Re: [v6ops] Discussion focus: draft-ietf-v6ops-ipv6rtr-reqs-01.txt

Pablo Alvarez <palvarez@akamai.com> Fri, 05 January 2018 16:35 UTC

From: Pablo Alvarez <palvarez@akamai.com>
To: v6ops@ietf.org
Message-ID: <d954bb41-c173-c176-ca8d-6b829355c846@akamai.com>
Date: Fri, 05 Jan 2018 11:34:59 -0500
In-Reply-To: <09b101d383fa$dd6fca30$984f5e90$@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/nheDHMeaVnSE0BZWyYacnsyDWJY>
Subject: Re: [v6ops] Discussion focus: draft-ietf-v6ops-ipv6rtr-reqs-01.txt

Comments on section 5.4 ICMP Considerations

1. Thanks for adding the new text in the fifth bullet ("SHOULD NOT
filter Destination Unreachable or Packet..."). It was intended to
clarify and supersede the text in the first bullet ("SHOULD NOT filter
ICMP unreachables..."), so I do not think the first bullet is needed any
longer.

2. I believe the statement in the second bullet ("SHOULD filter ICMP
echo and echo response by default, to prevent the discovery of reachable
hosts and topology") is too strong. There are valid business and
research reasons to discover reachable hosts and topology. I understand
that obscurity is a valid security layer. However, it is not clear to me
that the security risks of that discovery or of ICMP-based attacks are
high enough that we should recommend ICMP filtering by default.

Moreover, the text does not specify whether the filtering refers to all
echo and echo reply packets traversing the router (which I believe would
clearly be excessive) or only those intended for the router (which I
still would argue is too strong).

I propose the following. By default:

- ICMP echo request/reply packets not intended for the router should be
forwarded like any other packet

- ICMP echo request packets directed at the router should be
rate-limited to protect the router CPU (in a similar way to the error
packet generation described in the third bullet point).

- I have no strong opinion on ICMP echo reply packets directed at the
router. Pinging from a router can be a useful tool so we want to be able
to see those. Maybe blocking them by default unless the ping tool is in
use would work, but that adds complexity.


Pablo Alvarez


On 01/02/18 13:52, 7riw77@gmail.com wrote:
> 
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the IPv6 Operations WG of the IETF.
>>
>>         Title           : Requirements for IPv6 Routers
> 
> I've addressed all of the comments I had notes for except --
> 
> - Should PVD be included?
> - Add a redirects section -- I don't remember what this was in reference to.
> - The suggestion for an appendix containing a plain list of the requirements.
> 
> The first needs on list discussion, I think. For the second, I need to find the context. For the third -- I may add an appendix if we get to a version with no comments, if folks think it's useful.
> 
> 😊 /r 
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>
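The default ICMPv6 handling Pablo proposes above (forward transit echo traffic unchanged, rate-limit echo requests aimed at the router, and never drop Destination Unreachable or Packet Too Big), written out as an nftables ruleset for a Linux-based router. This is an added example and not text from the draft or from anyone in the thread; the rate-limit values (10/second, burst 20) are constructed placeholders, interface names are omitted, and leaving echo replies to the router unfiltered follows the tentative preference stated in the message rather than a settled position.

```nft
#!/usr/sbin/nft -f
# Added example: nftables encoding of the proposed ICMPv6 defaults.
# Rate-limit numbers are constructed placeholders, not values from the draft.

table inet icmpv6_defaults {

    # Packets addressed to the router itself (control plane).
    chain input {
        type filter hook input priority 0; policy accept;

        # Never filter the error messages discussed in comment 1: dropping
        # Packet Too Big breaks Path MTU Discovery, and dropping Destination
        # Unreachable hides real failures from the sender.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Echo Requests directed at the router are rate-limited to protect the
        # router CPU, mirroring the error-generation limit in the third bullet.
        # Requests above the limit are counted and dropped rather than answered.
        icmpv6 type echo-request limit rate 10/second burst 20 packets accept
        icmpv6 type echo-request counter drop

        # Echo Replies to the router are left alone so that pings originated
        # from the router still work (assumption: the thread leaves this open).
        icmpv6 type echo-reply accept
    }

    # Transit packets: echo request/reply are forwarded like any other packet.
    chain forward {
        type filter hook forward priority 0; policy accept;

        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        icmpv6 type { echo-request, echo-reply } accept

        # The reading of the second bullet that the message calls excessive
        # would be the rule below; it is left disabled because it breaks
        # end-to-end reachability testing for every host behind the router.
        # icmpv6 type { echo-request, echo-reply } counter drop
    }
}
```

The file can be syntax-checked without touching the running ruleset with `nft -c -f icmpv6_defaults.nft`; when loaded, `nft list counters` shows how often the echo-request limit is actually being hit, which is the evidence needed to decide whether the placeholder rate is too low for a given deployment.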