Re: [v6ops] Extension Headers / Impact on Security Devices

Sander Steffann <sander@steffann.nl> Tue, 19 May 2015 21:37 UTC

From: Sander Steffann <sander@steffann.nl>
In-Reply-To: <555BA184.8080701@gmail.com>
Date: Tue, 19 May 2015 23:37:19 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <477839EA-7270-4321-AA12-763AD27ADBD9@steffann.nl>
References: <20150515113728.GH3028@ernw.de> <878002773.794.1431739346723.JavaMail.yahoo@mail.yahoo.com> <555AB8FA.2080405@si6networks.com> <F6AA9AEA-49F0-488C-84EA-50BE103987C8@nominum.com> <555B8622.5000806@isi.edu> <555BA184.8080701@gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/nWtEsMk7aSWhp9HW5T7DLv8h_Uo>
Cc: v6ops@ietf.org
Subject: Re: [v6ops] Extension Headers / Impact on Security Devices
X-List-Received-Date: Tue, 19 May 2015 21:37:28 -0000

Hi,

> On 19 May 2015, at 22:48, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
> 
> No. RFC 2460 makes it clear that hops don't modify extension headers
> (except for shuffling within a routing header).
> 
> Also, there is a draft for this:
> https://tools.ietf.org/html/draft-zhang-6man-offset-option-01
> 
> (which does discuss the security issue; as with the evil bit, a firewall
> would be foolish to trust this option).

What this says is basically that any device that might benefit from this option would be foolish to trust it :)

Cheers,
Sander