Re: [Tsv-art] game over, EH [Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06]

"C. M. Heard" <heard@pobox.com> Thu, 06 December 2018 19:41 UTC

MIME-Version: 1.0
References: <CACL_3VGeJPzDhS0RVAvpQs9W8b4EODft-qJRwBD6Xxm+X6BZ6A@mail.gmail.com> <CAL9jLabK0bZz2nki=oFNHT0OrpVAB8pw7emAj2BtkHRCzkfmqQ@mail.gmail.com> <cf64abbf-e447-71e3-b983-4e525cc139aa@gmail.com> <CAL9jLaYMRDGFa7Qzj4ukRV1FPbJM40qbuZ34SYxoA30Z+h3EWw@mail.gmail.com> <20181205085227.GG1543@Space.Net> <9ba948f9-f286-1016-2dbd-f7056a15e744@gmail.com> <20181206093154.GF1543@Space.Net> <CACL_3VGy6rjr10E4FK4xd4pq_-XSfP2VGhVqT+z-6Gm17z7okA@mail.gmail.com> <F69B9DEA-1C23-4FBD-952D-ACC65780F320@puck.nether.net>
In-Reply-To: <F69B9DEA-1C23-4FBD-952D-ACC65780F320@puck.nether.net>
From: "C. M. Heard" <heard@pobox.com>
Date: Thu, 06 Dec 2018 11:41:28 -0800
X-Gmail-Original-Message-ID: <CACL_3VEbp6bWBbBWd-qsHa6szjHBw50BtOMc3y0PD2k=iuC_gQ@mail.gmail.com>
Message-ID: <CACL_3VEbp6bWBbBWd-qsHa6szjHBw50BtOMc3y0PD2k=iuC_gQ@mail.gmail.com>
To: Jared Mauch <jared@puck.nether.net>
Cc: Gert Doering <gert@space.net>, IETF <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org, OPSEC <opsec@ietf.org>, TSV-ART <tsv-art@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/UKYKVnsDCthCcecu7F9Yk6TNy8s>
Subject: Re: [Tsv-art] game over, EH [Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06]
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>

On Thu, Dec 6, 2018 at 11:12 AM Jared Mauch wrote:
> UDP is filtered or policed by network operators not because they want
> it, but as self-defense.  Nothing personal.  If you are on the end of
> a long subsea circuit, you may not be able to use UDP based
> protocols.  If you are trying to SNMP poll over public internet
> because you think you can e2e, you will become sad.  No operator wants
> to deploy these configurations, they must because of the problems.

I do get the need for self-defense. But ...

Does this apply to all UDP or just specific UDP-based protocols?

What I commented on specifically was UDP/443 (QUIC), something
that people are actually trying to deploy.

If you block it, is that based on evidence of actual UDP/443 attacks?

Mike Heard