Re: [v6ops] Extension Headers / Impact on Security Devices

Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 19 May 2015 23:52 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 350191A873D for <v6ops@ietfa.amsl.com>; Tue, 19 May 2015 16:52:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KlxFs3PvyGwR for <v6ops@ietfa.amsl.com>; Tue, 19 May 2015 16:52:21 -0700 (PDT)
Received: from mail-pd0-x236.google.com (mail-pd0-x236.google.com [IPv6:2607:f8b0:400e:c02::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA05E1A1A77 for <v6ops@ietf.org>; Tue, 19 May 2015 16:52:21 -0700 (PDT)
Received: by pdbnk13 with SMTP id nk13so45471051pdb.1 for <v6ops@ietf.org>; Tue, 19 May 2015 16:52:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=16XvM0z/vSbfc42I21BQ/pGTm2hjpedb2/Xs3ukoK64=; b=riyXXXK5dT4UhQZG5tjBZrhKxZN84so0mVPEe92asmZOlz5u1gcQG5lusDAn2rcOuY wVGOvViCJ/EmFURtQMQMwi+POhOTLzVN/tHIVPhZ49PkkCVGKK9GOW9ZXcJKF0eFIG5g hCkg+1FLUAbt1qonvKuniLsZ7bOibRmN70pJoHSb9wSzjIGEmmUegGqXx7GpCb+PnFvJ HauSPmq23Od3JCteUZfp19tMvoNOERqUJJWJVtsk3+OquQzq6kb+IBv5bv/05YQj/MrO hIXdLNBb3RxzbevUa7FeB6Qmsu1Evrq80Go9MhN7uCZoa7Dl9wNsX8+HiHtJcQUasCV3 mm9A==
X-Received: by 10.70.128.110 with SMTP id nn14mr58958100pdb.135.1432079541263; Tue, 19 May 2015 16:52:21 -0700 (PDT)
Received: from ?IPv6:2001:df0:0:2006:c0da:ac17:5f6d:8e76? ([2001:df0:0:2006:c0da:ac17:5f6d:8e76]) by mx.google.com with ESMTPSA id bc3sm14117922pbb.47.2015.05.19.16.52.18 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 19 May 2015 16:52:20 -0700 (PDT)
Message-ID: <555BCCB3.9050103@gmail.com>
Date: Wed, 20 May 2015 11:52:19 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Sander Steffann <sander@steffann.nl>
References: <20150515113728.GH3028@ernw.de> <878002773.794.1431739346723.JavaMail.yahoo@mail.yahoo.com> <555AB8FA.2080405@si6networks.com> <F6AA9AEA-49F0-488C-84EA-50BE103987C8@nominum.com> <555B8622.5000806@isi.edu> <555BA184.8080701@gmail.com> <477839EA-7270-4321-AA12-763AD27ADBD9@steffann.nl>
In-Reply-To: <477839EA-7270-4321-AA12-763AD27ADBD9@steffann.nl>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/taG4K7FHGOE2w_KpZPgY4w5q560>
Cc: v6ops@ietf.org
Subject: Re: [v6ops] Extension Headers / Impact on Security Devices
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 May 2015 23:52:23 -0000

On 20/05/2015 09:37, Sander Steffann wrote:
> Hi,
> 
>> Op 19 mei 2015, om 22:48 heeft Brian E Carpenter <brian.e.carpenter@gmail.com> het volgende geschreven:
>>
>> No. RFC 2460 makes it clear that hops don't modify extension headers
>> (except for shuffling within a routing header).
>>
>> Also, there is a draft for this:
>> https://tools.ietf.org/html/draft-zhang-6man-offset-option-01
>>
>> (which does discuss the security issue; as with the evil bit, a firewall
>> would be foolish to trust this option).
> 
> What this says is basically that any device that might benefit from this option would be foolish to trust it :)

No, things like load balancers and diffserv classifiers could use it
(inside a suitably paranoid firewall, indeed).

   Brian