Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text
sthaug@nethelp.no Wed, 22 April 2015 06:41 UTC
Return-Path: <sthaug@nethelp.no>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48FAF1B31AF for <v6ops@ietfa.amsl.com>; Tue, 21 Apr 2015 23:41:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Jlj1YJWPO4P for <v6ops@ietfa.amsl.com>; Tue, 21 Apr 2015 23:41:00 -0700 (PDT)
Received: from bizet.nethelp.no (bizet.nethelp.no [195.1.209.33]) by ietfa.amsl.com (Postfix) with SMTP id 8C5C21B31CF for <v6ops@ietf.org>; Tue, 21 Apr 2015 23:40:58 -0700 (PDT)
Received: (qmail 82241 invoked from network); 22 Apr 2015 06:40:56 -0000
Received: from bizet.nethelp.no (HELO localhost) (195.1.209.33) by bizet.nethelp.no with SMTP; 22 Apr 2015 06:40:56 -0000
Date: Wed, 22 Apr 2015 08:40:56 +0200
Message-Id: <20150422.084056.74672865.sthaug@nethelp.no>
To: touch@isi.edu
From: sthaug@nethelp.no
In-Reply-To: <55369B2D.80906@isi.edu>
References: <553696EC.4060207@isi.edu> <55369855.1040101@joelhalpern.com> <55369B2D.80906@isi.edu>
X-Mailer: Mew version 3.3 on Emacs 21.3 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/aOrE3mqyLm2biJUU6oH8OHYPNi4>
Cc: draft-gont-v6ops-ipv6-ehs-in-real-world@tools.ietf.org, v6ops@ietf.org, merike@doubleshotsecurity.com, fgont@si6networks.com
Subject: Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2015 06:41:02 -0000
<flame retardant suit on> > There needs to be a balance between what's expensive and inconvenient > vs. neutering a protocol to make it easy to implement. Here we actually agree on the basic principle - but probably not on where that balance point is. > Protecting the control plane can be done by the receiving host > (destination router). This is a fundamental disagreement. Protecting the control plane needs to be done by *all* intermediate routers in today's somewhat hostile Internet environment. That also includes some traffic not explicitly addressed to the routers themselves (for instance traceroute to a destination reached *through* the routers). Only looking at traffic addressed to the routers themselves is not sufficient. > Protecting the network as a whole is useful, and may involve some level > of DPI - or may not. If the traffic is encrypted, then only the > destination router can protect itself anyway. But dropping the packets > because of EH use just makes the filtering router an attacker to the E2E > communication between the routers. We have some services that are available within our AS, and should not be available outside the AS. One such example is DNS resolvers (there are others). We have chosen to block such services at the border - by having the border routers explicitly blocking UDP/TCP port 53 to the resolver addresses. This obviously means the border routers must be able to *find* the UDP/TCP header in that part of the IPv6 packet they are able to inspect at line rate. This is not "DPI" in any sense of the word - it is very basic filtering. And here, I assume, is the next disagreement. If the UDP/TCP headers cannot be found because IPv6 EHs have pushed them beyond what the routers can inspect at line rate - the packet will be dropped. If we can get improved filtering capabilities in our routers as part of regular equipment upgrade cycles - great, everybody is happy. But we are not likely to buy significantly more expensive routers *just* to be able to peek further into the packets (number of customers needing this are *many* orders of magnitude too low - if they exist at all). Steinar Haug, AS 2116
- [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: … Fernando Gont
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Brian E Carpenter
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Fernando Gont
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Eric Vyncke (evyncke)
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Fernando Gont
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Fred Baker (fred)
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Eric Vyncke (evyncke)
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Nick Hilliard
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Brian E Carpenter
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… C. M. Heard
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Mark ZZZ Smith
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Nick Hilliard
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Mark ZZZ Smith
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Gert Doering
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Mark ZZZ Smith
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Gert Doering
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Mark ZZZ Smith
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Gert Doering
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Nick Hilliard
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… sthaug
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Warren Kumari
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joel M. Halpern
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Mark ZZZ Smith
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… joel jaeggli
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… sthaug
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Havard Eidnes
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Mark ZZZ Smith
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… sthaug
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Jeroen Massar
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Ole Troan
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… sthaug
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Jeroen Massar
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Gert Doering
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Ray Hunter
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Mark ZZZ Smith
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… sthaug
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Gert Doering
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Nick Hilliard
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Templin, Fred L
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Gert Doering
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Brian E Carpenter