Re: [v6ops] I-D Action: draft-gont-v6ops-ipv6-ehs-packet-drops-01.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 19 October 2015 01:40 UTC

To: draft-gont-v6ops-ipv6-ehs-packet-drops@ietf.org
References: <20151015123705.4548.5970.idtracker@ietfa.amsl.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <56244A06.5040603@gmail.com>
Date: Mon, 19 Oct 2015 14:40:22 +1300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <20151015123705.4548.5970.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/N6jSW0N37wGCE62-pznChu5vZ-s>
Cc: IPv6 Operations <v6ops@ietf.org>
Subject: Re: [v6ops] I-D Action: draft-gont-v6ops-ipv6-ehs-packet-drops-01.txt

Hi,

> 2.  Previous Work on IPv6 Extension Headers
...
>    ... [RFC7045] clarifies how intermediate
>    nodes should deal with IPv6 extension headers.

More than that, it means that they can find the end of the
header chain, which is the critical issue for this draft.
Middleboxes that implement 7045 can find the end of any header
chain conforming to headers standardised up to the date of
implementation.

> 4.1.1.  Enforcing infrastructure ACLs

I think you should list ICMP PTB and fragment headers as
likely permitted traffic here. (Yes, I know you discuss
PTB as an attack vector later, but in general it needs to
be permitted everywhere.)

> 4.1.3.  ECMP and Hash-based Load-Sharing

You could note that the flow label is a specific mitigation for
this aspect (RFC 6437, 6438).

> 4.2.  Route-Processor Protection
...
>    The Hop-by-Hop Options header is particularly challenging since, in
>    most (if not all) implementations, it causes the corresponding packet
>    to be punted to a software path.  As a result, operators usually drop
>    IPv6 packets containing this extension header.

You definitely need a reference to draft-baker-6man-hbh-header-handling here.

Regards
   Brian
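
The two technical points in the reply above, that a middlebox conforming to RFC 7045 can walk to the end of the extension header chain, and that the flow label (RFC 6437/6438) gives an ECMP hash key that does not depend on reaching the transport header, can be shown in working code. What follows is an added example, not code from the thread, the draft, or any RFC: the packets are hand-constructed byte strings using documentation addresses, header lengths follow RFC 8200, and SHA-256 stands in for whatever hash function a real router uses.

```python
"""Walk an IPv6 extension-header chain (RFC 8200 / RFC 7045) and derive
ECMP hash keys with and without the flow label (RFC 6437 / RFC 6438).
Illustrative example; all packets below are constructed, not captured."""
import hashlib
import ipaddress
import struct
from typing import List, NamedTuple, Optional

IPV6_HDR_LEN = 40
HBH, ROUTING, FRAGMENT, ESP, AH, DST_OPTS = 0, 43, 44, 50, 51, 60
MOBILITY, HIP, SHIM6 = 135, 139, 140
# Extension headers a forwarding node is expected to recognise (RFC 7045);
# 253/254 are the experimental values. Any other Next Header value is
# treated as an upper-layer protocol, which is what RFC 7045 asks for.
EXTENSION_HEADERS = {HBH, ROUTING, FRAGMENT, ESP, AH, DST_OPTS,
                     MOBILITY, HIP, SHIM6, 253, 254}


class ChainResult(NamedTuple):
    upper_layer: int   # protocol reached, or the header type that stopped the walk
    offset: int        # byte offset of that header within the packet
    chain: List[int]   # extension headers traversed, in order
    complete: bool     # False if the transport header cannot be reached


def walk_header_chain(pkt: bytes) -> ChainResult:
    """Follow Next Header fields from the fixed IPv6 header.

    The walk ends early on ESP (everything after it is encrypted) and on a
    Fragment header with a non-zero offset (the transport header is in the
    first fragment, not in this packet)."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], IPV6_HDR_LEN, []
    while nh in EXTENSION_HEADERS:
        chain.append(nh)
        if nh == ESP:
            return ChainResult(nh, off, chain, False)
        if off + 8 > len(pkt):   # every extension header is at least 8 bytes
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            hdr_len = 8
            frag_offset = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_offset != 0:
                return ChainResult(nh, off, chain, False)
        elif nh == AH:
            hdr_len = (pkt[off + 1] + 2) * 4   # AH Payload Len: 4-byte words minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8   # Hdr Ext Len: 8-byte units after the first 8
        if off + hdr_len > len(pkt):
            raise ValueError("truncated extension header")
        nh, off = pkt[off], off + hdr_len
    return ChainResult(nh, off, chain, True)


def ecmp_key_5tuple(pkt: bytes) -> Optional[bytes]:
    """Classic 5-tuple key; only available when the TCP/UDP header is reachable."""
    res = walk_header_chain(pkt)
    if not res.complete or res.upper_layer not in (6, 17) or res.offset + 4 > len(pkt):
        return None   # the load-sharer has nothing better than addresses to hash on
    return pkt[8:40] + bytes([res.upper_layer]) + pkt[res.offset:res.offset + 4]


def ecmp_key_3tuple(pkt: bytes) -> bytes:
    """RFC 6438 key: source, destination and the 20-bit flow label; no chain walk."""
    flow_label = struct.unpack("!I", pkt[:4])[0] & 0xFFFFF
    return pkt[8:40] + flow_label.to_bytes(3, "big")


def ecmp_path(key: bytes, n_paths: int) -> int:
    """Map a hash key to one of n equal-cost paths (SHA-256 as a stand-in hash)."""
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_paths


def ipv6_header(next_header: int, payload_len: int, flow_label: int, src: bytes, dst: bytes) -> bytes:
    return struct.pack("!IHBB16s16s", (6 << 28) | flow_label, payload_len, next_header, 64, src, dst)


def fragment_header(next_header: int, frag_offset: int, more: bool, ident: int) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (frag_offset << 3) | int(more), ident)


# Constructed sample packets (documentation prefix 2001:db8::/32).
SRC = ipaddress.IPv6Address("2001:db8::1").packed
DST = ipaddress.IPv6Address("2001:db8::2").packed
FLOW_LABEL = 0x3A7C1
UDP_HDR = struct.pack("!HHHH", 40000, 53, 8, 0)   # UDP to port 53, no payload, checksum omitted
HBH_HDR = bytes([17, 0, 1, 4, 0, 0, 0, 0])        # Hop-by-Hop: Next Header=UDP, one PadN option

PKT_HBH_UDP = ipv6_header(HBH, 16, FLOW_LABEL, SRC, DST) + HBH_HDR + UDP_HDR
PKT_FRAG_FIRST = ipv6_header(FRAGMENT, 16, FLOW_LABEL, SRC, DST) + fragment_header(17, 0, True, 0xABCD) + UDP_HDR
PKT_FRAG_LATER = ipv6_header(FRAGMENT, 16, FLOW_LABEL, SRC, DST) + fragment_header(17, 185, False, 0xABCD) + bytes(8)
PKT_ESP = ipv6_header(ESP, 16, FLOW_LABEL, SRC, DST) + bytes(16)   # SPI, sequence number, ciphertext

if __name__ == "__main__":
    for name, pkt in [("hbh+udp", PKT_HBH_UDP), ("frag #1", PKT_FRAG_FIRST),
                      ("frag #2", PKT_FRAG_LATER), ("esp", PKT_ESP)]:
        res, k5 = walk_header_chain(pkt), ecmp_key_5tuple(pkt)
        print(f"{name:8} chain={res.chain} complete={res.complete} "
              f"5-tuple path={ecmp_path(k5, 4) if k5 else 'n/a'} "
              f"flow-label path={ecmp_path(ecmp_key_3tuple(pkt), 4)}")
```

Running it shows the difference Brian points at: the second fragment and the ESP packet yield no 5-tuple at all, so a 5-tuple-only load-sharer would have to fall back to something coarser (and may split one flow across paths), whereas the flow-label key is identical for both fragments and is computed from the fixed header alone.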