Re: [v6ops] [OPSEC] Call for WG adoption - Recommendations on Filtering of IPv6 Packets Containing IPv6 Extension Headers
Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 13 October 2014 19:25 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5119B1A8BB5; Mon, 13 Oct 2014 12:25:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W6pKTYckgEgF; Mon, 13 Oct 2014 12:24:53 -0700 (PDT)
Received: from mail-pd0-x22e.google.com (mail-pd0-x22e.google.com [IPv6:2607:f8b0:400e:c02::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 704291A8BBE; Mon, 13 Oct 2014 12:24:53 -0700 (PDT)
Received: by mail-pd0-f174.google.com with SMTP id y13so6095955pdi.33 for <multiple recipients>; Mon, 13 Oct 2014 12:24:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=uANDhjnajAxB+G0iTTKDjFc/2UwgJbv+WiZfnXBIz6o=; b=VGGnGi2bp6AAmBpZ39vhDtNcir5uY9vlFW/UFiwQGVQqceVwKMK8JSGBH6E0n1/LFm wMCA7nDbDBgEEM25zzff8SY6N9LWtknRXdJfw7Yz4RJKAxTICMOSvil10FRQnh1lq5Vc A31k1DnAH5FRFf+YAW+/p7KAtG1J2NBmL9Oi55BvLN4RH1PHjeGZjkPe8znOezwEtx6W fMR2rD4fea3/Gzg/e2qrp77J9CacJVQ+/aFHeGOT4kBE/2b1uIY4rsKNaApD9sERcOe4 czs1gMwuOdPzzCW5+6EUYFHE4osZOCs4cB7BGKsbc5oHY6Dn35LQals3awdDO5i71bZa hA/w==
X-Received: by 10.70.5.164 with SMTP id t4mr587173pdt.48.1413228293094; Mon, 13 Oct 2014 12:24:53 -0700 (PDT)
Received: from [192.168.178.23] (75.196.69.111.dynamic.snap.net.nz. [111.69.196.75]) by mx.google.com with ESMTPSA id n2sm11980158pdh.30.2014.10.13.12.24.49 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 13 Oct 2014 12:24:51 -0700 (PDT)
Message-ID: <543C2700.3060404@gmail.com>
Date: Tue, 14 Oct 2014 08:24:48 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: "C. M. Heard" <heard@pobox.com>
References: <201410101259128179113@gmail.com> <279945F5-9A00-41AB-903E-FF4F858CB387@employees.org> <alpine.DEB.2.02.1410130907280.14735@uplift.swm.pp.se> <B499E06A-887A-4A9B-8FB9-EE2D3A1F9095@employees.org> <alpine.DEB.2.02.1410130926090.14735@uplift.swm.pp.se> <Pine.LNX.4.64.1410130723530.25821@shell4.bayarea.net>
In-Reply-To: <Pine.LNX.4.64.1410130723530.25821@shell4.bayarea.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/mpshtS0QIQ7WEW1BTJABbSyD_KE
Cc: opsec <opsec@ietf.org>, v6ops <v6ops@ietf.org>
Subject: Re: [v6ops] [OPSEC] Call for WG adoption - Recommendations on Filtering of IPv6 Packets Containing IPv6 Extension Headers
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Oct 2014 19:25:03 -0000
On 14/10/2014 03:38, C. M. Heard wrote: > On Mon, 13 Oct 2014, Mikael Abrahamsson wrote: >> On Mon, 13 Oct 2014, Ole Troan wrote: >>>>> shouldn't this be a draft authored by operators? giving operational >>>>> recommendations coming out of... well, actual operations? >>>> Well, another way of looking at this is that operators just want things to >>>> work as well as they can, so they need guidance from vendors and protocol >>>> designers. >>>> >>>> Isn't this a BCOP style document? I believe at least one of the authors is >>>> active in one or more BCOP group. >>> the protocol designer's recommendation does appear pretty clear, RFC2460: >>> >>> "With one exception, extension headers are not examined or processed >>> by any node along a packet's delivery path, until the packet reaches >>> the node (or each of the set of nodes, in the case of multicast) >>> identified in the Destination Address field of the IPv6 header." > > RFC 7045, a standards-track document, explicitly changes that. The > subject draft does not make any recommendations that contradict > RC 7045. It supplements RFC 7045 where the latter does not fully > nail down the behaviour. > > There is also draft-gont-6man-ipv6-opt-transmit, which (if > approved) will do the same for options that RFC 7045 does for > extension headers. Same commens wrt that. > >> You mean you don't want non-operators in the IETF to make recommendations? >> >> The way I see it is that vendors are making equipment based on customer >> requirements. Since a lot of vendor equipment obviously inspect packets, >> including those with extension headers along the way (probably to do ACLs), >> then this equipment is already violating the functioning of the protocol >> (which of course is nothing new). >> >> My opinion is that it's better to look at common implementation and document >> and give recommendations where this differs from the blueprints. >> >> What I don't like is that if we follow along this path we're basically saying >> "extension headers don't work on the Internet" which has the implication that >> fewer will use them, meaning the vendors that don't follow the protocol >> designer intention has little downside, and thus perpetuating the problem. >> >> I don't know how to make it right though. I would like to see extension >> headers working well, but I also understand that people want to be able to do >> filtering. > > RFC 7045 revises IPv6 to acknowledge the reality of packet > inspection by forwarding devices, but lit levies requirements that, > if followed, should make the behaviour far less destructive. The > sibject draft complements it with operational advice that is much in > the same spirit. Exactly. I believe this draft, and the options draft, are *exactly* what the IETF should do (and why we have an E in our name instead of an S; we are not the Internet Standards Task Force). If our standards are unrealistic, we should be the ones to do something about it... Brian
- [v6ops] FW: Call for WG adoption - Recommendation… Gunter Van de Velde (gvandeve)
- Re: [v6ops] FW: Call for WG adoption - Recommenda… Joe Touch
- Re: [v6ops] Call for WG adoption - Recommendation… Fred Baker (fred)
- Re: [v6ops] Call for WG adoption - Recommendation… Joe Touch
- Re: [v6ops] Call for WG adoption - Recommendation… Fernando Gont
- Re: [v6ops] Call for WG adoption - Recommendation… Joe Touch
- Re: [v6ops] Call for WG adoption - Recommendation… Fernando Gont
- Re: [v6ops] Call for WG adoption - Recommendation… Fernando Gont
- Re: [v6ops] Call for WG adoption - Recommendation… Tim Chown
- Re: [v6ops] Call for WG adoption - Recommendation… Joe Touch
- Re: [v6ops] Call for WG adoption - Recommendation… Fernando Gont
- Re: [v6ops] Call for WG adoption - Recommendation… Joe Touch
- Re: [v6ops] Call for WG adoption - Recommendation… Joe Touch
- Re: [v6ops] Call for WG adoption - Recommendation… Brian E Carpenter
- Re: [v6ops] Call for WG adoption - Recommendation… Joe Touch
- Re: [v6ops] Call for WG adoption - Recommendation… Brian E Carpenter
- Re: [v6ops] Call for WG adoption - Recommendation… Fernando Gont
- Re: [v6ops] Call for WG adoption - Recommendation… Joe Touch
- Re: [v6ops] [OPSEC] Call for WG adoption - Recomm… Yuchi Chen
- Re: [v6ops] [OPSEC] Call for WG adoption - Recomm… Ole Troan
- Re: [v6ops] [OPSEC] Call for WG adoption - Recomm… Mikael Abrahamsson
- Re: [v6ops] [OPSEC] Call for WG adoption - Recomm… Ole Troan
- Re: [v6ops] [OPSEC] Call for WG adoption - Recomm… Mikael Abrahamsson
- Re: [v6ops] [OPSEC] Call for WG adoption - Recomm… C. M. Heard
- Re: [v6ops] [OPSEC] Call for WG adoption - Recomm… Brian E Carpenter
- Re: [v6ops] [OPSEC] Call for WG adoption - Recomm… Joe Touch
- Re: [v6ops] [OPSEC] Call for WG adoption - Recomm… C. M. Heard
- Re: [v6ops] [OPSEC] Call for WG adoption - Recomm… Joe Touch
- Re: [v6ops] [OPSEC] Call for WG adoption - Recomm… joel jaeggli
- Re: [v6ops] [OPSEC] Call for WG adoption - Recomm… Joe Touch
- Re: [v6ops] [OPSEC] Call for WG adoption - Recomm… joel jaeggli
- Re: [v6ops] [OPSEC] Call for WG adoption - Recomm… C. M. Heard
- Re: [v6ops] [OPSEC] Call for WG adoption - Recomm… Tim Chown