Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text
Joe Touch <touch@isi.edu> Tue, 21 April 2015 18:47 UTC
Return-Path: <touch@isi.edu>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C007D1A897B for <v6ops@ietfa.amsl.com>; Tue, 21 Apr 2015 11:47:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WyF8DTY5Ey2C for <v6ops@ietfa.amsl.com>; Tue, 21 Apr 2015 11:47:55 -0700 (PDT)
Received: from webspace.isi.edu (webspace.isi.edu [128.9.64.65]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 944CE1A8973 for <v6ops@ietf.org>; Tue, 21 Apr 2015 11:47:55 -0700 (PDT)
Received: from [192.168.1.3] (pool-71-103-148-202.lsanca.dsl-w.verizon.net [71.103.148.202]) (authenticated bits=0) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id t3LIlAeq009946 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 21 Apr 2015 11:47:20 -0700 (PDT)
Message-ID: <55369B2D.80906@isi.edu>
Date: Tue, 21 Apr 2015 11:47:09 -0700
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: "Joel M. Halpern" <jmh@joelhalpern.com>
References: <D157BDE1.44CEE%evyncke@cisco.com> <55351EA0.2010700@isi.edu> <20150420212125.GE54385@Space.Net> <55356F68.1020605@isi.edu> <20150421064811.GG54385@Space.Net> <5536709B.1050001@isi.edu> <CAHw9_iJPRwAre_cr4+1BEyKzcZWCC-bYxJizSDUBqnkaYCRHAw@mail.gmail.com> <553696EC.4060207@isi.edu> <55369855.1040101@joelhalpern.com>
In-Reply-To: <55369855.1040101@joelhalpern.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/ohQcNqytETIJnnpJfEX19WIRzLA>
Cc: "draft-gont-v6ops-ipv6-ehs-in-real-world@tools.ietf.org" <draft-gont-v6ops-ipv6-ehs-in-real-world@tools.ietf.org>, "v6ops@ietf.org" <v6ops@ietf.org>, Merike Kaeo <merike@doubleshotsecurity.com>, Fernando Gont <fgont@si6networks.com>
Subject: Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Apr 2015 18:47:56 -0000
On 4/21/2015 11:35 AM, Joel M. Halpern wrote: > The need to protect the control plane components (routers, controllers, > whatever you want to call them) from overload is a well-established > practice in the industry. It is expected by operators when they buy, > and delivered by all major vendors in the devices they build. > > Given that until recently it has been a behavior inside a device, no, it > is not documented inan RFC. That does not mean it is untrue or > unrealistic. I don't disagree. But it is an E-ticket ride - it is inherently expensive. I don't object to ops docs that say "this is hard", but I do think it's not productive to say "and we should make the protocol easier by gutting the hard parts" unless there is a rationale - one that presumably doesn't rely only on "because it's hard". Because that just translates to "because I'm greedy". Here's an analogy: Cars advertise seating capacity. It's unrealistic to expect every 4-person car to fit four 600-pound people. It's equally unrealistic to redefine "person" to mean "110-pound model". There needs to be a balance between what's expensive and inconvenient vs. neutering a protocol to make it easy to implement. Protecting the control plane can be done by the receiving host (destination router). Protecting the network from sending traffic that is dumped at the destination is certainly a useful capability, but not to protect the destination router. It protects the network as a whole. Protecting the network as a whole is useful, and may involve some level of DPI - or may not. If the traffic is encrypted, then only the destination router can protect itself anyway. But dropping the packets because of EH use just makes the filtering router an attacker to the E2E communication between the routers. Joe
- [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: … Fernando Gont
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Brian E Carpenter
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Fernando Gont
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Eric Vyncke (evyncke)
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Fernando Gont
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Fred Baker (fred)
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Eric Vyncke (evyncke)
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Nick Hilliard
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Brian E Carpenter
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… C. M. Heard
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Mark ZZZ Smith
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Nick Hilliard
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Mark ZZZ Smith
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Gert Doering
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Mark ZZZ Smith
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Gert Doering
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Mark ZZZ Smith
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Gert Doering
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Nick Hilliard
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… sthaug
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Warren Kumari
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joel M. Halpern
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Mark ZZZ Smith
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… joel jaeggli
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… sthaug
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Havard Eidnes
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Mark ZZZ Smith
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… sthaug
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Jeroen Massar
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Ole Troan
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… sthaug
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Jeroen Massar
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Gert Doering
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Ray Hunter
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Mark ZZZ Smith
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… sthaug
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Gert Doering
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Nick Hilliard
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Templin, Fred L
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Gert Doering
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Joe Touch
- Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-wor… Brian E Carpenter