Re: [v6ops] Extension Headers / Impact on Security Devices

Tim Chown <tjc@ecs.soton.ac.uk> Wed, 20 May 2015 08:14 UTC

Return-Path: <tjc@ecs.soton.ac.uk>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5537B1ACD9A for <v6ops@ietfa.amsl.com>; Wed, 20 May 2015 01:14:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.231
X-Spam-Level:
X-Spam-Status: No, score=-1.231 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_NEUTRAL=0.779, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R7g7vBHnRBfu for <v6ops@ietfa.amsl.com>; Wed, 20 May 2015 01:14:34 -0700 (PDT)
Received: from falcon.ecs.soton.ac.uk (falcon.ecs.soton.ac.uk [IPv6:2001:630:d0:f102::25e]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E4801ACAD8 for <v6ops@ietf.org>; Wed, 20 May 2015 01:14:33 -0700 (PDT)
Received: from falcon.ecs.soton.ac.uk (localhost [127.0.0.1]) by falcon.ecs.soton.ac.uk (8.13.8/8.13.8) with ESMTP id t4K8EOAs017511; Wed, 20 May 2015 09:14:24 +0100
X-DKIM: Sendmail DKIM Filter v2.8.2 falcon.ecs.soton.ac.uk t4K8EOAs017511
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=ecs.soton.ac.uk; s=201304; t=1432109666; bh=oFVzuigiaVBwGWlDWD9LznOGEvc=; h=Mime-Version:Subject:From:In-Reply-To:Date:Cc:References:To; b=tCsjf7dSuvWZ+0SE0dwkgGzk3PRXb9yfn5otP9FRPFXFLxVRI5CmIzfPQ2nb3QEwT 21lPfgcSUFBrVF5kgTBINsz66Oufuu1lIVVzjt8OF0WpISKEnmUMUW4rIvt2wk0U20 C1shDkqmlSds+z8+tloN41F9vE/JX6Ab1ToG5Ch0=
Received: from gander.ecs.soton.ac.uk ([2001:630:d0:f102:250:56ff:fea0:401]) by falcon.ecs.soton.ac.uk (falcon.ecs.soton.ac.uk [2001:630:d0:f102:250:56ff:fea0:68da]) envelope-from <tjc@ecs.soton.ac.uk> with ESMTP (valid=N/A) id r4J9EO20289021256q ret-id none; Wed, 20 May 2015 09:14:26 +0100
Received: from [IPv6:2001:630:d0:f111:d141:a0df:b442:ece1] ([IPv6:2001:630:d0:f111:d141:a0df:b442:ece1]) (authenticated bits=0) by gander.ecs.soton.ac.uk (8.13.8/8.13.8) with ESMTP id t4K8ENxg009687 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 20 May 2015 09:14:24 +0100
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Tim Chown <tjc@ecs.soton.ac.uk>
In-Reply-To: <555B8712.9080906@isi.edu>
Date: Wed, 20 May 2015 09:14:25 +0100
Content-Transfer-Encoding: quoted-printable
Message-ID: <EMEW3|c91cdcfda9ced16fe59fdbc4171372c9r4J9EO03tjc|ecs.soton.ac.uk|1A7F7D26-BBFD-4981-BF1C-978115C0B90A@ecs.soton.ac.uk>
References: <20150515113728.GH3028@ernw.de> <7449B614-BF21-4AD8-A642-831D5B385B41@employees.org> <20150518.134312.74662992.sthaug@nethelp.no> <555B8712.9080906@isi.edu> <1A7F7D26-BBFD-4981-BF1C-978115C0B90A@ecs.soton.ac.uk>
To: Joe Touch <touch@isi.edu>
X-Mailer: Apple Mail (2.2098)
X-smtpf-Report: sid=r4J9EO202890212500; tid=r4J9EO20289021256q; client=relay,forged,no_ptr,ipv6; mail=; rcpt=; nrcpt=4:0; fails=0
X-ECS-MailScanner-Information: Please contact the ISP for more information
X-ECS-MailScanner-ID: t4K8EOAs017511
X-ECS-MailScanner: Found to be clean
X-ECS-MailScanner-From: tjc@ecs.soton.ac.uk
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/IEWsa2NUFmRy_mr_JF6g9ktz0A4>
Cc: v6ops@ietf.org
Subject: Re: [v6ops] Extension Headers / Impact on Security Devices
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 May 2015 08:14:37 -0000

> On 19 May 2015, at 19:55, Joe Touch <touch@isi.edu> wrote:
> 
> On 5/18/2015 4:43 AM, sthaug@nethelp.no wrote:
>>>> - it has not happened in the past 17 yrs (since publication of RFC2460) that compelling, Internet-scale use cases of extension headers have been brought up.
>>> 
>>> this is clearly wrong. FH, AH, ESP are all widely deployed.
>>> any form of tunnelling is essentially either using the IP header as an extension header. including GRE.
>> 
>> AH is in RFC 2402 (1998).
>> ESP is in RFC 2406 (1998).
>> FH is in RFC 2460 (1998).
>> 
>> Do we have any examples of Internet-scale use cases where the extension
>> header has been defined *after* RFC 2460?
> 
> The following are defined after 2460:
> 
> 135 	Mobility Header 			[RFC6275]
> 139 	Host Identity Protocol 			[RFC7401]
> 140 	Shim6 Protocol 				[RFC5533]
> 253 	Use for experimentation and testing 	[RFC3692][RFC4727]
> 254 	Use for experimentation and testing 	[RFC3692][RFC4727]
> 
> FWIW.

Which, as I think you imply, haven’t exactly been widely implemented or successfully used.

The other question is what existing work is being done that relies on the correct (desired) operation of EHs? The two that would spring out would be segment routing and sfc, at least one of which is using the existing Routing Header. If such protocols are constrained to specific administrative domains then their successful operation I would assume is down to specific EH handling in the equipment in that domain, and its capabilities, rather than (undesired) operator filtering somewhere between sender and receiver.

Tim