Re: [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
"C. M. Heard" <heard@pobox.com> Sun, 25 November 2018 02:49 UTC
Return-Path: <heard@pobox.com>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D081912D4E9; Sat, 24 Nov 2018 18:49:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pobox.com; domainkeys=pass (1024-bit key) header.from=heard@pobox.com header.d=pobox.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6CPRU9oWlD0I; Sat, 24 Nov 2018 18:49:12 -0800 (PST)
Received: from pb-smtp21.pobox.com (pb-smtp21.pobox.com [173.228.157.53]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C980128CF3; Sat, 24 Nov 2018 18:49:12 -0800 (PST)
Received: from pb-smtp21.pobox.com (unknown [127.0.0.1]) by pb-smtp21.pobox.com (Postfix) with ESMTP id 969D12B114; Sat, 24 Nov 2018 21:49:11 -0500 (EST) (envelope-from heard@pobox.com)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=mime-version :references:in-reply-to:from:date:message-id:subject:to:cc :content-type; s=sasl; bh=/TVQ0hmRctD7oLFNHx/laslBKlA=; b=DDSCdE jwmpDOLt/peBTQ7dVZ7WI1rgYzDYngeEKz5U0WLcwLvOJAEjknJMGgRf/qCeNKeE 3/L5o4I3J1CetGocqrNwQOtbZnoCXevWoGFdiUmh0ygEVCbhPK5PWPxuHQMy4ur6 3wn6+32XhgfIRjgnTqramLRHCwEMIdnWHec4A=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=mime-version :references:in-reply-to:from:date:message-id:subject:to:cc :content-type; q=dns; s=sasl; b=gFgYCreN8DmfQsjjfs9Ae09IMkIE7vXJ 7Q7Xy5IspV1ZaUdNEz32JQmzE6+j9dYpuwCZ6itwbSnclnJ/bq0EXuYooHhG+RbW uUh2qelIV6qZpOm8sEm3fksSt2cE843VKZSE3O1T0KjRDe7NGR3HlyuSkwIdaR8g nJm72L61Fmw=
Received: from pb-smtp21.sea.icgroup.com (unknown [127.0.0.1]) by pb-smtp21.pobox.com (Postfix) with ESMTP id 8EB2C2B113; Sat, 24 Nov 2018 21:49:11 -0500 (EST) (envelope-from heard@pobox.com)
Received: from mail-io1-f44.google.com (unknown [209.85.166.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pb-smtp21.pobox.com (Postfix) with ESMTPSA id 15CE92B110; Sat, 24 Nov 2018 21:49:09 -0500 (EST) (envelope-from heard@pobox.com)
Received: by mail-io1-f44.google.com with SMTP id s22so11331381ioc.8; Sat, 24 Nov 2018 18:49:09 -0800 (PST)
X-Gm-Message-State: AA+aEWZLZYSoVJR2Kp4Ds2DWMVp4YTyBSLS5ucqKOkPY7xnh5VYssiU8 qXTbo+HzvOyLuXufoJFblXe7HGTLsB1BKqShC7w=
X-Google-Smtp-Source: AFSGD/VBGWMjPSm47mQjqp7p6UEY2UU7UZFUF8qxQKXS8hKQ4r6d04SzJ4Rsn0s3zu5g6j5NFKl/ISAGPf/JvhmYrz8=
X-Received: by 2002:a6b:7307:: with SMTP id e7-v6mr10527449ioh.94.1543114147790; Sat, 24 Nov 2018 18:49:07 -0800 (PST)
MIME-Version: 1.0
References: <CACL_3VGBOP7YkVuuoE_kWebVMh73XFEGgO1HXZod_Dv1La4b3w@mail.gmail.com> <CACL_3VHOryH4AcgZSgd1zMfNwxUD5HfG0VWT2kiKUDXhbyQgdg@mail.gmail.com> <89aea476-6a06-5d06-f43f-b9e71b9fb546@si6networks.com>
In-Reply-To: <89aea476-6a06-5d06-f43f-b9e71b9fb546@si6networks.com>
From: "C. M. Heard" <heard@pobox.com>
Date: Sat, 24 Nov 2018 18:48:55 -0800
X-Gmail-Original-Message-ID: <CACL_3VHvEiqKiTx_G4x4KTO5j6cgJMJ8W_1RG5Qut71LhLdgzw@mail.gmail.com>
Message-ID: <CACL_3VHvEiqKiTx_G4x4KTO5j6cgJMJ8W_1RG5Qut71LhLdgzw@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Cc: Michael Scharf <michael.scharf@hs-esslingen.de>, TSV-ART <tsv-art@ietf.org>, OPSEC <opsec@ietf.org>, IETF <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering@ietf.org
Content-Type: text/plain; charset="UTF-8"
X-Pobox-Relay-ID: AE8EBCBA-F05C-11E8-94A8-CC883AD79A78-06080547!pb-smtp21.pobox.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/cfAqonFxwgIWW2wf_xae3aIEITg>
Subject: Re: [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Nov 2018 02:49:14 -0000
On Sat, Nov 24, 2018 at 5:14 PM Fernando Gont <fgont@si6networks.com> wrote: > On 24/11/18 17:13, C. M. Heard wrote: > >> On Nov 23, 2018, at 11:53 AM, Michael Scharf wrote: > >> > >> Reviewer: Michael Scharf > >> Review result: Ready > >> > >> This document has been reviewed as part of the transport area review team's > >> ongoing effort to review key IETF documents. These comments were written > >> primarily for the transport area directors, but are copied to the document's > >> authors and WG to allow them to address any issues raised and also to the IETF > >> discussion list for information. > >> > >> When done at the time of IETF Last Call, the authors should consider this > >> review as part of the last-call comments they receive. Please > >> always CC tsv-art at ietf.org if you reply to or forward this review. > >> > >> I have reviewed draft-ietf-opsec-ipv6-eh-filtering-06. There are no apparent > >> transport issues. The proposed filtering could slow down the deployment of > >> experimental protocols that use IPv6 options, but the tradeoffs are explained > >> in the document. > > > > Did you notice that Section 3.5.5 advises discarding IPv6 packets whose Next > > Header value is unknown -- i.e., IPv6 packets with unknown EHs **or** unknown > > transport protocols? Even for an IPv6 core router in the open Internet? > > The document gos in line with RFC7045. Not sure what the issues is here... RFC 7045 requires that treatment of unknown Next Header codepoints be configurable and says that the default configuration MAY be to discard. The draft advises all operators to select the discard option. As Brian Carpenter pointed out in his response to the thread started by my last call comments, that effectively trumps the MAY in RFC 7045 with a lower case should. So it really is not in line with RFC 7045. That's one problem. And as Joe Touch said, treating every unknown codepoint as an attack is itself an attack. Remember, the advice in the draft is directed to operators of **transit routers**, including core routers in the open Internet, and applies to traffic not directed to the router. So the purpose is to protect downstream infrastructure and customers. But customers who want to use new transport protocols will be harmed, not protected, by the discarding of packets with Next Header values that are unknown to the operator of the router. Biasing the advice in this way exacerbates the very protocol ossification issues that the draft purports to want to solve. That's a much bigger problem. I think that you and your co-author did a good job in Section 4.5 with unknown options; there the advice is much more nuanced, instead of being biased toward the blanket default-deny policy that got us into the ossification mess in the first place. Why not give the same advice for unknown Next Header codepoints, as I suggested in my last call comments? Or leave the advice neutral, as Brian suggested? Mike Heard
- [Tsv-art] (no subject) C. M. Heard
- Re: [Tsv-art] Tsvart last call review of draft-ie… C. M. Heard
- Re: [Tsv-art] (no subject) Scharf, Michael
- Re: [Tsv-art] Tsvart last call review of draft-ie… Fernando Gont
- Re: [Tsv-art] Tsvart last call review of draft-ie… C. M. Heard