Re: [v6ops] WG Doc? draft-gont-v6ops-ipv6-ehs-packet-drops

Lorenzo Colitti <lorenzo@google.com> Fri, 18 March 2016 12:20 UTC

From: Lorenzo Colitti <lorenzo@google.com>
Date: Fri, 18 Mar 2016 21:20:03 +0900
Message-ID: <CAKD1Yr34tx1yzX7UrL5tf+QunnUwY6-ne3AsFvFwtdYU2TD0dQ@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/PpwQO_h_hvOrOJD5YPdHq10jmPA>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] WG Doc? draft-gont-v6ops-ipv6-ehs-packet-drops

On Fri, Mar 18, 2016 at 5:29 PM, Fernando Gont <fgont@si6networks.com> wrote:

> > From the point of view of security, I don't see a difference. Not found
> > should be treated as unknown anyway.
>
> Dropping as a result of unfound is an unintended effect. That's the point.

I don't think that's a useful argument. If you don't know what you're
doing, everything is unintended.

I think we should assume that network administrators know that EHs exist
and that they are making explicit decisions on whether to filter them or
not, based on the capabilities of their hardware.

If an admin configures a policy that says "from next-header tcp" and
doesn't care to check the documentation as to whether that means "the next
header after the IPv6 header is TCP" or "the last header in the chain is
TCP"... well, they get what they deserve.

No different from someone who writes a policy that says "allow port 80" to
protect a webserver and is surprised when anyone can talk to any port on
the webserver by sending packets with a source port of 80.
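The two readings of "from next-header tcp" discussed above, shown side by side on constructed packets. This is an added example, not code from the thread or from any vendor's filter implementation; the packet builders, the `matches_next_header_tcp` policy evaluator and the sample packets are all hypothetical.

```python
import struct

# IANA protocol numbers used below. The extension headers that carry a
# Next Header field and can be walked: Hop-by-Hop (0), Routing (43),
# Fragment (44), Destination Options (60).
HOP_BY_HOP, TCP, ROUTING, FRAGMENT, DEST_OPTS = 0, 6, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def first_next_header(pkt):
    """Reading 1 of "next-header tcp": only the fixed IPv6 header's field."""
    return pkt[6]

def walk_chain(pkt, max_headers=8):
    """Reading 2: follow the chain. Returns (upper_layer_proto, chain);
    the protocol is None when this packet cannot tell (truncated, chain
    too long, or a non-first fragment)."""
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if len(chain) >= max_headers or off + 8 > len(pkt):
            return None, chain
        chain.append(nh)
        if nh == FRAGMENT:
            # Fixed 8 bytes; upper-layer header only present if offset == 0.
            frag_off = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            nh, off = pkt[off], off + 8
            if frag_off != 0:
                return None, chain
        else:
            # Hdr Ext Len is in 8-octet units, excluding the first 8 octets.
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return nh, chain

def matches_next_header_tcp(pkt, semantics):
    """The rule "from next-header tcp" under the two readings in the mail."""
    if semantics == "first":
        return first_next_header(pkt) == TCP
    return walk_chain(pkt)[0] == TCP

# Constructed sample packets (unspecified addresses, minimal TCP SYN header).
def ipv6(next_header, payload):
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       bytes(16), bytes(16)) + payload
def dest_opts(next_header):  # 8-octet header holding one PadN option
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])
def fragment(next_header, frag_off):  # offset in 8-octet units, id 0xabcd
    return struct.pack("!BBHI", next_header, 0, frag_off << 3, 0xABCD)
TCP_SYN = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
PLAIN_TCP = ipv6(TCP, TCP_SYN)
TCP_BEHIND_DO = ipv6(DEST_OPTS, dest_opts(TCP) + TCP_SYN)
NONFIRST_FRAG = ipv6(FRAGMENT, fragment(TCP, 100) + bytes(16))
```

The same TCP segment matches the rule under one reading and not the other once a Destination Options header precedes it, and a non-first fragment cannot be classified at all without reassembly, which is the ambiguity an administrator has to resolve against the documentation for their platform.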