Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-ehs-packet-drops-00 - Admin Policy

Fernando Gont <> Mon, 03 August 2020 12:58 UTC


Hello, Mark,

On 3/8/20 08:35, Mark Smith wrote:
> I expect many network operators drop fragments because they were taught 
> to do ACLs/packet filters similar to the following:
> permit tcp any any eq http
> permit udp any any eq dns
> deny ip any any

You'll not get away with that in IPv6, since it would break ND.

That said, the above (modulo ICMPv6 and fragmentation) might seem 
reasonable on the edge (e.g. enterprise network), but not so much elsewhere.

(From RFC7872, you'll see that not all EHs share the same drop rate. In 
fact, the drop rates are proportional to the EH len...)

> Network firewall admins can be a bit worse in the sense that they can be 
> more paranoid about blocking things they don't understand enough or 
> don't trust e.g. blocking all of ICMP by default.

When doing sysadmin, I've myself started from a default deny, and 
subsequently allowed things to make stuff work.

Fernando Gont
SI6 Networks
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
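The ND breakage pointed out above, as an added example that is not part of this thread: the quoted policy written as an IOS-style IPv6 ACL, beside a version that keeps the ICMPv6 messages Neighbor Discovery and PMTUD depend on (RFC 4890). The IOS-style syntax, port keywords and ACL names are assumptions; adapt them to the platform actually in use.

```cisco
! Naive translation of the quoted policy (assumed IOS-style syntax).
! On this platform an IPv6 ACL ends with implicit permits for nd-ns and
! nd-na before the implicit deny, but an explicit "deny ipv6 any any"
! overrides them, so Neighbor Discovery on the filtered interface breaks.
ipv6 access-list EDGE-IN-NAIVE
 permit tcp any any eq www
 permit udp any any eq domain
 deny ipv6 any any

! Same intent, but permitting the ICMPv6 types ND and PMTUD need (RFC 4890).
ipv6 access-list EDGE-IN
 remark Neighbor Discovery: required for any on-link IPv6 operation
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit icmp any any router-solicitation
 permit icmp any any router-advertisement
 remark Error messages: Packet Too Big is what makes PMTUD work
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 remark Echo is useful for troubleshooting; rate-limit it separately if needed
 permit icmp any any echo-request
 permit icmp any any echo-reply
 permit tcp any any eq www
 permit udp any any eq domain
 remark Fragments and other EHs: decide on them explicitly above this line
 remark rather than letting them fall through to the final deny
 deny ipv6 any any log
```

Logging the final deny is what lets an operator notice fragments or EH-bearing packets being dropped, rather than discovering it from user complaints about broken PMTUD.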