Re: [v6ops] Security Considerations for draft-gont-v6ops-ipv6-ehs-in-real-world
Fernando Gont <fgont@si6networks.com> Thu, 04 September 2014 23:23 UTC
Message-ID: <5408F464.6010705@si6networks.com>
Date: Thu, 04 Sep 2014 20:23:16 -0300
From: Fernando Gont <fgont@si6networks.com>
To: Mark Andrews <marka@isc.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>
References: <54074E9B.5030007@si6networks.com> <20140903235529.C08031E5282B@rock.dv.isc.org> <5407B564.7060003@gmail.com> <20140904005937.397471E53E95@rock.dv.isc.org>
In-Reply-To: <20140904005937.397471E53E95@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/VU_EVfnwEoF-bv-gMBfXVRF2ZuI
Cc: draft-gont-v6ops-ipv6-ehs-in-real-world@tools.ietf.org, IPv6 Operations <v6ops@ietf.org>
On 09/03/2014 09:59 PM, Mark Andrews wrote:
>> I think the problem is that it isn't painful at all to the people who
>> configure the blocking device. It's only painful to actual users.
>
> Which in 99% of cases works for the same people that ordered the firewall
> to be installed. If fragments aren't getting to your device, take
> the issue up with your management. It's almost always a problem
> at the receiving end.

Brian already commented on this issue.

That said, for the case we are describing, your assessment does not really
apply: the filtering is happening in transit rather than at the edge. E.g.,
I was able to attack my own connection against www.kernel.org, and there
wasn't any firewall on my access.

Whether firewalls at the edge are predominant when it comes to filtering of
IPv6 packets with EHs between peers (i.e., peer to peer) is something worth
exploring... but for the time being it is rather orthogonal to our
discussion (although it might help to exacerbate the problem when there's
no filtering on the network, but the border firewall does filter IPv6
packets with EHs).

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
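The message above turns on what a transit device does when it meets an IPv6 extension header chain. The following is an added example, not code from the draft, the thread or SI6 Networks: it builds IPv6 packets with and without a Destination Options header and a Fragment Header (including an atomic fragment, offset 0 and M=0, which is the shape a host emits after receiving a small-MTU Packet Too Big), then walks the header chain the way a filter in the path must to find the transport header, and applies a constructed drop policy. The addresses, ports, identification value and the set of dropped header types are illustrative assumptions.

```python
"""Build IPv6 packets with extension headers and walk the header chain as a
transit filter would.  Added example; addresses, ports and the filter policy
are constructed for illustration."""
import ipaddress
import struct

IPPROTO_HOPOPTS = 0
IPPROTO_TCP = 6
IPPROTO_ROUTING = 43
IPPROTO_FRAGMENT = 44
IPPROTO_NONE = 59
IPPROTO_DSTOPTS = 60

# Extension headers that start with (Next Header, Hdr Ext Len), RFC 2460 s4.
_VARIABLE_LEN_EHS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS}


def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    """Fixed 40-byte IPv6 header: version 6, traffic class 0, flow label 0."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def dest_opts_header(next_header):
    """Minimal 8-byte Destination Options header: Hdr Ext Len 0 plus one PadN
    option (type 1, length 4) filling the six option bytes."""
    return struct.pack("!BBBB4s", next_header, 0, 1, 4, b"\x00" * 4)


def fragment_header(next_header, offset=0, more=False, ident=0x12345678):
    """8-byte Fragment Header. offset=0 and more=False is an atomic fragment
    (RFC 6946): the whole packet is present but still carries the EH."""
    off_m = (offset << 3) | (1 if more else 0)
    return struct.pack("!BBHI", next_header, 0, off_m, ident)


def tcp_syn(sport, dport, seq=0):
    """Bare 20-byte TCP SYN; checksum left at zero since only the header chain
    is inspected here."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_packet(src, dst, ext_headers, upper_proto, upper):
    """ext_headers is a list of (protocol number, builder) pairs; builder(nh)
    returns the header bytes with Next Header = nh.  Each header points at the
    one that follows it, so the chain is assembled back to front."""
    chain = b""
    nh = upper_proto
    for proto, builder in reversed(ext_headers):
        chain = builder(nh) + chain
        nh = proto
    payload = chain + upper
    return ipv6_header(src, dst, nh, len(payload)) + payload


def walk_header_chain(pkt):
    """Return (extension header numbers in order, upper-layer protocol,
    transport header present).  This is the parse a transit device must do
    before it can see ports; raises ValueError on a truncated chain."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, seen = pkt[6], 40, []
    while True:
        if nh in _VARIABLE_LEN_EHS:
            if off + 2 > len(pkt):
                raise ValueError("truncated extension header")
            seen.append(nh)
            nh, hlen = pkt[off], pkt[off + 1]
            off += (hlen + 1) * 8          # Hdr Ext Len excludes the first 8 octets
        elif nh == IPPROTO_FRAGMENT:
            if off + 8 > len(pkt):
                raise ValueError("truncated fragment header")
            seen.append(nh)
            nh = pkt[off]
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            off += 8
            if frag_off != 0:               # non-first fragment: no transport header here
                return seen, nh, False
        else:
            return seen, nh, nh != IPPROTO_NONE


def transit_filter_verdict(pkt, dropped_ehs=frozenset({IPPROTO_FRAGMENT, IPPROTO_DSTOPTS})):
    """Constructed policy modelling a transit device that drops any packet whose
    chain contains one of dropped_ehs, regardless of the transport inside."""
    ehs, _upper, _visible = walk_header_chain(pkt)
    return "drop" if any(eh in dropped_ehs for eh in ehs) else "forward"


if __name__ == "__main__":
    src, dst = "2001:db8::1", "2001:db8::2"       # constructed documentation addresses
    syn = tcp_syn(40000, 443)
    for label, ehs in (("no EH", []),
                       ("DstOpts", [(IPPROTO_DSTOPTS, dest_opts_header)]),
                       ("atomic fragment", [(IPPROTO_FRAGMENT, fragment_header)])):
        pkt = build_packet(src, dst, ehs, IPPROTO_TCP, syn)
        print(label, walk_header_chain(pkt), transit_filter_verdict(pkt))
```

The same bytes can be handed to a raw AF_INET6 socket to probe a real path, which is how one would check whether a given destination is reachable with an extension header chain and without one; the point the parser makes is that an atomic fragment is still a Fragment Header to whatever sits in the middle, so a policy keyed on header type drops it even though nothing was actually fragmented.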