Re: [v6ops] WG Doc? draft-gont-v6ops-ipv6-ehs-packet-drops

"Ray Hunter (v6ops)" <v6ops@globis.net> Wed, 06 April 2016 09:54 UTC

Message-ID: <5704DCD0.1090907@globis.net>
Date: Wed, 06 Apr 2016 11:54:24 +0200
From: "Ray Hunter (v6ops)" <v6ops@globis.net>
To: Joe Touch <touch@isi.edu>
In-Reply-To: <5703F89D.3080203@isi.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/uZ0vItxSZELQh1s0wCaevv0FxHo>
Cc: v6ops list <v6ops@ietf.org>


Joe Touch wrote:
> On 4/5/2016 10:00 AM, Mark Smith wrote:
>> Adding, deleting or changing EHs in the network would be silent about
>> who made the changes (except when modification records who did the
>> change e.g. RH0). In this case the packet source address has lost
>> much of its clarity, because there are now multiple sources of the
>> information in the packet.
>
> Given the pervasive presence of NAT and other header rewriting devices,
> there are already many such sources. Unless the header is authenticated,
> there are no assurances as to exactly where the information therein
> originated.
>
> Joe
>
>
NAT is not pervasively present in IPv6 networks, so that's not really 
relevant to the discussion.

The outer packet headers can't be fully invariant end to end, because 
some fields have to / may be rewritten along the path, even in normal 
operations, e.g. HBH options, flow label, and hop count. So any 
protection of header content would have to be very limited in scope.

But even authenticated headers get messed around, so that's also no 
solution in and of itself. Look at the hoops that people have to jump 
through (both technical and legal) to make https and other strong end to 
end transports work over NAT and proxies.

IMHO the end to end principle is still worth fighting for.

But IMVHO another consequence of the end to end principle is that if you 
want end to end protection, you'd better do it yourself, at a layer you 
control, and not rely on any underlying infra to guarantee it for you. 
On a routed network, there's always a man in the middle. So you can 
never trust headers in the general case, even if they're authenticated.

The end to end principle itself doesn't preclude in-flight 
deep-packet-inspection (where appropriate/legally justified/technically 
possible). [Note: Your lawyers may disagree. You may be subject to 
different laws.]

-- 
regards,
RayH
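An added illustration of the point made in the message above (example code written for this page, not part of the thread): an AH-style integrity check over an IPv6 header can only cover the fields that do not legitimately change in flight, so the traffic class, flow label and hop limit are zeroed before the check value is computed (the mutable-field rule of RFC 4302), and an HBH option whose type has the "may change en route" bit set would need the same treatment. The key and addresses are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # sample key for the example, not a real secret


def build_ipv6(src, dst, hop_limit, flow_label, payload, tclass=0, next_header=17):
    """Return a 40-byte IPv6 fixed header (RFC 8200) followed by payload."""
    vtf = (6 << 28) | (tclass << 20) | (flow_label & 0xFFFFF)
    fixed = struct.pack("!IHBB", vtf, len(payload), next_header, hop_limit)
    return (fixed + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def canonical(pkt):
    """Zero what routers legitimately rewrite (the AH mutable-field rule of
    RFC 4302): traffic class, flow label and hop limit. Version, payload
    length, next header and both addresses are kept as they are."""
    _vtf, plen, nh, _hop = struct.unpack("!IHBB", pkt[:8])
    return struct.pack("!IHBB", 6 << 28, plen, nh, 0) + pkt[8:]


def icv(pkt):
    """Integrity check value over the canonical header plus payload."""
    return hmac.new(KEY, canonical(pkt), hashlib.sha256).digest()


def verify(pkt, tag):
    return hmac.compare_digest(icv(pkt), tag)


def option_data_mutable(opt_type):
    """RFC 8200 s.4.2: the third-highest-order bit of an HBH/Destination
    option type says whether the option data may change en route. Such
    options would also have to be zeroed in canonical()."""
    return bool(opt_type & 0x20)


# Helpers standing in for what a router or middlebox might do in flight.
def set_hop_limit(pkt, hop):
    return pkt[:7] + bytes([hop]) + pkt[8:]


def set_flow_label(pkt, label):
    vtf = struct.unpack("!I", pkt[:4])[0]
    return struct.pack("!I", (vtf & 0xFFF00000) | (label & 0xFFFFF)) + pkt[4:]


def set_dst(pkt, dst):
    return pkt[:24] + ipaddress.IPv6Address(dst).packed + pkt[40:]
```

A hop-limit decrement or a flow-label rewrite leaves `verify()` true, while a rewritten destination address or payload fails it, which is exactly why such a check cannot extend to the mutable fields the message lists.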