IETF Logo Mail Archive

Re: [v6ops] [Technical Errata Reported] RFC4890 (3985)

joel jaeggli <joelja@bogus.com> Thu, 15 May 2014 04:09 UTC

Return-Path: <joelja@bogus.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AF921A03C1 for <v6ops@ietfa.amsl.com>; Wed, 14 May 2014 21:09:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.951
X-Spam-Level:
X-Spam-Status: No, score=-1.951 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_26=0.6, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oAz_rEhuKHbh for <v6ops@ietfa.amsl.com>; Wed, 14 May 2014 21:09:44 -0700 (PDT)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2B5B1A03BC for <v6ops@ietf.org>; Wed, 14 May 2014 21:09:43 -0700 (PDT)
Received: from mb-aye.local (c-67-188-0-113.hsd1.ca.comcast.net [67.188.0.113]) (authenticated bits=0) by nagasaki.bogus.com (8.14.7/8.14.7) with ESMTP id s4F49KtP032788 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Thu, 15 May 2014 04:09:21 GMT (envelope-from joelja@bogus.com)
Message-ID: <53743DEA.4030703@bogus.com>
Date: Wed, 14 May 2014 21:09:14 -0700
From: joel jaeggli <joelja@bogus.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Thunderbird/29.0
MIME-Version: 1.0
To: "Fred Baker (fred)" <fred@cisco.com>, Elwyn Davies <elwynd@dial.pipex.com>, Mohacsi Janos <mohacsi@niif.hu>, "jamesrobertson@live.com" <jamesrobertson@live.com>
References: <20140514000750.1AF7818000E@rfc-editor.org> <8DA928AC-FCAF-4AB6-BE39-C6D155C91F17@cisco.com>
In-Reply-To: <8DA928AC-FCAF-4AB6-BE39-C6D155C91F17@cisco.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="mKrMilxNrrOBA1q814bEW3hKUN65cMHNC"
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.4.3 (nagasaki.bogus.com [147.28.0.81]); Thu, 15 May 2014 04:09:22 +0000 (UTC)
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/Aore5LAja1NsTNhSjacRdjDcmjc
Cc: V6 Ops List <v6ops@ietf.org>
Subject: Re: [v6ops] [Technical Errata Reported] RFC4890 (3985)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 May 2014 04:09:45 -0000

On 5/14/14, 8:25 PM, Fred Baker (fred) wrote:
> Guys:
> 
> Do we agree with this?

it's not really normative text, it's an example in an appendix.

assuming you think it's an issue  and the correction is reasonable I
would probably just hold it for a document update (seems unlikely atm
but who knows)


> On May 13, 2014, at 5:07 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
> 
>> The following errata report has been submitted for RFC4890,
>> "Recommendations for Filtering ICMPv6 Messages in Firewalls".
>>
>> --------------------------------------
>> You may review the report below and at:
>> http://www.rfc-editor.org/errata_search.php?rfc=4890&eid=3985
>>
>> --------------------------------------
>> Type: Technical
>> Reported by: James Robertson <jamesrobertson@live.com>
>>
>> Section: Appendix B
>>
>> Original Text
>> -------------
>> if [ "$STATE_ENABLED" -eq "1" ]
>> then
>>  # Allow incoming time exceeded code 0 messages
>>  # only for existing sessions
>>  for inner_prefix in $INNER_PREFIXES
>>  do
>>    ip6tables -A icmpv6-filter -m state -p icmpv6 \
>>         -d $inner_prefix \
>>         --state ESTABLISHED,RELATED --icmpv6-type packet-too-big \
>>         -j ACCEPT
>>  done
>> else
>>  # Allow incoming time exceeded code 0 messages
>>  for inner_prefix in $INNER_PREFIXES
>>  do
>>    ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
>>         --icmpv6-type ttl-zero-during-transit -j ACCEPT
>>  done
>> fi
>>
>> Corrected Text
>> --------------
>> if [ "$STATE_ENABLED" -eq "1" ]
>> then
>>  # Allow incoming time exceeded code 0 messages
>>  # only for existing sessions
>>  for inner_prefix in $INNER_PREFIXES
>>  do
>>    ip6tables -A icmpv6-filter -m state -p icmpv6 \
>>     -d $inner_prefix \
>>     --state ESTABLISHED,RELATED --icmpv6-type ttl-zero-during-transit \
>>     -j ACCEPT
>>  done
>> else
>>  # Allow incoming time exceeded code 0 messages
>>  for inner_prefix in $INNER_PREFIXES
>>  do
>>    ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
>>         --icmpv6-type ttl-zero-during-transit -j ACCEPT
>>  done
>> fi
>>
>> Notes
>> -----
>> RFC 4890 Errata ID 2706 states that icmpv6-type packet-too-big should
>> state icmpv6-type ttl-zero-during-transmit. This should read
>> ttl-zero-during-transit.
>>
>> Instructions:
>> -------------
>> This errata is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party (IESG)
>> can log in to change the status and edit the report, if necessary. 
>>
>> --------------------------------------
>> RFC4890 (draft-ietf-v6ops-icmpv6-filtering-recs-03)
>> --------------------------------------
>> Title               : Recommendations for Filtering ICMPv6 Messages in Firewalls
>> Publication Date    : May 2007
>> Author(s)           : E. Davies, J. Mohacsi
>> Category            : INFORMATIONAL
>> Source              : IPv6 Operations
>> Area                : Operations and Management
>> Stream              : IETF
>> Verifying Party     : IESG
>

v2.23.0 | Report a Bug | By Email