Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text
"Templin, Fred L" <Fred.L.Templin@boeing.com> Wed, 22 April 2015 17:26 UTC
Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A75871B38C2 for <v6ops@ietfa.amsl.com>; Wed, 22 Apr 2015 10:26:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dP3eJzg_FHkX for <v6ops@ietfa.amsl.com>; Wed, 22 Apr 2015 10:26:55 -0700 (PDT)
Received: from slb-mbsout-02.boeing.com (slb-mbsout-02.boeing.com [130.76.64.129]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E84081AD0EA for <v6ops@ietf.org>; Wed, 22 Apr 2015 10:26:54 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by slb-mbsout-02.boeing.com (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with SMTP id t3MHQsNl001056; Wed, 22 Apr 2015 10:26:54 -0700
Received: from XCH-PHX-112.sw.nos.boeing.com (xch-phx-112.sw.nos.boeing.com [130.247.25.134]) by slb-mbsout-02.boeing.com (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id t3MHQh6o000416 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=OK); Wed, 22 Apr 2015 10:26:44 -0700
Received: from XCH-BLV-504.nw.nos.boeing.com ([169.254.4.120]) by XCH-PHX-112.sw.nos.boeing.com ([169.254.12.30]) with mapi id 14.03.0235.001; Wed, 22 Apr 2015 10:26:43 -0700
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Joe Touch <touch@isi.edu>
Thread-Topic: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text
Thread-Index: AQHQfSBocvX3GrVyukWwwBTvA1/wuJ1ZSC1Q
Date: Wed, 22 Apr 2015 17:26:43 +0000
Message-ID: <2134F8430051B64F815C691A62D9831832E4FB3E@XCH-BLV-504.nw.nos.boeing.com>
References: <553696EC.4060207@isi.edu> <55369855.1040101@joelhalpern.com> <55369B2D.80906@isi.edu> <20150422.084056.74672865.sthaug@nethelp.no> <5537D7A6.4020106@isi.edu>
In-Reply-To: <5537D7A6.4020106@isi.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.247.104.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-TM-AS-MML: disable
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/gcpRsD5buTZu3MGAkSJE1Ig9UNA>
Cc: "draft-gont-v6ops-ipv6-ehs-in-real-world@tools.ietf.org" <draft-gont-v6ops-ipv6-ehs-in-real-world@tools.ietf.org>, "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2015 17:26:56 -0000
Hi, we will want to make use of IPv6 EHs (at least Destination Options and Fragment Header). Are people trying to get rid of them altogether? Thanks - Fred fred.l.templin@boeing.com > -----Original Message----- > From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Joe Touch > Sent: Wednesday, April 22, 2015 10:17 AM > To: sthaug@nethelp.no > Cc: draft-gont-v6ops-ipv6-ehs-in-real-world@tools.ietf.org; v6ops@ietf.org; merike@doubleshotsecurity.com; > fgont@si6networks.com > Subject: Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text > > > > On 4/21/2015 11:40 PM, sthaug@nethelp.no wrote: > > <flame retardant suit on> > ... > > > >> Protecting the control plane can be done by the receiving host > >> (destination router). > > > > This is a fundamental disagreement. Protecting the control plane needs > > to be done by *all* intermediate routers in today's somewhat hostile > > Internet environment. That also includes some traffic not explicitly > > addressed to the routers themselves (for instance traceroute to a > > destination reached *through* the routers). Only looking at traffic > > addressed to the routers themselves is not sufficient. > > Sure - so here's the solution: > > 1) declare that your routers won't accept "host" packets (i.e., to their > interface addresses) that use EHs > > if you want to try, extend that to any AS whose routing > packets you want to DDOS filter (but they need to think this > is acceptable) > > 2) if you want to do DDOS filtering, do so on IP addresses for the > specific routers you are trying to protect > > either rate-limit everything to that address, drop > anything with an EH, rate-limit/drop based on TCP/UDP > ports, or any combination thereof > > I.e., not using EHs is your prerogative, and not forwarding EHs to > others is *their* prerogative, but castrating IPv6 for the entire > Internet is not necessary. > > Joe > > > > > > >> Protecting the network as a whole is useful, and may involve some level > >> of DPI - or may not. If the traffic is encrypted, then only the > >> destination router can protect itself anyway. But dropping the packets > >> because of EH use just makes the filtering router an attacker to the E2E > >> communication between the routers. > > > > We have some services that are available within our AS, and should not > > be available outside the AS. One such example is DNS resolvers (there > > are others). We have chosen to block such services at the border - by > > having the border routers explicitly blocking UDP/TCP port 53 to the > > resolver addresses. This obviously means the border routers must be > > able to *find* the UDP/TCP header in that part of the IPv6 packet they > > are able to inspect at line rate. This is not "DPI" in any sense of > > the word - it is very basic filtering. > > > > And here, I assume, is the next disagreement. If the UDP/TCP headers > > cannot be found because IPv6 EHs have pushed them beyond what the > > routers can inspect at line rate - the packet will be dropped. > > > > If we can get improved filtering capabilities in our routers as part > > of regular equipment upgrade cycles - great, everybody is happy. But > > we are not likely to buy significantly more expensive routers *just* > > to be able to peek further into the packets (number of customers > > needing this are *many* orders of magnitude too low - if they exist > > at all). > > > > Steinar Haug, AS 2116 > > > > _______________________________________________ > v6ops mailing list > v6ops@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops
- [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: … Fernando Gont
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Brian E Carpenter
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Fernando Gont
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Eric Vyncke (evyncke)
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Fernando Gont
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Fred Baker (fred)
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Eric Vyncke (evyncke)
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Nick Hilliard
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Brian E Carpenter
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… C. M. Heard
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Mark ZZZ Smith
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Nick Hilliard
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Mark ZZZ Smith
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Gert Doering
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Mark ZZZ Smith
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Gert Doering
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Mark ZZZ Smith
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Gert Doering
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Nick Hilliard
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… sthaug
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Warren Kumari
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joel M. Halpern
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Mark ZZZ Smith
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… joel jaeggli
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… sthaug
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Havard Eidnes
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Mark ZZZ Smith
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… sthaug
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Jeroen Massar
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Ole Troan
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… sthaug
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Jeroen Massar
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Gert Doering
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Ray Hunter
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Mark ZZZ Smith
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… sthaug
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Gert Doering
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Nick Hilliard
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Templin, Fred L
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Gert Doering
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Brian E Carpenter