Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice

RJ Atkinson <rja.lists@gmail.com> Wed, 30 May 2012 21:09 UTC

Fernando wrote:
> It's not a protocol change,

Nonsense.  

> but an operational mitigation. -- for instance, there is no change
> in the way the sending router or the receiving hosts process RAs.


Rule 4 mandates changes to whether certain IPv6 packets get forwarded,
which is a major change to the IPv6 protocol specifications.


Rule 4 is both a protocol change and (misguided) operational mitigation.  
Rule 4 is mandatory according to this document and will cause certain 
perfectly valid IPv6 packets to be dropped instead of forwarded.  The
rule damages IPv6 and impairs utility of IPv6 in the real world.


The comprehensive fix is to update the hosts as Joel Halpern and Ron Bonica
outlined earlier today.  I don't think that change would be controversial,
so likely it could proceed quickly through 6MAN.  In the meantime,
Rule 4 could be edited and cleaned up such that no valid IPv6
packets get dropped by an RA Guard.

Yours,

Ran