Re: [v6ops] [Int-area] [OPSEC] I-D Action: draft-gont-opsec-ipv6-eh-filtering-00.txt
Joe Touch <touch@isi.edu> Thu, 17 July 2014 22:39 UTC
Message-ID: <53C8506E.1050002@isi.edu>
Date: Thu, 17 Jul 2014 15:38:38 -0700
From: Joe Touch <touch@isi.edu>
To: Fernando Gont <fgont@si6networks.com>, "C. M. Heard" <heard@pobox.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/UGpJ35Z058F_XU662Z3qRoOh5g8
Cc: OPSEC <opsec@ietf.org>, Internet Area <int-area@ietf.org>, IPv6 Operations <v6ops@ietf.org>
Subject: Re: [v6ops] [Int-area] [OPSEC] I-D Action: draft-gont-opsec-ipv6-eh-filtering-00.txt

On 7/17/2014 3:03 PM, Fernando Gont wrote:
> On 07/17/2014 02:11 PM, Joe Touch wrote:
>>
>>
>> On 7/16/2014 3:13 PM, C. M. Heard wrote:
>>> Even if I don't agree with all of them, the filtering
>>> recommendations in this draft do seem to be motivated by legitimate
>>> operational concerns, not blanket paranoia.
>>
>> They need to be characterized as what they are:
>>
>> - an attempt to accommodate devices that are NOT IPv6-compliant
>
> I'd have a hard time coming up with a vendor/device that can process
> IPv6 packets with HBH header with the same performance as regular
> packets. So.. are you suggesting that we start claiming that "we
> currently do not know of any ipv6-compliant routers", or what? (fwiw, I
> expect you are not)

If we are, then it's time to adjust RFC2460.

IMO, we ought to:

- define the features/capabilities we think are necessary

- require that anything that doesn't support what's necessary as
non-compliant

Otherwise, you're just un-doing all the work that goes into the standards
process in the first place. All because you think that anything you
don't expect is an attack. It isn't. It just means you're not prepared.

Joe