Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice
Joel jaeggli <joelja@bogus.com> Wed, 30 May 2012 21:55 UTC
Return-Path: <joelja@bogus.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A739D1F0C5D for <v6ops@ietfa.amsl.com>; Wed, 30 May 2012 14:55:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.999
X-Spam-Level:
X-Spam-Status: No, score=-101.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_13=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LSManoUna2fw for <v6ops@ietfa.amsl.com>; Wed, 30 May 2012 14:55:33 -0700 (PDT)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) by ietfa.amsl.com (Postfix) with ESMTP id 2090D1F0C5C for <v6ops@ietf.org>; Wed, 30 May 2012 14:55:33 -0700 (PDT)
Received: from Joels-MacBook-Pro.local (218.sub-166-250-46.myvzw.com [166.250.46.218]) (authenticated bits=0) by nagasaki.bogus.com (8.14.4/8.14.4) with ESMTP id q4ULtQK3079343 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT); Wed, 30 May 2012 21:55:26 GMT (envelope-from joelja@bogus.com)
Message-ID: <4FC69747.3090209@bogus.com>
Date: Wed, 30 May 2012 14:55:19 -0700
From: Joel jaeggli <joelja@bogus.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: Ronald Bonica <rbonica@juniper.net>
References: <20120529143900.25613.76678.idtracker@ietfa.amsl.com> <3B0A71DA-8846-4FFF-9AD8-9B106EF8799B@gmail.com> <4FC52FD3.9060206@gont.com.ar> <AB2444D4-E85B-4E61-9944-47FB1E369203@gmail.com> <003f01cd3e36$a3a09a60$eae1cf20$@lampo@eurid.eu> <DCC302FAA9FE5F4BBA4DCAD4656937791742B3394D@PRVPEXVS03.corp.twcable.com> <4FC64D8A.2020302@joelhalpern.com> <13205C286662DE4387D9AF3AC30EF456D76C387C2C@EMBX01-WF.jnpr.net>
In-Reply-To: <13205C286662DE4387D9AF3AC30EF456D76C387C2C@EMBX01-WF.jnpr.net>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (nagasaki.bogus.com [147.28.0.81]); Wed, 30 May 2012 21:55:28 +0000 (UTC)
Cc: "v6ops@ietf.org" <v6ops@ietf.org>, 'Fernando Gont' <fernando@gont.com.ar>
Subject: Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 May 2012 21:55:33 -0000
On 5/30/12 12:32 , Ronald Bonica wrote: > Joel, > > On the one hand, I don't think that v6ops is overstepping its > charter. It isn't modifying IPv6. It is merely identifying a > combination of IPv6 features that might spell trouble used in the > same datagram. It's saying that that packets matching the criterion should be discarded in order to protect yourself from damage. That is to my mind a fairly operational recommendation. > On the other hand, I would be thrilled if the 6man WG would update > RFC 4443 to say something like "ICMPv6 packets MUST NOT be fragmented > unless the ICMPv6 Type, Code and Checksum all fit in the first > fragment". +1 > Ron <Speaking as individual contributor> > > >> -----Original Message----- From: v6ops-bounces@ietf.org >> [mailto:v6ops-bounces@ietf.org] On Behalf Of Joel M. Halpern Sent: >> Wednesday, May 30, 2012 12:41 PM To: 'Fernando Gont' Cc: >> v6ops@ietf.org Subject: Re: [v6ops] Last Call: >> <draft-ietf-v6ops-ra-guard- implementation-04.txt> (Implementation >> Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best >> Current Practice >> >> I do see the importance of being apply to apply RAGuard in a >> device which does not accumulate fragment state. (I don't want to >> try to analyze the potential DoS attack of having such state.) >> >> However, the proposal introduces a network limtiation, essentially >> a protocol change, in the network. I did not think v6Ops was free >> to recommend behaviors (dropping unclassifiable fragments) which >> basically violate the base IPv6 spec. >> >> It seems that the right answer was discussed much earlier, namely >> changing the protocol behavior (a 6man activity) to tell hosts to >> reject RA and ND packets which were received in fragments. >> >> If that is the right answer, then we have to be very careful about >> creating long-lived restrictions as a remediation until such a >> solution can be adopted. >> >> Yours, Joel _______________________________________________ v6ops >> mailing list v6ops@ietf.org >> https://www.ietf.org/mailman/listinfo/v6ops > _______________________________________________ v6ops mailing list > v6ops@ietf.org https://www.ietf.org/mailman/listinfo/v6ops >
- [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-imp… The IESG
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Marc Lampo
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Ray Hunter
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Washam Fan
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… George, Wes
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Joel M. Halpern
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Ronald Bonica
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Ran Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Joel jaeggli
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Ronald Bonica
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Marc Blanchet
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Ronald Bonica
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Ray Hunter
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Joel M. Halpern
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Ronald Bonica
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Nick Hilliard
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-imp… The IESG