Re: [v6ops] [Last-Call] Tsvart last call review of draft-ietf-v6ops-ipv6-ehs-packet-drops-05

Mark Smith <markzzzsmith@gmail.com> Wed, 24 February 2021 20:47 UTC

From: Mark Smith <markzzzsmith@gmail.com>
Date: Thu, 25 Feb 2021 07:47:04 +1100
To: Fernando Gont <fgont@si6networks.com>
Cc: Tom Herbert <tom@herbertland.com>, Gorry Fairhurst <gorry@erg.abdn.ac.uk>, IPv6 Operations <v6ops@ietf.org>, draft-ietf-v6ops-ipv6-ehs-packet-drops.all@ietf.org, last-call@ietf.org, tsv-art@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/sRLw25qQyIA7ybzC3MHo3LOHBxU>

On Thu, 25 Feb 2021, 03:27 Fernando Gont, <fgont@si6networks.com> wrote:

> On 23/2/21 13:54, Mark Smith wrote:
> > On Wed, 24 Feb 2021 at 02:51, Fernando Gont <fgont@si6networks.com> wrote:
> >>
> >> Hi, Tom,
> >>
> >> On 23/2/21 11:34, Tom Herbert wrote:
> >> [...]
> >>> From the draft:
> >>>
> >>> "Unless appropriate mitigations are put in place (e.g., packet
> >>> dropping and/or rate-limiting), an attacker could simply send a large
> >>> amount of IPv6 traffic employing IPv6 Extension Headers with the
> >>> purpose of performing a Denial of Service (DoS) attack"
> >>>
> >>> That is clearly recommending a mitigation which is to drop packets or
> >>> rate-limit.
> >>
> >> No, we're just stating the obvious. If we were performing a
> >> recommendation, the text would be something like "IPv6 implementations
> >> should". And we'd also be using RFC2119 speak... and the document would
> >> be BCP.
> >>
> >
> > It reads like an implied recommendation to me.
> >
> > It's stating possible prevention measures, and then the consequences
> > of not doing them. That implies the stated prevention measures are
> > recommended. (e.g. "If you aren't careful with a knife, you could cut
> > yourself (so be careful with a knife)").
>
> I think you're reading more from the draft than what we have written or
> meant.
>

As a native English speaker, I'm just saying how this text reads to me.

Reading that text, I'd start thinking about how I put in place packet
dropping or rate-limiting to stop this DoS. Those may not be the only ways
to mitigate this issue, however since it has been suggested, I would assume
it is the best way, and I think most people would, because people place
more weight on stated options over unstated options.

The long term result will be that it will be common for packets with EHs to
be dropped or there is rate-limiting on them.

If you still want to mention packet dropping or rate-limiting, then you're
going to have to further clarify when it is or isn't appropriate, and
also should mention other mitigations if they exist.

e.g.

"An attacker could simply send a large amount of IPv6 traffic employing
IPv6 Extension Headers with the purpose of performing a Denial of Service
(DoS) attack. In a controlled and trusted network, a DoS attack may not be
likely or a concern, since the attacker is more easily identified and
halted. In an untrusted network, where a DoS attack is more likely,
mitigations such as packet dropping and/or rate-limiting, or other
mitigations, may be necessary."

That's well and truly further down the advice path, however, realise that
all I've done is expanded on what was already the advice in the text.



> Your example is a good one, and has indeed two parts:
>
>     "If you aren't careful with a knife, you could cut yourself"
>
> This is a *fact* and I don't think there's much room for debate around it.
>
>
>    "(so be careful with a knife)"
>
> *This* is advice.
>

The preventative advice appeared twice, firstly at the front, just to
follow the format of the text we're looking at - it's the "be careful"
part. I put the 2nd instance of the advice in to emphasise it was the
advice part, and in brackets because it's optional text and I normally
wouldn't say or write it.

"You can cut yourself with a knife, therefore you should be careful." is
where the advice is at the end.

If you are careful, you can still cut yourself with a knife. So the fact is
a knife can cut, the advice is be careful, whether or not it appears before
or after the fact about knives.

Regards,
Mark.


>
> Our document contains the former (a fact), but not the latter (advice).
>
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492