IETF Logo Mail Archive

Re: [v6ops] [OPSEC] Call for WG adoption - Recommendations on Filtering of IPv6 Packets Containing IPv6 Extension Headers

"C. M. Heard" <heard@pobox.com> Mon, 13 October 2014 14:38 UTC

Return-Path: <heard@pobox.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DE3B1A0107 for <v6ops@ietfa.amsl.com>; Mon, 13 Oct 2014 07:38:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DMXLTNyGHqyr for <v6ops@ietfa.amsl.com>; Mon, 13 Oct 2014 07:38:05 -0700 (PDT)
Received: from shell4.bayarea.net (shell4.bayarea.net [209.128.82.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 106761A00F2 for <v6ops@ietf.org>; Mon, 13 Oct 2014 07:38:05 -0700 (PDT)
Received: (qmail 1234 invoked from network); 13 Oct 2014 07:38:02 -0700
Received: from shell4.bayarea.net (209.128.82.1) by shell4.bayarea.net with (DHE-RSA-AES256-SHA encrypted) SMTP; 13 Oct 2014 07:38:02 -0700
Date: Mon, 13 Oct 2014 07:38:02 -0700
From: "C. M. Heard" <heard@pobox.com>
X-X-Sender: heard@shell4.bayarea.net
To: Mikael Abrahamsson <swmike@swm.pp.se>
In-Reply-To: <alpine.DEB.2.02.1410130926090.14735@uplift.swm.pp.se>
Message-ID: <Pine.LNX.4.64.1410130723530.25821@shell4.bayarea.net>
References: <201410101259128179113@gmail.com> <279945F5-9A00-41AB-903E-FF4F858CB387@employees.org> <alpine.DEB.2.02.1410130907280.14735@uplift.swm.pp.se> <B499E06A-887A-4A9B-8FB9-EE2D3A1F9095@employees.org> <alpine.DEB.2.02.1410130926090.14735@uplift.swm.pp.se>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/RPUjJywkFxhuvN69i1HltWD0owA
Cc: opsec <opsec@ietf.org>, v6ops <v6ops@ietf.org>
Subject: Re: [v6ops] [OPSEC] Call for WG adoption - Recommendations on Filtering of IPv6 Packets Containing IPv6 Extension Headers
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Oct 2014 14:38:06 -0000

On Mon, 13 Oct 2014, Mikael Abrahamsson wrote:
> On Mon, 13 Oct 2014, Ole Troan wrote:
> > > > shouldn't this be a draft authored by operators? giving operational
> > > > recommendations coming out of... well, actual operations?
> > >
> > > Well, another way of looking at this is that operators just want things to
> > > work as well as they can, so they need guidance from vendors and protocol
> > > designers.
> > >
> > > Isn't this a BCOP style document? I believe at least one of the authors is
> > > active in one or more BCOP group.
> >
> > the protocol designer's recommendation does appear pretty clear, RFC2460:
> >
> >   "With one exception, extension headers are not examined or processed
> >   by any node along a packet's delivery path, until the packet reaches
> >   the node (or each of the set of nodes, in the case of multicast)
> >   identified in the Destination Address field of the IPv6 header."

RFC 7045, a standards-track document, explicitly changes that.  The 
subject draft does not make any recommendations that contradict 
RC 7045.  It supplements RFC 7045 where the latter does not fully 
nail down the behaviour.

There is also draft-gont-6man-ipv6-opt-transmit, which (if 
approved) will do the same for options that RFC 7045 does for 
extension headers.  Same commens wrt that.

> You mean you don't want non-operators in the IETF to make recommendations?
> 
> The way I see it is that vendors are making equipment based on customer
> requirements. Since a lot of vendor equipment obviously inspect packets,
> including those with extension headers along the way (probably to do ACLs),
> then this equipment is already violating the functioning of the protocol
> (which of course is nothing new).
> 
> My opinion is that it's better to look at common implementation and document
> and give recommendations where this differs from the blueprints.
> 
> What I don't like is that if we follow along this path we're basically saying
> "extension headers don't work on the Internet" which has the implication that
> fewer will use them, meaning the vendors that don't follow the protocol
> designer intention has little downside, and thus perpetuating the problem.
> 
> I don't know how to make it right though. I would like to see extension
> headers working well, but I also understand that people want to be able to do
> filtering.

RFC 7045 revises IPv6 to acknowledge the reality of packet 
inspection by forwarding devices, but lit levies requirements that, 
if followed, should make the behaviour far less destructive.  The 
sibject draft complements it with operational advice that is much in 
the same spirit.

//cmh

v2.23.0 | Report a Bug | By Email