednscomp.isc.org/compliance/summary.html has lots of time series showing how different extension mechanisms are blocked / mis-handled. EDNS has stated from day 1 that unknown EDNS flags are to be ignored yet there are firewall vendors that seem to think it is a good idea to block them. It took years for DO to be allow through by most firewalls. EDNS has stated from day 1 that unknown EDNS versions are supposed to be responded to by BADVERS with the highest version supported but we still have firewall vendors block EDNS version != 0 requests. EDNS also says that unknown EDNS options are to be ignored by the server yet there are firewalls that block them by default. There are those that block NSID options in the request by default, but it something the DNS operator has to enable in the server for there to be a NSID in the response. None of this blockage provides any real security. Name servers handle all of these extensions and don’t fall over. There really is too much paranoia by firewall and other vendors. Just because something is using a extension mechanism it doesn’t mean that it is dangerous or abuse. Getting back to IPv6 headers ASIC’s that can’t skip over fragmentation headers are just plain broken. ASIC’s that can’t generate PTB responses are just plain broken. These are part of basic IPv6. Neither should require hitting the slow path. Mark > On 27 Nov 2018, at 2:18 am, Eric Rescorla <ekr@rtfm.com> wrote: > > Picking a random message to reply to. > > I'm not any kind of IPv6 expert, so I'm not taking a position on the goodness or badness of extension headers. > > With that said, we do have a fair amount of experience with trying to deploy new protocols in the face of significant levels of network-level filtering; TLS 1.3 was delayed by a year or so when we discovered that there were middleboxes which made incorrect assumptions about our extension points. At the end of the day, we got things working, but at the cost of some not very attractive hacks, and if you look at QUIC, a lot of the design is motivated by concealing extension points from network intermediaries in order to avoid a replay of this scenario. Otherwise, we're worried that we won't be able to extend the protocol in the future. > > So, at least from the endpoint's perspective, a situation in which network intermediaries block any new protocol features they don't recognize is not really great. > > -Ekr > > > > > > > On Mon, Nov 26, 2018 at 6:36 AM Joe Touch <touch@strayalpha.com> wrote: > > > > On Nov 25, 2018, at 11:54 PM, Fernando Gont <fgont@si6networks.com> wrote: > > > > What this doc tries to do is to analyze the possible effects of > > different types and options, and only advice to drop them when there is > > a clear reason to do so. > > It claims those actions based on security. This is not a security issue. It is a revenue preservation issue. > > There is a big difference between using a protocol feature and abusing it. The implication that merely using some of these features is a security issue and an abuse is the problem with this document - and the approach of similar documents. > > Joe -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [Tsv-art] Tsvart last call review of draft-ietf-o… Michael Scharf
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Brian E Carpenter
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Fernando Gont
- Re: [Tsv-art] Tsvart last call review of draft-ie… Fernando Gont
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Nick Hilliard
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Brian E Carpenter
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Christian Huitema
- Re: [Tsv-art] Tsvart last call review of draft-ie… Nick Hilliard
- Re: [Tsv-art] Tsvart last call review of draft-ie… Christian Huitema
- Re: [Tsv-art] Tsvart last call review of draft-ie… Brian E Carpenter
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Fernando Gont
- Re: [Tsv-art] Tsvart last call review of draft-ie… Fernando Gont
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Eric Rescorla
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Ole Troan
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Benjamin Kaduk
- Re: [Tsv-art] Tsvart last call review of draft-ie… Mark Andrews
- Re: [Tsv-art] Tsvart last call review of draft-ie… Brian E Carpenter
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Nick Hilliard
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Stewart Bryant
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Stewart Bryant
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Stewart Bryant
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Christopher Morrow
- Re: [Tsv-art] Tsvart last call review of draft-ie… C. M. Heard
- Re: [Tsv-art] Tsvart last call review of draft-ie… Christopher Morrow
- Re: [Tsv-art] Tsvart last call review of draft-ie… Brian E Carpenter
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Brian E Carpenter
- Re: [Tsv-art] Tsvart last call review of draft-ie… Brian E Carpenter
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Joe Touch
- Re: [Tsv-art] Tsvart last call review of draft-ie… Christopher Morrow
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Christopher Morrow
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Brian E Carpenter
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Christopher Morrow
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Mark Andrews
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … David Farmer
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Nick Hilliard
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Nick Hilliard
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Nick Hilliard
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Stewart Bryant
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Ole Troan
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Nick Hilliard
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Nick Hilliard
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Randy Bush
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Ole Troan
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Stewart Bryant
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Ole Troan
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Christian Huitema
- [Tsv-art] HbH flags [Tsvart last call review of d… Brian E Carpenter
- Re: [Tsv-art] HbH flags [Tsvart last call review … Joe Touch
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Joe Touch
- Re: [Tsv-art] HbH flags [Tsvart last call review … Brian E Carpenter
- [Tsv-art] game over, EH [Tsvart last call review … Brian E Carpenter
- Re: [Tsv-art] HbH flags [Tsvart last call review … Joe Touch
- [Tsv-art] ECMP [Tsvart last call review of draft-… Brian E Carpenter
- Re: [Tsv-art] HbH flags [Tsvart last call review … Brian E Carpenter
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Stephen Farrell
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Brian E Carpenter
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Fernando Gont
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Fernando Gont
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Fernando Gont
- Re: [Tsv-art] HbH flags [Tsvart last call review … Joe Touch
- Re: [Tsv-art] HbH flags [Tsvart last call review … Christopher Morrow
- Re: [Tsv-art] HbH flags [Tsvart last call review … Joe Touch
- Re: [Tsv-art] HbH flags [Tsvart last call review … Joe Touch
- Re: [Tsv-art] HbH flags [Tsvart last call review … Christopher Morrow
- Re: [Tsv-art] HbH flags [Tsvart last call review … Christopher Morrow
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Gert Doering
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] [OPSEC] HbH flags [Tsvart last call… Gert Doering
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Brian Trammell (IETF)
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Stewart Bryant
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Stewart Bryant
- Re: [Tsv-art] HbH flags [Tsvart last call review … Ole Troan
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Stewart Bryant
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Ole Troan
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Stewart Bryant
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Gert Doering
- Re: [Tsv-art] HbH flags [Tsvart last call review … Stewart Bryant
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Stewart Bryant
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Stewart Bryant
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Gert Doering
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Ole Troan
- Re: [Tsv-art] HbH flags [Tsvart last call review … Joe Touch
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Spencer Dawkins at IETF
- Re: [Tsv-art] HbH flags [Tsvart last call review … Joe Touch
- Re: [Tsv-art] [OPSEC] HbH flags [Tsvart last call… Joe Touch
- Re: [Tsv-art] HbH flags [Tsvart last call review … Joe Touch
- Re: [Tsv-art] HbH flags [Tsvart last call review … Ole Troan
- Re: [Tsv-art] HbH flags [Tsvart last call review … Stewart Bryant
- Re: [Tsv-art] HbH flags [Tsvart last call review … Joe Touch
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Fernando Gont
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Smith, Donald
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Nick Hilliard
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Ole Troan
- Re: [Tsv-art] game over, EH [Tsvart last call rev… C. M. Heard
- Re: [Tsv-art] [OPSEC] game over, EH [Tsvart last … Jared Mauch
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Jared Mauch
- Re: [Tsv-art] game over, EH [Tsvart last call rev… C. M. Heard
- Re: [Tsv-art] [OPSEC] game over, EH [Tsvart last … Smith, Donald
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Gert Doering
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Nico Williams
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Brian E Carpenter
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Nick Hilliard
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Brian E Carpenter
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Nick Hilliard
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Brian E Carpenter
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Eric Rescorla
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Jared Mauch
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Fernando Gont
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Christopher Morrow
- Re: [Tsv-art] HbH flags [Tsvart last call review … Christopher Morrow
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Gert Doering
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Eric Rescorla
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Jared Mauch
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Eric Rescorla
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Joe Touch
- Re: [Tsv-art] HbH flags [Tsvart last call review … Pete Resnick
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Jared Mauch
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Jared Mauch
- Re: [Tsv-art] HbH flags [Tsvart last call review … Jared Mauch
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Joe Touch
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Nico Williams
- [Tsv-art] OT: TCP session lifetime - Re: game ove… Jared Mauch
- Re: [Tsv-art] OT: TCP session lifetime - Re: game… Nico Williams
- Re: [Tsv-art] game over, EH [Tsvart last call rev… Eric Rescorla
- Re: [Tsv-art] OT: TCP session lifetime - Re: game… Gert Doering
- [Tsv-art] Engaging constructively [HbH flags [Tsv… Alissa Cooper
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Wes Hardaker
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Brian E Carpenter
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Wes Hardaker
- Re: [Tsv-art] [OPSEC] Tsvart last call review of … Fernando Gont
- Re: [Tsv-art] ECMP [Tsvart last call review of dr… Fernando Gont