Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-ehs-packet-drops-00 - Middleboxes

Ole Troan <otroan@employees.org> Sun, 02 August 2020 12:05 UTC

Return-Path: <otroan@employees.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68C7D3A0BE6 for <v6ops@ietfa.amsl.com>; Sun, 2 Aug 2020 05:05:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.003
X-Spam-Level:
X-Spam-Status: No, score=0.003 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qbjFbw_qykts for <v6ops@ietfa.amsl.com>; Sun, 2 Aug 2020 05:05:30 -0700 (PDT)
Received: from clarinet.employees.org (clarinet.employees.org [IPv6:2607:7c80:54:3::74]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEC263A0A8E for <v6ops@ietf.org>; Sun, 2 Aug 2020 05:05:29 -0700 (PDT)
Received: from [10.166.244.167] (77.18.52.167.tmi.telenormobil.no [77.18.52.167]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by clarinet.employees.org (Postfix) with ESMTPSA id 6BEF24E11B28; Sun, 2 Aug 2020 12:05:28 +0000 (UTC)
Content-Type: multipart/alternative; boundary=Apple-Mail-EEEB731C-825F-40F8-9EFD-27352B49BEB8
Content-Transfer-Encoding: 7bit
From: Ole Troan <otroan@employees.org>
Mime-Version: 1.0 (1.0)
Date: Sun, 2 Aug 2020 14:05:25 +0200
Message-Id: <F35B476E-CA80-4442-976D-214CAF1FD75D@employees.org>
References: <f65dff980756428e9aeec77fe87d8138@huawei.com>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>
In-Reply-To: <f65dff980756428e9aeec77fe87d8138@huawei.com>
To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
X-Mailer: iPhone Mail (17G68)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/1GKAaGP7ussFidO562jzX1klPos>
Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-ehs-packet-drops-00 - Middleboxes
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Aug 2020 12:05:31 -0000


> On 1 Aug 2020, at 18:47, Vasilenko Eduard <vasilenko.eduard@huawei.com> wrote:
> 
> I am still not happy that middleboxes (Firewall, Load Balancer) are discarded as the reasons for EH drops.
> 
> Tom (Herbert) is right that “FWs and middleboxes that insist on meddling in protocol layers beyond the networking layer where both the standard and the Internet architecture say they are not supposed to look at”
> 
> But they are! We should not ignore the reality.
> 
> It is especially evident that they are among reasons for EHs drops after response:
> 
> > I would love to see the firewall device that is capable of processing ALL protocol headers in the IETF protocol suite! Reality is that firewalls can only process what they are programmed to process which is typically a very small subset of the possible protocols a host might want to use.
> 
>  
> 
> It is not good to ignore/hide some type of drops that we do not like.
> 
I think you have a good point. 

If I was implementing a function to wash traffic in front of a set of eg DNS servers, why would I ever let any EH through? Known or unknown.

There’s a chicken and egg situation. Awaiting  an across the Internet useful EH option. 

Apart from measuring the transparency level of the core Internet, it’s unclear to me what useful conclusions we can draw from this work. 

Cheers 
Ole